Beyond the Wall: A New Security Paradigm

A new security paradigm shakes perimeter security.

CISOs have fought the good fight. They’ve deployed a vast arsenal of defenses to keep invaders out of the castle and to shore up their networks against external threats. Yet it hasn’t been enough. Data breaches compromise more than 6 million records every day. The global average cost of a single data breach is up 6.4 percent to $3.86 million.

Government and private sector institutions are vulnerable. The 2015 hack of the United States Office of Personnel Management, for example, involved 21.5 million records. Last year, a data breach of a major hotel chain exposed the personal information of a reported 500 million people.

Amid mounting attacks, Zero Trust seeks to reduce adversaries’ opportunities for lateral movement. A CISO can build a moat around the IT castle, but an enemy who devises a way to lower the drawbridge gets access to everything. Similarly, the cyberattacker who breaches a perimeter network defense can in many cases attain almost unfettered access to the network and its treasures, including data troves and computing resources.

Cyberattackers bypass defenses by employing a predictable cycle detailed in various attack frameworks, using techniques that include phishing, spear phishing, clone phishing, whaling, pharming attacks that use social engineering techniques, vishing (voice phishing) and others. Often, it begins with the end user. No amount of training will prevent employees from clicking a bad link or opening an attachment, of course. Expecting otherwise is another systemic flaw in the current defensive architecture.

In a Zero Trust model, there is no particular distinction between an outside and an inside at the network layer. Rather, the security lens shifts from the perimeter to the application layer. In the conventional IT architecture, a trusted user can often gain broad access to network resources after crossing the threshold. With Zero Trust, even users who have been rigorously authenticated will have access to a limited set of tools and services.

Unlike in the binary world of conventional security – out there and in here – a Zero Trust model proposes that security should have granular identification, intense authentication, and rigorous internal controls.

It’s not just the escalating cyber threat that should give IT pause and reason to consider a Zero Trust security model. As computing moves from corporate data centers to the cloud, and users connect remotely, via third-party tools and from public Wi-Fi networks around the world, the perimeter approach to defense creates inefficient traffic flows and faces limits in effectiveness.

The way users access networks has created a strong impetus for reimagining IT architecture and the apparatus of that access. With perimeter defenses no longer sufficient, Zero Trust security grants access only to valid users, at the application layer, enabling them to quickly, seamlessly and simply use only those applications to which they have authorized access instead of the entire network. It’s a powerful new concept and a significant leap in the evolution of cybersecurity.