Why You Need 6 Layers of Zero-Trust Control

A recent report produced for IBM put the average cost of a data breach at $3.86 million. The same report said that simply having a remote workforce added nearly $137,000 to the cost of data breach resolution. Those are big numbers. And, with today’s migration to a remote workforce, that should be plenty of motivation for those responsible for their organization’s data security to take notice.

This same migration has also accelerated cloud adoption to better support a distributed workforce and meet customer needs. That has opened new doors for cybercriminals, with 20% of companies in a recent study saying they faced a security breach as a result of a remote worker. And even using the cloud doesn’t mean you’re completely safe, as evidenced by the 630% increase in cloud-based attacks between January and April last year.

With users everywhere, multiple workloads running on servers and in the cloud, and all kinds of devices connecting to your network, it has become a huge challenge to ensure that your data is safe. Also, with cybercriminals becoming more and more sophisticated, the time has come to move away from traditional perimeter defenses.

What is zero trust?

Zero trust approaches security on the assumption that perimeters no longer exist. With remote workers using personal devices, and companies moving applications and services to a hybrid infrastructure or the cloud, your network perimeter can’t be clearly defined. That’s why the concept behind zero trust is that no device and no user is ever trusted by default; each must always be verified.

But building a zero-trust model can be incredibly challenging, especially if you need it to integrate with legacy systems. That’s one reason many companies end up with zero trust only deployed in parts of their infrastructure—they lack the budget or expertise to migrate completely to zero trust. That leaves gaping holes that are vulnerable to attack. And, while it’s easier to take a zero-trust approach if you’re building a new infrastructure from scratch, it still isn’t easy to do with internal resources. That’s because zero trust is built on six layers of control, with each layer adding new challenges.

Zero trust: 6 layers of control

1. Identities

The zero-trust control plane comes into play when an identity (whether that’s a person, service, or device) tries to access a resource. It verifies the identity behind the access attempt, ensures the attempt is compliant and typical for that identity, and limits it according to least-privilege access principles.

2. Devices

Data can flow to a variety of resources—from mobile phones to IoT devices to cloud-hosted servers—once an identity has been granted access, adding up to a massive, exposed attack surface. Zero trust secures access by those resources, monitoring and enforcing device health and compliance.

3. Applications and APIs

Applications and APIs are the interface through which data is consumed, so they require zero-trust controls that ensure appropriate in-app permissions, limit access, monitor for abnormal behaviors, and validate secure configuration options.

4. Data

Protecting data is always IT’s primary focus—even when that data leaves the devices, apps, infrastructure, and networks. So, it should always be encrypted, with zero trust limiting access based on how the data is classified and labeled.

5. Infrastructure

All of your infrastructure resources (servers, cloud-based VMs, and so on) face potential threats. Zero trust assesses version, configuration, and access to harden defenses, uses telemetry to detect attacks and anomalies, and automatically blocks and flags risks and takes protective actions.

6. Networks

With all of your data accessed over a network infrastructure at some point, zero-trust networking controls improve visibility and help prevent attackers from moving laterally by segmenting networks, all while ensuring real-time threat protection, end-to-end encryption, monitoring, and analytics.
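As an added illustration (not code from the original post or from any product), the six layers above can be read as one default-deny access decision in which every layer must pass. All field names, labels, and the sample request below are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Sensitivity order for data labels (constructed for this example).
LABELS = {"public": 0, "internal": 1, "confidential": 2}

@dataclass
class AccessRequest:
    identity: str
    mfa_verified: bool        # layer 1: identity verified
    typical_behavior: bool    # layer 1: attempt is typical for this identity
    device_compliant: bool    # layer 2: device health and compliance
    app_scopes: frozenset     # layer 3: in-app permissions granted
    needed_scope: str
    clearance: str            # layer 4: highest data label this identity may read
    data_label: str
    resource_hardened: bool   # layer 5: version/configuration check passed
    src_segment: str          # layer 6: network segment of the caller
    allowed_segments: frozenset

def evaluate(req):
    """Return (allowed, reasons). Any failed layer denies the request."""
    checks = [
        (req.mfa_verified, "identity: not verified"),
        (req.typical_behavior, "identity: atypical access pattern"),
        (req.device_compliant, "device: not compliant"),
        (req.needed_scope in req.app_scopes, "application: missing permission"),
        # Unknown labels or clearances fail closed.
        (LABELS.get(req.data_label, 99) <= LABELS.get(req.clearance, -1),
         "data: label exceeds clearance"),
        (req.resource_hardened, "infrastructure: configuration not verified"),
        (req.src_segment in req.allowed_segments, "network: segment not permitted"),
    ]
    reasons = [msg for ok, msg in checks if not ok]
    return (not reasons, reasons)

# Constructed sample request: a verified user on a non-compliant laptop
# asking for data above their clearance.
SAMPLE = AccessRequest(
    identity="alice", mfa_verified=True, typical_behavior=True,
    device_compliant=False, app_scopes=frozenset({"reports:read"}),
    needed_scope="reports:read", clearance="internal",
    data_label="confidential", resource_hardened=True,
    src_segment="corp-vpn", allowed_segments=frozenset({"corp-vpn"}),
)

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

Returning every failed layer, rather than stopping at the first, gives the monitoring side a complete record of why a request was denied.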

Zero trust equals more protection

With so many companies challenged by our new remote work reality and increasing cyber threats, zero trust is the logical next step in data protection. Zero trust tightens your security strategy by taking a granular approach to controlling and securing data and access and blocking any access attempts unless they are 100% verified.

Whether your workforce is on-site, remote, or a hybrid, zero trust makes sense. We need only refer you to the costs of a data breach we pointed out at the start of this post to make our point. Zero trust can minimize the chances that you’ll be successfully attacked and pay that high price in dollars and reputation.

Zero trust complexities

Most companies are already using zero-trust strategies in parts of their organization—typically data loss prevention, mobile device management (MDM), Security Information and Event Management (SIEM), multi-factor authentication (MFA), and network access. These companies may even be using network segmentation. But ultimately, implementing zero trust across all six layers we’ve described is a big, complex job that can take tons of time to manage across cross-functional teams.

That said, Forrester points out that the vast majority of organizations have a zero-trust initiative in progress. These are often aspirational attempts, but they illustrate that these organizations recognize how important it is to have a zero-trust strategy. But moving to zero trust doesn’t have to be complex.

So where do you start—or keep moving forward—on your zero-trust journey?

There’s no “right” answer as to where to begin. Deciding on a starting point should be based on your organization’s initial goals, existing capabilities, and ultimate strategy. Whether your organization is in the process of building a zero-trust strategy or it’s completely new to you, it can be a challenge to find skilled professionals, secure funding, and understand how to assess the many available technologies.

No single technology or platform can support a complete zero-trust model. That’s why it’s worth your while to choose a technology management partner who can help guide you on your way. That includes handling integration with analytics, identity, and endpoint tools, augmenting your team to deliver a successful trust-based access deployment, or managing your environment so no connection is trusted until it’s verified.

Thank you for trusting us to help with your cybersecurity needs. Contact us any time—we’re always happy to help.

Jon

Meet the Author
Jon Bolden is Quest's Certified Information Systems Security Officer