Sudip Banerjee from Zscaler explains how organisations can best employ a zero trust strategy in the modern work environment.
If you scan technology news websites or peruse industry research reports, there’s one topic that’s consistently being discussed: zero trust.
At its essence, zero trust is a holistic approach to IT security based on the principle that no user or application should be inherently trusted. It assumes that everything is hostile and only establishes trust based upon user identity and context.
It’s a security strategy that is growing in popularity because of how corporate IT infrastructures have evolved. Rather than existing within a walled perimeter, they extend outward to include remote workers and resources on hosted and public-cloud platforms. Put simply, it’s a security framework which enables users to access private applications securely, without connecting to the network on which they’re hosted, or exposing those applications to the internet.
Indeed, the trend of zero trust adoption has accelerated even further in the wake of the COVID-19 pandemic. This has been driven by the need for organisations to provide secure but flexible remote access for their staff.
The need is even more acute because it is highly likely that many people will continue to work from home for an extended period. Some companies will also adopt a ‘hybrid’ working pattern where employees can work from home two days a week and in the office for the remainder.
At the same time, there has also been an increase in attack surface exposures. Staff will almost certainly use a private Wi-Fi network to connect to work resources and will often do so using a personal notebook or desktop PC. Whether they like it or not, organisations have been forced into having a policy of ‘anytime, anywhere and any device’.
These changes are further evidence of the need for a zero trust strategy as it’s no longer possible to blindly trust that the people accessing corporate IT resources are authorised to be there. In many cases, the corporate network has become the public internet.
A new architecture
In this new world of work, a new IT architecture is required to ensure staff can have secure access to the resources they need, whether in a corporate data centre or on a cloud-based platform. This new architecture must have some core attributes, which include:
- A fully deployed zero trust strategy: Achieving each of these goals requires the deployment of zero trust. This acts as a shield and achieves the goal of keeping applications and data hidden from those who should not be accessing them. A cloud-based zero trust architecture is the best way to achieve this goal with a distributed workforce in place.
- Restricted accessibility: IT networks and resources need to be configured so that users never connect to the entire infrastructure, but only to the specific applications and data sources they need to fulfill their role. The marketing team does not need access to the financials server, while sales staff don’t need access to test and dev resources. This approach is known as having a policy of least-privilege access.
- Restricted visibility: The new architecture must also restrict visibility and restrict access to resources. Staff must only see the resources they have been authorised to use, while everything else is invisible. This adds a layer of security and makes it more difficult for attackers to see exactly what is in place.
One zero trust security strategy architecture gaining traction right now is Secure Access Service Edge (SASE) which has been designed from the ground up with the digital workplace in mind.
At its heart, SASE involves ensuring data traffic is fully secure throughout its journey, between a device and a destination application, regardless of where a user is located or the type of device they are using. It’s this focus on security for the journey, rather than the destination, that is critical and will benefit the new hybrid workforce which is well and truly here to stay and as the trend continues to gather pace.
Organisations in the year ahead will continue to embrace security technologies which enable employees to access applications, without opening the enterprise up to additional risk. This indeed will be a priority for organisations which value the integrity of their systems and data.
Chief information security officers are fast learning that the challenge of maintaining effective IT security is very different in this emerging post-pandemic world. In many cases, changes that would have taken years to achieve have been planned for and deployed in just months.
The time to embrace zero trust is now as it can provide the protection, flexibility and scalability required by organisations. Organisations that don’t adopt the new zero trust new normal will continue to put their employees and customers at risk. So begin your zero trust journey today.
Sudip Banerjee is the senior director – transformation strategy at Zscaler.