Zero Trust is a concept put forth by Forrester, a respected technology analyst firm. It describes a new architecture for information security that is data-centric rather than focused on securing specific hardware and networks. It has gradually been gaining popularity in enterprise IT as more and more corporate data resides in or transits public clouds and the internet, where traditional perimeter defenses such as firewalls and anti-virus protection are less effective. However, up until 2019, it had largely been adopted by larger organizations that are far along on the cybersecurity maturity scale or by small, cloud-native startups that did not have a large investment in legacy security hardware and software like VPNs. Enter 2020 and the global pandemic, which changed everything, including how we look at network security and Zero Trust.
A Cybersecurity Sea Change
The COVID-19 virus and its rampage across the globe fundamentally changed many aspects of life and business, and cybersecurity was no different. When we had to send our employees to work from home for an extended period (which is still going on for many people), it forced us to re-engineer our remote access platforms and strategies on the fly. For most companies, what was a niche or a special use case for their networks and workstations became the primary use case. In many cases, the structures in place were inadequate, both from a performance and security standpoint. The attack surface for companies expanded exponentially and hackers predictably took advantage of that.
The COVID-19 crisis required a fundamental rethinking of how remote access was approached, and some companies have taken this opportunity to take a deeper look at Zero Trust. The idea of work from anywhere, on any device, was radical for many traditionally architected networks. While VPNs may work decently well for traveling salespeople logging in from hotels with company laptops to get email, they are not sufficiently secure to support developers and administrators who may be working on highly sensitive data with privileged accounts. Zero Trust represents a way to do ‘micro’ authentications for very short periods of time or for specific pieces of work. It also places more emphasis and stronger controls on the sensitivity of the data and the people using it, rather than on securing specific endpoints or trying to stop attackers at perimeters. Many of its elements fit the needs of the new era of work from home as a norm, not an exception.
Zero Trust Must Continue to Evolve
While many of its tenets supply much-needed upgrades to the way we handle network security, there is still a lot to be improved. The Zero Trust framework is still fairly vague in terms of what specific technology is required and how to implement it. It has mostly been left up to technology vendors to determine what Zero Trust is. Consequently, it has become an industry buzzword that can mean many different things, depending on the vendor offering it. Google has tried to set a good example by publishing its implementation of Zero Trust, called “BeyondCorp.” Two governmental bodies, NIST and the National Center for Cyber Security Excellence, have published a standard for Zero Trust, which will help enterprises set up Zero Trust in a way that is secure and compliant with government regulations.
Zero Trust also needs to expand its definition of data and the things that need to be protected. 2020 saw a greatly expanded use of video conferencing services, which heretofore had mainly been used by sales and marketing teams. During the pandemic, companies ran their entire business on these platforms, which were not necessarily designed for that. Employee reviews, sensitive management and board meetings, and every department meeting were held on them. How do you secure streaming data, which may be ephemeral? Or worse yet, it might be cached or stored somewhere in the cloud, either by the company or by the vendor. It’s an issue that corporate IT has barely begun to recognize, and it could have all kinds of implications: security, privacy and legal. Zero Trust could be used to secure these critical data resources so they are secure in all their instances.
2020 was an incredibly difficult year for everyone and many lessons were learned about business continuity, incident response and security in general. Concepts like Zero Trust represent what we need to strive for in the new post-pandemic era to keep our networks and data secure. Hopefully it can evolve to face these new challenges and become more generally adopted among forward-thinking enterprises.