Digital transformation has fundamentally changed the way we communicate and how modern businesses operate. Employees went mobile-first and began using their own devices for both personal communication and work purposes, which meant accessing critical business applications and data over the public internet. Simultaneously, sensitive business data has become more distributed, residing outside the corporate perimeter in SaaS applications such as Microsoft 365 and private applications in AWS, Azure, and Google Cloud platforms.
The process of digital transformation improves business agility and information flow, but dramatically expands the attack surface and exposes organizations to new threats. This has created an escalating need to rethink traditional firewall-based network security in favor of a zero trust architecture designed for the cloud. But in the last few years, the definition of zero trust has become muddled, causing a great deal of confusion for enterprises, and as a result, inhibiting its implementation.
What is zero trust anyway?
While the concept of zero trust has existed in the cybersecurity industry for more than a decade, it is not simply a single technology like identity, remote access, or network segmentation. Zero trust is a holistic approach to securing modern organizations, based on least-privileged access and the principle that no user or application should be inherently trusted. It begins with the assumption that everything is hostile, and only establishes trust based upon user authentication and context, with business policy serving as the gatekeeper every step of the way. At its heart, a zero trust security platform is guided by three key tenets:
- Connectivity based on identity and policy based on context
- Making applications invisible
- Using a proxy-based architecture to connect to apps and inspect traffic
Connectivity based on identity and policy based on context
Traditional VPNs and firewalls put users on the network for application access. Once on the network, the inherent trust granted to the user increases the risk of lateral movement by threats or would-be attackers. Conversely, zero trust uses context-based identity authentication, and policy verification to securely connect authorized users to only specific sanctioned applications, without ever putting users on the corporate network. This prevents lateral movement and reduces business risk. And because network resources never need to be exposed to the internet, organizations can protect against ransomware, DDoS, and targeted attacks.
Make applications invisible
Migration of applications to the cloud greatly expands an organization’s attack surface. Traditional firewalls publish apps on the internet, which means they can be discovered easily by users and hackers. A zero trust approach avoids exposing the corporate network to the internet by concealing source identities and obfuscating IP addresses. Making apps invisible to adversaries and accessible only by authorized users reduces attack surface and ensures access to applications—on the internet, in SaaS, or in public or private clouds—is secure.
Proxy-based architecture to connect to apps and inspect traffic
Next-generation firewalls struggle to inspect encrypted traffic without impacting performance. This often forces organizations to choose between availability and security, and often, availability wins. As a result, organizations frequently choose to bypass the inspection of encrypted traffic, which puts them at a greater risk of cybersecurity threats and data loss. Furthermore, firewalls use a “passthrough” approach, allowing unknown content to reach its destination before any analysis is complete. If a threat is detected, an alert is sent, but it may be too late to prevent the threat.
Instead, effective threat protection and comprehensive data loss prevention requires a proxy architecture designed to inspect SSL sessions, analyze the content within transactions, and make real-time policy and security decisions before allowing traffic to move on to its destination. And it needs to do all of this at scale without impacting performance, no matter where users connect.
The successful adoption of zero trust starts with the right platform based on the aforementioned tenets, but it is also dependent on developing new skills and embracing a new cultural mindset. From the IT leaders who need to transform quickly and safely, to the IT practitioners on the ground implementing zero trust, everyone from the executive team to end users and the extended ecosystem must be included to ensure a successful zero trust journey.
Start modernizing your approach to IT security. Discover more about zero trust.