How To Make Zero-Trust a Reality

Companies embarking on their zero-trust journey (or looking to accelerate it) should begin with two key pillars: Zero-trust network access (ZTNA) and zero-trust segmentation (ZTS).

By now, it’s widely accepted that zero-trust is the security framework of the future. It is the best way to make your organization resilient to inevitable breaches and ransomware attacks. We know scores of companies (nine out of 10, according to Enterprise Strategy Group) have begun migrating to a zero-trust model. What’s less clear is why many are progressing so slowly on their zero-trust journeys.

According to a study conducted by Forrester last year, only 36% of organizations have started to deploy zero-trust solutions, and just 6% of them have fully implemented their zero-trust plans. While the industry accepts that breaches are inevitable and that we need zero-trust architecture to reduce our risk of cyberattacks, it’s taken time to implement this change in strategy. 

It’s no wonder some managers miss the mark when building out their zero-trust strategy: too much inaccurate information and confusion still surrounds the model. Too many vendors, hoping to jump on the bandwagon, put the zero-trust label on any and every product, leaving security teams grappling with technologies that are only semi-suitable to address their risks.

IT and security managers wondering where to start (or restart) their zero-trust strategies should focus first on minimizing implicit access and segmenting the most critical parts of the business away from high-traffic or vulnerable areas. This is where ZTNA and ZTS come in; they can dramatically limit the impact breaches have on your organization.

Zero-Trust Network Access is no VPN

ZTNA and ZTS are based on bedrock zero-trust principles: Least privilege and assume breach. When combined, they secure enterprise networks and prevent breaches from spreading across hybrid applications and infrastructures.

Though often compared to virtual private networks (VPNs), ZTNA differs dramatically. Introduced more than 30 years ago, VPNs were designed to act as encrypted digital pipelines that enabled remote access between client devices and corporate networks. At one time, VPNs were the trusted go-to solution for secure remote access. More recently, attackers have exploited their weaknesses with regularity.

In contrast to VPNs, ZTNA enables remote access to only specific data, services and applications dictated by clearly defined access-control policies. With ZTNA, a threat actor’s ability to roam freely across a network in search of sensitive information is minimized.

Also, ZTNA systems don’t depend solely on security credentials to verify identities. First, they deny access permissions by default (think: least privilege). Then, they authorize users based on time, device, location and other configurable parameters. Access is granted on a pre-approved and need-to-know basis, but never implicitly given. With nearly every industry today managing scads of remote-working employees, ZTNA has become one vital tool for minimizing organizational risk.
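The decision logic described above, as an added example (not code from the article or from any vendor product): a per-application policy that denies by default and only authorizes when identity, device posture, time window and location all pass. Application names, policy fields and users are constructed for the demo.

```python
"""Added example, not from the article: a minimal ZTNA-style access decision.
Default deny; a request is authorised only when identity and every contextual
check (device posture, time window, location) pass the policy for one app.
Policy names, fields and users are constructed for the demo."""
from dataclasses import dataclass
from datetime import datetime

# Per-application policy. An app with no entry is unreachable: nothing is implicit.
POLICIES = {
    "payroll": {"groups": {"finance"}, "managed_device": True,
                "hours": (8, 18), "countries": {"US", "CA"}},
    "wiki": {"groups": {"staff", "finance"}, "managed_device": False,
             "hours": (0, 24), "countries": None},  # None = no geo restriction
}

@dataclass
class Request:
    groups: set
    app: str
    managed_device: bool
    country: str
    when: datetime

def decide(req: Request, policies=POLICIES):
    """Return (allowed, reason). Every check must pass; the first failure denies."""
    policy = policies.get(req.app)
    if policy is None:
        return False, "no policy for application"
    if not req.groups & policy["groups"]:
        return False, "identity not entitled"
    if policy["managed_device"] and not req.managed_device:
        return False, "unmanaged device"
    start, end = policy["hours"]
    if not start <= req.when.hour < end:
        return False, "outside allowed hours"
    if policy["countries"] and req.country not in policy["countries"]:
        return False, "location not allowed"
    return True, "all checks passed"

def demo_decisions():
    """Constructed requests: one failed check is enough to deny."""
    noon, night = datetime(2024, 3, 5, 12, 0), datetime(2024, 3, 5, 0, 30)
    cases = {
        "finance_ok": Request({"finance"}, "payroll", True, "US", noon),
        "byod": Request({"finance"}, "payroll", False, "US", noon),
        "night": Request({"finance"}, "payroll", True, "US", night),
        "unknown_app": Request({"staff"}, "sap", True, "US", noon),
        "wiki_byod": Request({"staff"}, "wiki", False, "FR", noon),
    }
    return {name: decide(r) for name, r in cases.items()}
```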

Zero-Trust Segmentation Creates Resilience

It’s important to remember that ZTNA is an important piece of a zero-trust architecture, but your plan is incomplete—and your organization is not thoroughly secure—without ZTS. The two approaches combined form the kind of coverage that provides significant reach and protection. 

In today’s data-driven, hyper-connected world, assets are located across sprawling hybrid environments. Security measures built for an age when most companies stored information within physical data centers are no longer relevant in the era of cloud computing and containers.

Firewalls alone have proven ineffective at preventing ransomware attacks from happening. Prevention alone is no longer a viable security strategy. Breaches are so common now that it’s irrational to believe they can’t or won’t happen to anyone. 

According to an ESG survey of 1,000 IT professionals globally, 76% of respondents experienced a ransomware attack over the past two years. Two-thirds were hit by at least one supply chain attack, and just over half (52%) indicated that a cyberattack is likely to result in disaster for their organization.

The only responsible mindset is to assume breaches will occur. It’s no longer a question of if, but when. ZTS proactively halts the spread of breaches, ensuring that everyday incidents cannot become full-fledged business disasters. 

ESG’s survey found that organizations using ZTS were 2.1 times more likely to have avoided a critical outage during an attack over the last 24 months, saved $20.1M in annual downtime costs and averted five cybersecurity disasters annually. While it’s clear we cannot, as an industry, prevent breaches from happening altogether, we can dramatically minimize the risk breaches pose to business and operations. 

ZTS is designed to continually visualize how workloads and devices communicate—isolating compromised systems during an attack and restricting intruders from moving around a network. Not only does this prevent threat actors from snatching critical information, but it also limits the spread of ransomware. As cloud environments grow increasingly distributed, segmentation is vital in fueling resilience as businesses scale. 
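A label-based segmentation policy of the kind described above, as an added example (not code from the article or from any vendor product): only listed role-to-role flows are allowed, observed flows are checked against that allowlist to surface candidate lateral movement, and a compromised workload can be quarantined so that only inbound management access remains. Hostnames, ports and the flow log are constructed for the demo.

```python
"""Added example, not from the article: label-based zero-trust segmentation.
Workloads carry role labels; policy allows only listed role-to-role flows on
given ports and everything else is denied. Observed flows (constructed) are
checked against the policy, and a compromised workload can be quarantined so
only its management path remains. Names, ports and flows are constructed."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port")

# Workload inventory: hostname -> role label.
WORKLOADS = {"web-1": "web", "web-2": "web", "app-1": "app",
             "db-1": "db", "bastion": "mgmt"}

# Allowlist of (source role, destination role, destination port). Default deny.
POLICY = {("web", "app", 8443), ("app", "db", 5432), ("mgmt", "web", 22),
          ("mgmt", "app", 22), ("mgmt", "db", 22)}

def is_allowed(flow: Flow, quarantined=frozenset()) -> bool:
    """Allowed only if the role pair and port are listed and neither end is quarantined
    (a quarantined host keeps only inbound management access for investigation)."""
    src_role, dst_role = WORKLOADS.get(flow.src), WORKLOADS.get(flow.dst)
    if src_role is None or dst_role is None:
        return False                          # unknown workload: nothing implicit
    if flow.src in quarantined:
        return False                          # compromised host may not initiate
    if flow.dst in quarantined and src_role != "mgmt":
        return False
    return (src_role, dst_role, flow.port) in POLICY

def audit(flows, quarantined=frozenset()):
    """Split observed flows into allowed and violations (candidate lateral movement)."""
    allowed = [f for f in flows if is_allowed(f, quarantined)]
    violations = [f for f in flows if not is_allowed(f, quarantined)]
    return allowed, violations

# Constructed flow log: normal traffic plus a web host reaching a peer and the DB.
OBSERVED = [
    Flow("web-1", "app-1", 8443), Flow("app-1", "db-1", 5432),
    Flow("bastion", "db-1", 22),
    Flow("web-1", "web-2", 445),   # web-to-web SMB: not in policy
    Flow("web-1", "db-1", 5432),   # web straight to DB: not in policy
    Flow("web-2", "app-1", 8443),
]

def demo():
    """Before and after quarantining web-1: its legitimate app flow is now cut too."""
    before = audit(OBSERVED)
    after = audit(OBSERVED, quarantined=frozenset({"web-1"}))
    return before, after
```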

ZTNA + ZTS = ROI

A slumping economic climate will require companies to invest their security dollars carefully to ensure return on investment (ROI). With the attack surface continuously evolving, ZTNA and ZTS are some of the industry’s best practices for building resilience, and this zero-trust strategy delivers meaningful ROI for security spend. In the face of inevitable breaches, this combination can keep your most critical assets secure and your organization operational.


PJ Kirner

As chief technology officer and co-founder, PJ is responsible for Illumio’s technology vision and platform architecture. PJ has 20 years of experience in engineering, with a focus on addressing the complexities of data centers. Prior to Illumio, PJ was CTO at Cymtec. He also held several roles at Juniper Networks, including distinguished engineer focused on advancing Juniper’s network security and layer 4-7 services plane. PJ graduated with honors from Cornell University.
