With millions of employees across the United States trying remote work for the first time, many organizations have begun to re-examine the zero trust security strategy. The convergence of trends and technologies, coupled with the new understanding of the risks brought by relying solely on perimeter defense for security protection, means that the time is ripe for zero trust to become mainstream.
Traditionally, IT security is based on a perimeter defense model, such as the castle surrounded by moats in the Middle Ages, or cities built with walls. The purpose of this concept is to keep intruders out of the shared space, while assuming that those inside the walls are trustworthy and can roam freely (more or less) inside.
Due to the massive increase in the number of interconnected devices that must be accommodated in the current network, perimeter security strategies have been in a困境 for many years. Some recent events have further highlighted the limitations of perimeter defense, as the IT department has found it exceptionally difficult to deal with the sudden increase in remote workers who are using home computers not controlled by IT for the first time to access the network.
Distrust anyone
Zero TrustAssuming that no one can be trusted颠覆了传统的网络安全。Although it sounds somewhat harsh, if it can be achieved, everyone's work will become easier.
It is not easy to achieve this. For 'zero trust' to work, adopters need to make a commitment throughout the organization. They need to classify all IT and data assets and assign access permissions based on roles. In this process, they need to lock down some common vulnerabilities.For example, it is absolutely forbiddenWeb Servers directly communicate with otherWeb Server communication, and only through designated ports can communicate with application servers.
Data also needs to be classified. Some information, such as the company team's schedule for baseball time, may not require any protection at all. Business secrets and other proprietary data require multi-factor authentication for restricted user categories.
It is necessary to segment the network to prevent lateral movement, which has long been the culprit of large-scale data breaches. When workloads move between virtual machines and cloud servers, they must be isolated and protected. Until recently, managing such an environment has always been a daunting task, but the situation is changing.
Zero trust examples
The first important development is that multi-factor authentication (MFA) has finally become mainstream: Data disclosed by LastPass shows that the business adoption rate last year increased to 57% (up from 45% the previous year). MFA uses secondary and even tertiary authentication, covering a range from hardware devices to SMS codes sent to mobile phones. Although it is not yet perfect, it is a huge improvement compared to the basic password security mechanism that has long been ineffective.
An important technological development is the maturity of software-defined networking (SDN), where network management shifts from physical firewalls and switches to software. In SDN networks, since segmentation is defined by software and managed by policies, it is much easier to implement network segmentation. A recent survey by Verizon found that 57% of organizations hope to implement SDN within two years, while only 15% of organizations currently hope to adopt SDN.
The third important development is a robust identity and access management (IAM) system. These software platforms are typically delivered as a service, creating unified identities that are propagated across the entire enterprise network and cloud applications. IAM enforces the authentication policies defined by the organization. Users can access most applications with a single login, without needing to track multiple usernames and passwords.
Zero trust cannot be achieved overnight
Zero trust is not easy to implement. The ideas mentioned above can help your organization move in the right direction, but if you cannot innovate your strategy within a month or even a quarter, do not challenge your own limits. Silicon Angle reported that Lexmark took two years to fully innovate its network serving 8,500 users around the zero trust principle.
This process requires categorizing all the company's data and IT assets and also closing some vulnerabilities, such as default management permissions on personal computers. Chief Information Security Officer (CISO) Bryan Willett spent a lot of time explaining this decision to skeptical users, but the end result was worth it. Now, they can access the required data more easily, and the company's security preparedness score evaluated by third-party service providers has also greatly improved.
The zero trust model will make organizations more at ease when preparing for potential business disruptions.
Author's Introduction
Paul Gillin
Gillin + Laberis Partners
Paul Gillin has written 5 books and over 300 articles on social and digital marketing topics and is currently a full-time columnist for Biznology.com.
评论已关闭