The traditional approach to IT security has always been about building walls. Core data and applications have been housed in data centres and protected by a secure perimeter comprising firewalls and other filters.
Inside the business, access to systems has been restricted by requiring usernames and passwords. In this way, staff can be provided with permissions to use the resources they need to fulfil their roles.
However, there’s now a growing realisation within many organisations that this tried and tested approach is no longer working. The growing use of cloud platforms and the proliferation of mobile devices means that the concept of a protective wall is outdated.
Staff can require access to data and applications from almost any location. Partners, suppliers and customers need access to systems to place and process orders. The IT department wants to take more advantage of cloud-based applications and services to improve flexibility and lower operational costs. Clearly, a new approach to security is required.
The concept of zero trust
Taking a zero trust approach to IT security requires a significant mindset shift. Rather than trying to keep the corporate network secure from threats, it’s assumed to be always hostile because both internal and external threats could be present at all times.
Once this perspective is taken, the controls put in place to restrict access are shifted from the perimeter to individual devices and the people using them. Rather than needing to sit in a corporate datacentre, applications and data stores can then happily live anywhere and be made accessible through a user- and device-centric authentication and authorisation system.
Shifting to a zero trust strategy makes having a robust security architecture a much easier thing to achieve. It puts the user of data, whether that’s a human or a device, at the centre of the model. End-to-end encryption is then used so the data can never be accessed by anyone who doesn’t have the encryption key.
Zero trust doesn’t mean no trust
While the concept of zero trust revolves around the concept that no one on the network can be trusted, in reality there has to be trust at one point in the process: identity verification. You need to be confident that the parties that are granted access to applications and data stores are actually who they say they are.
Many organisations are meeting this requirement through the introduction of multi-factor authentication. This approach bolsters traditional usernames and passwords with a token that can’t be spoofed or replicated. This could be a USB key that must be inserted into a device during the log-in process or a PIN code that is sent to a trusted external device such as a mobile phone. Other alternatives include apps that generate one-time codes that must be entered within a certain period of time.
The benefits of adopting a zero trust approach to IT security are many and varied. One of the largest is that it allows an organisation to take advantage of the full range of deployment options for its infrastructure. Applications and data can be stored on cloud platforms and accessed by users with mobile devices without the need for any traffic to traverse the corporate network or datacentre.
This, in turn, significantly increases business agility. Rather than being tied to deploying and maintaining IT infrastructure in-house to ensure security, full use can be made of cloud services and the public internet.
Then there are cost savings to be enjoyed. Licences for VPN services and other perimeter tools can be reduced while cloud services can be selected on the basis of cost. Overall complexity of the security infrastructure can be reduced.
Finally, workforce productivity will improve through the standardisation of access control across all resources. Users will be able to access the resources they need on the device of their choice from wherever they are working.
Intelligent authorisation is key
Underpinning a zero trust security infrastructure is the concept of intelligent authentication. This is the system required to manage the multiple factors users will need to prove their identity.
Typically, authentication will require three things. These are something the user ‘knows’ such as a password, something they ‘have’ such as a mobile phone, and something they ‘are’ such as a fingerprint. Different activities may require different levels of authentication.
As well as managing these identity credentials, an identity management system must also have the capability to continually gather data and monitor usage in order to verify users and manage access levels as dictated by the organisation’s rules. Once this is in place, applications and data stores will remain secure with only authorised parties having access.
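As an added illustration that is not part of the original article, the following Python policy evaluator sketches the per-activity authentication levels and rule-driven access decisions described above. The activity names, the factor sets each requires, and the session fields are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three factor types: something the user knows, has, or is."""
    KNOWS = "knows"  # e.g. a password
    HAS = "has"      # e.g. a phone or hardware key
    IS = "is"        # e.g. a fingerprint


# Assumed organisation rules: each activity lists the factor types it requires.
# Activities absent from the table are denied by default.
REQUIRED_FACTORS = {
    "read_intranet": {Factor.KNOWS},
    "access_customer_data": {Factor.KNOWS, Factor.HAS},
    "approve_payment": {Factor.KNOWS, Factor.HAS, Factor.IS},
}


@dataclass
class Session:
    user: str
    factors_verified: set       # factor types this session has already proven
    device_managed: bool        # device-centric control: is the device enrolled?
    risk_signals: list          # findings from continual monitoring (constructed)


def decide(session: Session, activity: str) -> tuple:
    """Return (decision, detail); decision is 'allow', 'deny' or 'step_up'.

    'step_up' tells the caller which factor types the user must still present,
    so a low-assurance session is re-verified before a sensitive activity.
    """
    required = REQUIRED_FACTORS.get(activity)
    if required is None:
        return ("deny", "unknown activity")  # default deny, not default allow
    if not session.device_managed:
        return ("deny", "device not managed")
    if session.risk_signals:
        # Continual monitoring found something; revoke rather than trust history.
        return ("deny", "risk signals: " + ", ".join(session.risk_signals))
    missing = required - session.factors_verified
    if missing:
        return ("step_up", "missing factors: " + ", ".join(sorted(f.value for f in missing)))
    return ("allow", "")
```

The same session can be allowed one activity and asked to step up for another, which is the "different levels of authentication for different activities" point in practice.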
There’s no question that use of mobile devices and cloud platforms will continue to increase. By taking the steps now to implement a zero trust security framework, organisations can be confident their IT resources will remain secure at all times.