The past 18 months have served to accelerate changes that were already underway in enterprises. These include the trend for collaboration in business and the adoption of widespread remote working models. Both of these have significantly impacted trust in the secure access systems previously used to prevent and mitigate the damage caused by cyber-attacks.
When you also factor in the continued rise of cloud, IoT, and mobile, it becomes evident that traditional network perimeters have extended far beyond what they once were. The idea of protecting the network perimeter has become somewhat redundant, and new approaches have emerged as a more effective way of protecting digitally transformed organizations.
One of those approaches is the zero-trust security model. Recent research revealed that 44% of enterprises were considering a zero-trust network access/software-defined perimeter to keep the organization secure. What exactly is a zero-trust approach to security, and is it time for you to consider it?
What is zero-trust cybersecurity?
A common misconception about a zero-trust approach to cybersecurity, especially among employees, is that it means the organization doesn't trust anything, including them. But that’s not the case at all.
Zero-trust is a change in approach from the tried and tested methods of cybersecurity. Traditionally, organizations mainly focused on defending their perimeters, assuming that everything within those walls was not a viable threat. That was probably misguided at the time but feels even more so in the current cybersecurity environment.
Zero-trust addresses this by assuming there is no network edge, certainly not in the way there had been previously. With the explosion in the cloud and the Internet of Things (IoT) and the recent spike in remote working because of the pandemic, the network edge can be anywhere, making it hard to find and even harder to protect.
Zero-trust is a framework that requires each and every user to be authenticated, authorized, and validated before they are given access to applications, systems, and data. Any organization striving for digital transformation – and that should be most of them – understands that almost everything is external and should be considered a potential threat until proven otherwise.
An inevitable shift towards zero-trust?
The notion of zero-trust has caught the attention of many organizations over the past few years. Given both the shift in working patterns and the emergence of technologies that make the concept of a network edge redundant, zero-trust has become an attractive proposition.
As part of a broader look at cybersecurity, in May 2021, the Biden administration launched a 30-page Executive Order on Improving the Nation’s Cybersecurity. It covered many issues around cybersecurity, but an essential element was the need for government agencies to adopt zero-trust architectures. Agencies were given 60 days to prioritize the adoption of cloud technology and develop a plan to implement zero-trust architecture.
This was a popular decision. Zero-trust offers more robust security and does not require significant CapEx to get started. Yet not everyone is happy with this approach. While a recent UK poll of senior IT security decision-makers found 98% have either already implemented zero-trust principles or are planning to do so, around one-third of respondents were concerned their employees thought the company didn’t trust them.
Any cybersecurity program requires active participation and engagement from employees; otherwise, it will run into difficulties. We have always stressed the importance of people, processes, and technology working together when approaching cybersecurity, and it is no different with zero-trust.
Zero-trust must mean zero interruption to business
One of the potential drawbacks of a zero-trust approach to cybersecurity is that it adds extra security layers to workflows. While this improves cybersecurity, interrupting the flow of the collaboration and information exchange that is such an intrinsic element of modern business risks antagonizing users and jeopardizing the whole approach.
A cybersecurity strategy will only work by supporting the nature of what an organization does. Otherwise, it becomes a barrier. That’s why Clearswift’s email security solutions have proved so effective. They use Advanced Threat Protection (ATP) and Data Loss Prevention (DLP) to prevent phishing attacks, block ransomware, encrypt data in transit, and provide deep, multi-layered protection.
This is all achieved without a single interruption to the flow of email communication, and day-to-day business continues as it should. Any malicious code is removed, and URLs are disabled in emails and attachments before they even arrive, greatly reducing the volume of threats entering the organization.
Data understanding at the heart of zero-trust
Any zero-trust approach must bear this in mind – cybersecurity can never get in the way of business operations. One of the most critical aspects of zero-trust is a far greater understanding of the data residing in an organization. In an era when data protection has never been so prominent, any business requires a mature data identification and classification framework.
This should include every detail about an organization’s sensitive data – what it is exactly, who created it, who has access to it, where it stands with intellectual property, where it is stored, and who can share it.
HelpSystems DLP, as part of the HelpSystems Data Security Suite, can provide this level of detail and much more besides. It protects data from both external and internal threats via a combination of data classification to identify and prioritize the data that needs protecting, advanced Data Loss Prevention to remove sensitive data from emails and documents, Managed File Transfer to securely share data, and Digital Rights Management to ensure that even if data is stolen, it cannot be opened without the right credentials.
Together, these integrated solutions provide visibility, control, and protection of sensitive data. They can also provide a platform for an effective zero-trust approach.