As the COVID-19 vaccine continues to roll out across the country, we anticipate offices will slowly reopen in the coming months. However, the pandemic proved that a work-from-home model can be valuable for a lot of businesses, and we expect that some form of a flexible hybrid working environment will continue for most. While this is a huge step forward in terms of providing more work-life balance for employees, it also amplifies the need for a tighter, flexible security strategy for businesses moving forward. That is why many organizations are turning to a zero-trust architecture.
Zero trust is a best-in-class security approach. As the name implies, zero trust means that an organization cannot automatically trust anything inside or outside its perimeter and instead must verify everything that tries to connect to its systems before granting access.
Let’s take a closer look at how zero trust gets out in front of today’s threat landscape, some of the challenges of implementing zero trust, and the first steps partners can take to help their customers deploy a zero-trust architecture.
Zero trust supports an evolving threat landscape
With zero trust, every interaction with a business’ infrastructure is treated as its own internet connection. This means security is focused on who is accessing the environment, rather than on the devices being used.
In a zero-trust model, a user’s personal identity has dual purposes. Not only does it act as the most important credential for users to access the network through user authentication, but it is also the network’s most important security measure. Everything within a corporate network becomes gated based on a user’s personal authentication and the strength of that credential. It also takes other measures into consideration, like the safety of the network from which they are accessing – for example, a public Wi-Fi network at the airport vs. a private home office network.
This approach stacks up strongly against today’s sophisticated threat landscape, which has evolved in line with today’s remote work environment. We are seeing attacks aimed at vulnerabilities in firewalls and VPN infrastructure because attackers know they are weak links, perfect for gathering and compromising devices that can later be leveraged for further penetration and attacks. By putting more weight on user authentication, zero trust can replace traditional perimeter security by making each user’s identity the new perimeter. Reinforcing user authentication as the last, best line of defense eliminates the effectiveness of attacks aimed at firewalls and VPN connections and highlights the need to focus on authentication strength, as well as reassessing what assets users have access to on a network.
Challenges to overcome
Organizations that have already migrated to cloud-based applications will likely see a smooth transition to zero trust, as the switch from traditional firewall connections to many-to-many authentication is seen as merely a bump in the road. But many companies have not done this type of cloud migration yet, and it can feel like a big undertaking.
We’re finding that one of the biggest challenges for implementing zero trust is in changing the mindsets of legacy-oriented executives, especially within specific industries. IT teams at companies in tech-first industries like finance may better understand the advantages of zero trust since they have embraced cloud technologies for a while. But for IT professionals in areas like manufacturing that have not seen the need to evolve their tech stack, education and awareness will be a big piece of the puzzle. Transitioning to zero trust can mean massive disruptions for a business and in many cases will require support from partners that can help them navigate these transitions successfully.
Zero trust is not a “set it and forget it” strategy. It’s a multi-phase journey that starts with improving visibility and a clear, strategic plan to incorporate the right technologies. Partners can support their customers in transitioning to a zero-trust model by starting with three key steps:
- Helping their customers apply cloud-based two-factor authentication.
- Working with customers to identify all corporate network resources and creating strictly defined access control lists, both static and dynamic, for those resources, to avoid being too liberal with access for users who don’t need it.
- Providing customers with the right tool sets to enable many-to-many connections (rather than a single connection through a firewall) and utilizing a solution, like Sophos Zero Trust Network Access, that manages authorizations for those connections.
If done right, the end user should not notice much difference compared to authenticating via VPN. New authentication credentials may be required, such as corporate credentials or two-factor authentication, but that should simply take the place of how the user is authenticating already.
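To make the access gating described above concrete, here is an added example (not Sophos code and not part of the original article) of a per-request decision that combines a static access control list with dynamic checks on credential strength and network type. The resource names, roles, strength levels and the "step-up" outcome are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed static ACL: roles allowed to reach each resource (hypothetical names).
STATIC_ACL = {
    "payroll-app": {"finance"},
    "wiki": {"finance", "engineering"},
}

# Constructed dynamic rules: minimum credential strength per resource and network.
# Assumed scale: 1 = password only, 2 = password plus a second factor.
MIN_STRENGTH = {
    "payroll-app": {"private": 2, "public": 2},
    "wiki": {"private": 1, "public": 2},
}


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    auth_strength: int
    network: str  # "private" (home office) or "public" (airport Wi-Fi)
    resource: str


def decide(req: Request) -> str:
    """Return "allow", "step-up" or "deny" for a single connection attempt."""
    allowed_roles = STATIC_ACL.get(req.resource)
    # Static check: unlisted resources and unlisted roles get nothing by default.
    if allowed_roles is None or not (req.roles & allowed_roles):
        return "deny"
    # Dynamic check: an unrecognized network context fails closed.
    required = MIN_STRENGTH.get(req.resource, {}).get(req.network)
    if required is None:
        return "deny"
    # Right user, weak credential for this context: ask for a second factor.
    if req.auth_strength < required:
        return "step-up"
    return "allow"


if __name__ == "__main__":
    eng = Request("dana", frozenset({"engineering"}), 1, "public", "wiki")
    print(eng.user, eng.resource, decide(eng))
```

Every request is evaluated on its own, so the same user can be allowed from a home office and asked for a second factor from public Wi-Fi without any change to the static list.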
The time is now
The move to a more hybrid working model may have accelerated the need for zero trust security, but the truth is this has been a long time coming. Rather than continuing to force employees through vulnerable firewall and VPN connections, partners must help businesses double down on flexibility in their security, too. That’s what zero trust helps them do.