Why organisations need a zero trust approach to cybersecurity and why it’s a big opportunity for your business.
There was a time, not so long ago, when a CEO could sit behind their organisation’s firewall and feel confident that their network and business were safe and secure. Alas, those days are gone. The “castle and moat” approach to security no longer works. With the growth of the mobile workforce, employees working in the cloud, and the Internet of Things, the enterprise perimeter has moved out to the internet. Points of access and endpoints have proliferated, making security breaches easier. And attacks are becoming more costly.
Businesses are losing trillions of dollars
- Cybercrime will cost the world $6 trillion per year by 2021, up from $3 trillion in 2015, according to Cybersecurity Ventures’ 2017 Annual Cybercrime Report
- 80% of security breaches involve privileged credential access, says a Forrester study
- Globally, the average cost of a data breach is $3.62 million, claims the 2017 Data Breach Study conducted by the Ponemon Institute and sponsored by IBM
The way forward: zero trust
Back in 2010, a principal analyst at Forrester Research Inc named John Kindervag realised that the traditional security model wasn’t sustainable. He called for a new approach – one where no one and nothing could connect to an organisation’s systems until they could be verified. In other words, you shouldn’t trust anyone – not even if they’re inside your perimeter. He coined a name for this: the Zero Trust Network, or Zero Trust Architecture.
The idea caught on. By 2014, Google was adopting a zero trust strategy, and its CIO Ben Fried was recommending that other enterprises do likewise.
The same year, the Wall Street Journal said: “The wave of the future is building or adopting enterprise infrastructure that is essentially ‘zero trust.’”
Today, John Kindervag is Field CTO at one of our vendor partners, Palo Alto Networks, where he continues to promote zero trust. He says trust represents a vulnerability for digital systems:
“[. . .] no person—as abstracted by a [data] packet—or device can be trusted. Tossing a barrage of best-of-breed point solutions at the problem ultimately increases the risk, because it creates more gaps and more vulnerabilities, while at the same time greatly increasing operational complexity, which, of course, also massively increases risk. Zero Trust is a concept that will gain traction and become the norm within the cybersecurity arena. It represents the future of enterprise security.”
The opportunity for your business
In January 2018, Chase Cunningham, a principal analyst at Forrester, said: “If I have 20 calls, 17 are about zero trust. CISOs, CIOs and CEOs are all interested, and companies of various sizes are interested.”
Gartner says, “[. . .] implementing zero-trust networking can be an effective way to tackle [cyber and ransomware] threats.”
And our vendor partner Symantec reports an increase in projects at its key customers that are aligned with a zero trust ecosystem approach.
So it’s not surprising that Gartner forecasts worldwide spending on information security products to grow in 2019 by 8.7 per cent over this year to $124 billion. The signs all point to zero trust security being a big opportunity.
Zero trust for your clients
To effectively deal with today’s and tomorrow’s threats, and ensure uninterrupted growth, business leaders need to change their thinking. They must now address security at a granular level, with their firewall closer to the asset they’re trying to protect. As Symantec says: “The perimeter is dead: Long live the micro perimeter.”
More specifically, businesses need to:
- Make sure all data and resources are accessed securely, based on user and location
- Adopt a least-privileged access strategy and strictly enforce access control
- “Always verify,” inspecting and logging all traffic
- Add more authentication methods to counter credential-based attacks
Zero trust is about your customers controlling who and what connects to their organisation, and when and where those people or things connect. To do this, they’ll need Next-Gen Access tools that secure applications, devices, endpoints and infrastructure. These tools enable them to fend off a wide range of cyber threats.
When to implement zero trust
A zero trust strategy can be implemented as part of an enterprise’s digital transformation. Three of the best situations for adopting this new approach are:
- When phasing out a VPN
- When an organisation is giving partners third-party access to internal applications
- In the event of a merger, acquisition or divestiture
If you want to find out more about how to secure your customers and your profits with zero trust, speak to us.