In a business world that is facing an ever-increasing and intensifying threat landscape, enterprises must re-evaluate their current security perimeter approach. The old mantra of verify = trusted has proven again and again to be inadequate. Traditional perimeter-based approaches aren’t effective when applied to modern workloads and topologies. It’s time to consider a zero-trust security model.
While traditional perimeter-based security models have served enterprises well in the past, they are increasingly losing their effectiveness when applied to modern workloads and topologies. As applications shift out of the data center and into the cloud, and employees, partners, and contractors shift from dedicated offices to remote access in homes and coffee houses, the perimeter itself is dissolving.
“If you’re applying the same 40-year-old concept of the network perimeter against the threats we face today, breaches are going to happen,” says Akamai CTO Charlie Gero. According to Gero, there is a need to rethink the concept of the enterprise network and the idea of trust to secure and accelerate businesses.
Traditional VPNs are being stretched beyond their initial purpose to desperately try to hold together the remnants of an increasingly obsolete network architecture. And no one knows that better than the threat actors who are exploiting weaknesses in traditional security perimeters that simply weren’t designed for this.
What is zero trust?
Zero trust is a network architecture and security model designed by former Forrester analyst John Kindervag. The concept focuses on a few key points, including recognizing that there is no distinction between anything that is external or internal.
Never Trust, Always Verify
There should be exactly that: zero trust, with data delivered only to authenticated users or devices. There must also be verification through logging and behavioural analytics.
Implementing zero trust
Although the principle is sound, to date there has been no firm definition of zero trust. The concept serves as a guiding principle, and it is recognized that some applications simply cannot be changed. Realistically, the more apps your business uses, the more changes will be needed.
However, the guiding principle also states that this should be achieved with little or no change to application code.
Zero trust is used to gain visibility and context for all traffic, which therefore needs to pass through a next-generation firewall with decryption capabilities. This firewall enables micro-segmentation of perimeters, sort of like building fences within your own compound.
I use the term fence because while the security is necessary, so is the visibility to verify traffic as it moves around. Verification can also be enhanced by protocols such as two-factor authentication and other methods.
While all of this may sound impossible, Google has already attempted it with BeyondCorp.
Secure freedom for Google employees
BeyondCorp has been under development at Google for the past six years and combines best-of-breed ideas and practices from the community. By shifting access controls from the network perimeter to individual devices and users, BeyondCorp allows employees to work more securely from any location without the need for a traditional VPN.
Today, BeyondCorp is used by most Google employees every day to provide user- and device-based authentication and authorization for Google’s core infrastructure.
At the end of the day, always remember that savvy organizations must not only maintain high security levels but also keep up a rigorous employee education programme. The programme should include comprehensive training on endpoint and social network usage, among other things.