Identity is the new perimeter - we have been hearing this for a while but what does it really mean? Perimeter-based security approaches have become something of the past now that cloud computing and remote working are the norm for many organisations. The user being inside or outside the corporate network is no longer a fail-proof method of authentication (AuthN) and authorisation (AuthZ). Zero Trust is a concept built around the idea of assuming an omnipresence of threats inside and outside the network and hence every identity is authenticated and authorised through adaptive control measures and policies.
Avoid Being Tomorrow’s Ransomware Headline
There are new cyber-attacks every day now (Colonial Pipeline and the Irish healthcare system, to name a couple of recent features), as threats become more sophisticated and pervasive and businesses are not taking the initiative to change their security. It falls to the question of how to change, especially with so many (expensive) divergent routes to strengthen security measures.
Zero Trust is perhaps a misleading term. Focussing on the lack of trust takes away from what the benefit of Zero Trust is: establishing not only who the user is, but also the context in which they want to access the data. This can mean verifying the tools or device they are using and how secure they are, and whether they are authorised to access the data. “Forever AuthN/Z” may have been a more constructive name but maybe not so catchy…
A Migration Journey Not An Overnight Switch
Achieving Zero Trust for your organisation is a journey rather than a destination, but a journey that you should embark as part of your risk management strategy to avoid being the next organisation hitting the headlines. Zero Trust is not the same as Identity and Access Management (although it has a part to play) and is not a turnkey solution: you cannot buy it and there are several building blocks, including:
- Strong authentication
Passwords are not sufficient in this ever-evolving threat landscape. There is a reason why Google is enabling two-factor authentication by default for all its users, and why other organisations will follow suit.
- Context-dependent authorisation policies
Adaptive authentication takes contextual factors into account when verifying a user’s identity, such as location and device, minimising the risk of unauthorised access.
- Data analysis
Consistent analysis of user behaviour and identity-related information enables an organisation to generate a real-time risk score that can trigger alerts and inform downstream systems.
From Stumbling Blocks to Building Blocks
As with traditional IAM, you need to understand the challenges that will take place for everyone in the organisation to ensure adaptability and scalability for the solutions and policies in place. Here are three core challenges of Zero Trust that organisations commonly face:
- Legacy infrastructure often poses an obstacle to Zero Trust journeys, as upgrading to allow for a defence-in-depth approach is either impossible or costly for some systems. For example, it is estimated that over £2 trillion passes through legacy banking systems every day. These systems often do not allow for the dynamic verification inherent to Zero Trust Architectures.
- The evolving digital workforce presents a key challenge for Zero Trust: different kinds of users, devices, applications, and ways to access data make it harder to ensure continuous control. Cloud migration, for example, adds a layer of complexity with the logistics of managing access control for hybrid environments. Partnering with a team of experts is often the best time-to-value method for Zero Trust migration.
- Everyone in the organisation will be affected by access control policies. This does not have to mean blocked workflows and employees locked out of files. Policies can be good or bad. Ensuring effective communication, education and feedback across all users during the implementation of any stages along the Zero Trust migration is the easiest way to avoid impacting business performance.
The challenges of Zero Trust exist primarily as a result of the ever-changing digital landscape and ubiquity of threats. This is hence also why the Zero Trust model is increasingly prevalent and favourable for modern enterprises. For more information about Zero Trust and to start a conversation with one of our expert team about your organisation, get in touch today by filling in our contact form and let us help you build a realistic Zero Trust maturity model for your journey. A member of our team will respond to you as soon as possible.