What is a Zero Trust Enterprise?
Businesses all over are digitally transforming their processes and systems. Internet-connected technologies and new working conditions, including remote and home working, have created opportunities for cybercriminals to exploit. The result is a heightened security risk.
The evidence that cybercriminals are winning the war of attrition against the enterprise is mounting: Risk-Based Security’s mid-year report for 2021 found that 18.8 billion data records were breached during the first 6-months of the year. Ransomware has soared in volume and damages; the biggest ransom to date appeared in 2021, with Acer being targeted with a $50 million ransomware attack. The enterprise door is open for the cybercriminal to walk in, but the Zero Trust Model approach to cybersecurity attack mitigation is helping to slam that door shut. However, this model must be deployed effectively to ensure an organization has a robust security posture that reflects a Zero Trust Enterprise. We’ve teamed up with Palo Alto Networks for a crash course on how a Zero Trust security model can propel your company’s cybersecurity approach.
What is the Zero Trust Model, and how does it fit enterprise needs?
“The days of managing implied trust by relying on a static, on-premises workforce are gone.” - Palo Alto Networks
Enterprises worldwide are looking to the security industry to help protect their people, assets, and data against insidious and sophisticated cyber-attacks. This has led to developing a strategic approach to cybersecurity risk that uses the notion of ‘trust’ to enforce security policies. In a Zero Trust Enterprise (ZTE), there is no longer reliance on the concept of ‘implicit trust.’ Instead, all digital interactions are validated every time any user or device attempts to access a corporate resource. This more proactive approach to cybersecurity fits perfectly with the modern unbounded, hyper-connected enterprise.
The boundaries of the enterprise were further stretched in 2020. One of the persistent outcomes of the pandemic has been the move to remote or hybrid working. This new work regime is set to continue, with Gartner predicting that over half of all knowledge workers and 31% of all workers worldwide will work remotely by the end of 2021, almost double the number in 2019. This remote or hybrid work environment is expected to continue.
Enterprises need to deliver anywhere, anytime, any device, access to corporate IT networks, printers, apps, and data. This situation demands a new way of controlling how this access is achieved, balancing security with optimal user experience. Implicit trust is broken and replaced with “never trust, always verify” in the Zero Trust Enterprise.
“Never trust, always verify”: the end of implicit trust
The first half of 2021 saw a 100+% increase in cyber-attacks targeting smart devices, with 1.5 billion attacks on IoT devices recorded. A Zero Trust approach is the answer to the rise in cyber-attacks associated with internet-connected devices through continuous monitoring and validation of every digital transaction using checkpoints such as the following:
- User location
- Source of connection
- Access method
By applying a Zero Trust Model to cybersecurity risk mitigation, security becomes intrinsic by design. It is ‘baked’ into every network, connection, and all endpoints, no matter where they are in the expanded enterprise network. By validating every access event, as it happens, and by assuming access events should never be implicitly trusted, these attacks can be stopped in their tracks.
But how does an enterprise achieve a Zero Trust stance?
The three components to deliver a Zero Trust Enterprise
"By taking a holistic, platform-based approach to Zero Trust, organizations can secure their digital transformation initiatives while enjoying increased levels of overall security and significant reductions in complexity." - Palo Alto Networks
Zero Trust is an ethos built upon a holistic process that makes use of robust measures and technologies. Three key elements are used in the zero trust journey:
Establish (your Zero Trust ecosystem baseline)
A single technology does not achieve zero Trust. Instead, it should be thought of as a different approach to cybersecurity. The approach of Zero Trust is to establish an ecosystem of processes and technologies that sync and solidify around a validation to process an access request. This ecosystem is composed of three pillars, where implicit trust is replaced by ‘never trust, always verify’:
Users: “least access” is the pivot upon which Zero Trust turns: only allow access on a need to have basis.
Applications: applications play an important part in a Zero Trust enterprise. Implicit trust must be removed from applications so that Zero Trust can be established.
Infrastructure: All infrastructure components from routers to IoT devices must have implicit trust removed to achieve Zero Trust.
Build (up to your Zero Trust stance)
After initiating the fundamentals of Zero Trust and understanding the three pillars of the enterprise Zero Trust ecosystem, you must establish where validation controls should be applied; this allows the Zero Trust Enterprise journey to move into the policy and build stage. Zero Trust policies should reflect the core validation requirements across your IT real estate. To begin your build stage, you can look at your existing security measures and solutions and then use them to implement Zero Trust across the three pillars: users, applications, and infrastructure.
Take this opportunity to educate the Zero Trust approach to non-technical executives in a concise, easy-to-understand way.
Enforce (your Zero Trust Enterprise)
Deploying the right technologies allows you to enforce your Zero Trust enterprise across the three pillars. These technologies include:
Robust authentication is used to authenticate and authorize transactions, verifying a request before granting access.
Technology suggestions: Enterprise IAM (Identity and Access Management) and Prisma Cloud
Verify and monitor
The continuous monitoring of infrastructure and applications is fundamental to establishing Zero Trust. Enterprise assets, such as laptops, servers, applications, etc., must be verified to establish integrity. For applications and cloud infrastructure, the requested device or microservices, storage or compute resources, partner, and third-party apps must be verified before granting access.
Technology suggestions: This aspect of a ZTE is fundamental but also a challenge to implement. However, an SOC (Security Operations Center) can provide the tools to monitor your infrastructure and applications continuously, looking for signs of anomalous or malicious intent. The underlying technology used to achieve this is known as User Endpoint Behavioral Analysis (UEBA). This provides threat hunting, anomaly detection, correlation rules in a SIEM, and more, to double-check the trust decisions that form the basis of a ZTEs.
Enforce least privilege
Post successful access, the principle of least privilege must be applied to further secure and control resources; in other words, only give access to what is needed and no more.
Technology suggestions: Enterprise IAM, Network Security Platform, e.g., Prisma Access
A Zero Trust game for the secure enterprise
Almost three-quarters of enterprises have already deployed or plan to deploy a Zero Trust model. These enterprises are driven to do so because of increasingly challenging cybersecurity threats. The 2021 Cost of a Data Breach Report provides evidence that using a Zero Trust approach is a forward step in managing these threats; a key finding from the report was that “A Zero Trust approach helped reduce the average cost of a data breach (by around 43%.).” By following the pathway to becoming a Zero Trust Enterprise, you can finally expect to meet and exceed the challenges of modern cybersecurity threats.