Zero-trust architecture: Why trusting no one is a smart way to protect your IT infrastructure
The cybersecurity landscape is becoming increasingly difficult to navigate. Not only are cyberattacks rapidly rising in frequency, but their caliber is also improving as cybercriminals become more sophisticated in their methods. It's becoming extremely clear that a new security model is needed. This is where zero trust comes into play.
[ Check out this guide to boosting hybrid cloud security and protecting your business. ]
Put simply, adopting a zero-trust approach to security means trusting no one. It requires all users—whether they're inside or outside a company's network—to be authenticated, authorized, and continuously verified before being granted access to the asset or file.
Why zero trust is gaining pace
It seems like security vendors in every market niche are positioning their products as delivering zero trust in some way. It's rapidly growing in popularity, largely because it arms organizations with a more comprehensive approach to IT security and network defenses by allowing them to restrict access controls to networks, applications, and environments without sacrificing performance and user experience.
More and more businesses are transitioning to a hybrid working model—74% of U.S. companies are using it or plan to permanently allow their staff to work both remotely and on-premises. This gives organizations a host of new challenges, particularly when it comes to cybersecurity, making it crucial for organizations to reevaluate their approach to cybersecurity. They must develop a strategy that meets the needs of this new landscape. Adopting a zero-trust model is quickly becoming the way forward for businesses across many sectors.
[ Foster innovation and keep your teams unified. Download The IT executive's guide to building open teams. ]
The dramatic rise in cyberattacks has led the conversation around zero trust to rapidly gain pace. However, it's not just due to the frequency of attacks, but also the variety of methods.
Insider threats, which originate inside an organization's network, are on the rise. Research suggests that between 2018 and 2020, there was a 47% increase in the frequency of incidents involving insider threats and that insiders are responsible for around 22% of security incidents.
Insider threats can be a product of malicious behavior or unintentional human error. The insider can be a current or former employee, a consultant, or a third party. In some cases, the actors don't even know they’re doing it. A breach can stem from something as innocent as bringing an infected device or document into the network or sharing sensitive information with insecure personal accounts. This factor has likely increased due to the rise in hybrid work.
[ Also read Zero-trust security: What architects need to know. ]
The growth of zero-trust approaches is unsurprising given its ability to counter insider threats by rethinking the data security model to protect all data and applications at all times. A zero-trust approach allows businesses to continually detect and verify threats, and therefore stop them before an intrusion occurs. By architecting zero-trust capabilities into business processes and systems, businesses can increase visibility across their network, continuously monitor and respond to signs of compromise, reduce architectural complexity, and prevent data breaches. This improves overall organizational security, while still delivering a consistent user experience.
How to plan for zero trust
Planning for zero trust generally involves enterprise architects, security architects, and IT security leadership. Implementation also involves IT security analysts and security operations staff.
As ambassadors for their organizations, enterprise architects and other architecture practitioners must work to get the rest of the organization on board. While this may not be an easy step, it's an essential one. The process begins with educating the C-suite and the board about the consequences the wider business could face if it doesn't address its cybersecurity challenges in an appropriate manner.
Nowadays, every organization is digital, so technology must form a key pillar of every company's business strategy. Cybersecurity investment is integral to this. To maximize visibility within their organization, enterprise architects need to clearly communicate how cybersecurity can protect the business, as well as enable and accelerate business strategy and growth.
[ Check out Red Hat's Portfolio Architecture Center for a wide variety of reference architectures you can use. ]
How zero trust improves security management
Zero trust allows organizations to place a greater focus on authentication throughout their information-security management journey. It also enables a more pervasive, rigorous, and frequent approach to authentication. Whereas information-security management has previously been network focused, zero trust allows a more asset- and data-centric approach. It also places a greater focus on authentication, with more security controls aimed at computing devices, apps, APIs, micro-segmentation, and the data itself (with, for example, the ability to apply encryption).
With zero trust in place, there is less need for bolt-on security systems, traditionally used to secure networks. Categories of security solutions, such as network access control and IDS/IPS, must be either reengineered to fit the new model or dropped altogether. There are also fewer point solution boxes to manage.
If the past few years are anything to go by, you can expect cyberattacks to continue increasing. Therefore, an evolved approach to cybersecurity is needed, and adopting a zero-trust mindset throughout your systems is key.
Organizations that embrace information security management system (ISMS) approaches, such as ISO 27001 and 27002, will deploy different security controls with a shift to zero-trust architecture. Some controls, such as authentication and authorization, require more investment (and management), but controls aimed at perimeter security may decrease in emphasis.
Zero-trust security has been informally described as a "standard" for years. However, its status as a standard is currently in the process of being formalized. While many vendors create their own definitions of zero trust, there are a number of standards from recognized organizations that will help business leaders align their organizations to zero-trust architecture, such as NIST 800-207 and IETF. There is additional guidance available from organizations such as The Open Group's Zero-Trust Architecture Working Group and NIST, including emerging reference models that can help ease the transition to zero-trust architecture.
[ Become a Red Hat Certified Architect and boost your career. ]
Organizations from every sector should consider shifting to a zero-trust approach. It's particularly important for regulated and public-sector organizations due to the decentralized nature of their operations and the vast amount of sensitive data they are entrusted with.
Navigate the shifting technology landscape. Read An architect's guide to multicloud infrastructure.