We live and work in the digital world. We are connected, using a variety of devices, and have access to applications and IT systems anywhere and anytime when connected to the Internet.
We can often do our work from home, as corporate IT systems are accessible even from remote locations. Corporate data no longer resides only on the company's own servers, but also in the cloud. In a nutshell:
IT structures today have become more versatile, more complex and thus more vulnerable.
Security was, and still can be, relatively simple: the enemy is often an external threat, so internal data should be safeguarded with security systems. Traditional security concepts assume that all services, devices, and users in your own corporate IT network can be trusted. These concepts have a disadvantage: as soon as someone has entered the company network, hardly any security measures remain in their way.
They also fail to take into account the potentially significant security risk posed by employee negligence, as humans are often the weakest link in cybersecurity.
“Trust but verify is no longer a valid approach. Trust is a vulnerability. Moat-and-castle strategies have failed.” (Source: Forrester Research)
Traditional security approaches focus on protecting the network or the devices that access it. In today's digital enterprise environment, people in charge have far less control over networks, devices, applications, and people than they did before.
The approach of a delimited network, which has to be protected so that the company can feel secure, was based on the axiom "Trust, but verify".
This model divides the network into two sides, external and internal:
The internal “flank” is the weak point in an attack: once attackers have successfully “authenticated” themselves at the external borders, they gain unrestricted access within the company borders.
Digitalisation has made these borders more penetrable, if not eliminated them. There is no longer any separation between what is outside and what is inside. Digital companies have no boundaries: they exist wherever customers connect and where employees and partners interact with data and services.
Digital companies have no internal and external borders.
The zero-trust model is based on the principle "never trust, always verify". There is no distinction between the outside and the inside.
Compared to traditional concepts, the zero-trust model represents a paradigm shift in that it treats all devices, services, and users alike: with distrust.
This paradigm shift has significant implications for the IT security architecture, as security systems can no longer be deployed only at the network boundaries but must be deployed across the network.
The network-perimeter-based information security models (e.g. firewalls) are no longer beneficial in today's digital enterprise because business is no longer limited by its four walls. Although we do not disregard a firewall’s function, it is merely part of the solution.
IT security teams must move toward a multi-tier zero-trust approach to data- and identity-centric security. The IT analyst Forrester Research believes that this is the only working security approach. The Zero Trust framework is the pragmatic model for today’s hostile reality: it includes a mindset, an operating model, and an architecture tuned to cyber threats. A zero-trust approach never requires trust, but continually evaluates "trust" through a risk-based analysis of all available information.
Watch the recording of our webinar "Never trust, always verify! - the DriveLock Zero Trust platform"
Since the GDPR, sensitive data has been clearly defined and must be protected. This ranges from all personal data of customers and employees to intellectual property.
Zero Trust was ultimately developed to prevent data breaches. This must be the most important strategic goal of cybersecurity. Beyond the negative image and loss of reputation that data theft brings the company, you also need to remember that a data breach is an IT incident that can cost a CEO or company executive their position.
A Zero Trust approach also helps stop intrusions, or at least limits the business impact of the theft of sensitive data. Dramatically improved through analysis and automation, Zero Trust offers the responsible IT security officers not only prevention measures but also early detection of and reaction to potential attacks (Detection & Protection).
Read in the following post which elements a Zero Trust model consists of.
About the author: Andreas Fuchs is a product manager at DriveLock SE and an expert carrier for Zero Trust.