Security professionals have an identity problem.
According to the 2021 Verizon Data Breach Investigations Report, more than 80% of data breaches are identity-driven. Attackers increasingly steal and exploit the credentials of employees, contractors, supply chain providers and anyone else legitimately connected to a business to pose as authenticated insiders. This enables them to avoid early detection and move laterally across the organization to launch bigger, more devastating attacks.
Attackers disguised as legitimate users can be incredibly difficult for security teams to track down. Faced with an explosion of new endpoints such as the proliferation of Internet of Things (IoT) devices, an increasing reliance on cloud workloads and SaaS applications, and a dispersed network and workforce driven by COVID-19, telling good actors from bad is harder than ever because the attack surface keeps expanding at speed.
The Zero Trust Approach
In such an increasingly complex landscape, chief information security officers (CISOs) are realizing that Zero Trust is the best antidote to attacks. Based on the principle of “never trust, always verify,” Zero Trust doesn’t implicitly trust anything on the corporate network, even users and connected devices. Instead of assuming they are who they claim to be, Zero Trust requires all users, devices, and data sources to go through a process of authentication and authorization. All actors are then continuously monitored and validated before being allowed to access network applications and data.
Despite its appeal, Zero Trust has not gained much ground. While 95% of decision makers surveyed agree that Zero Trust reduces security incidents, only 59% have launched a Zero Trust pilot, according to a 2021 survey by Pulse Secure and Gigamon. The main reason for the discrepancy lies in the complexity of implementation.
The Complexities of Implementing Zero Trust
Implementing Zero Trust requires focus on three key areas: reworking existing IT architectures, addressing real-time protection of identity, and enabling a frictionless experience for end users, IT, and security teams.
CISOs are wrestling with the challenges of leveraging existing infrastructure as well as implementing Zero Trust without reworking all of the existing plumbing. Many organizations that have launched their Zero Trust journey began by classifying data according to type. Such a precondition might partly stem from security software requirements, but laying the groundwork in this way is tedious and impractical given the volumes of real-time data. Such segmentation misses context about ongoing and dynamic assignment of trust levels.
Patchwork security solutions to address identity challenges related to Zero Trust comprise another complexity. Historically, there have been tools that managed multi-factor authentication (MFA) for identity verification, not network security — and vice versa. As a result, patchwork solutions have proliferated, and the gaps between them are easy for threat actors to exploit. For example, MFA is typically not tied to application accounts, aka service accounts, which have been used as part of recent high-profile breaches. The other challenge is that the real-time aspect of identity is key. Even if you create a zone of trust and assume everything is fine as long as the user remains within a fixed segment, all it takes to compromise a legitimate credential is for the user to click a link in a malware-laden email.
Implementing Zero Trust while still ensuring a frictionless experience for the user is yet another challenge. How many times have calls for entering codes to log in to systems frustrated you? Users aren’t the only ones who benefit from a friction-free experience, as in-house IT and security teams should not be wasting precious time manually sifting through potential false positives and repeatedly verifying identities.
Increase Productivity and Return on Investment
The complexities of a Zero Trust approach faze all but the most hardy CISOs, but common-sense workarounds exist. The key to efficiently parsing high volumes of data in real time is to automate and orchestrate every security process that can be automated.
Give every category of user a risk score, and auto-classify every identity, whether it belongs to a human or a machine. You can then spot security weaknesses from the nature of the incoming data. Give users with largely unvarying profiles a consistent login experience, so that a change in profile can trigger automated protocols that carry out the brunt of verification. Purpose-built algorithms can monitor the data to learn patterns and detect anomalies.
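As an added example (not code from the original post or from any vendor product), the following Python sketch shows the idea above in working form: each identity is auto-classified as a human or a service account, every login is scored by how far it departs from that identity's baseline profile, and crossing a threshold fires an automated step-up verification instead of a ticket for a human analyst. The identities, events, weights and threshold are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed baselines (assumed sample data): the "largely unvarying"
# profile for one human and one service account.
BASELINES = {
    "alice":      {"kind": "human",   "devices": {"laptop-01"}, "countries": {"US"}, "hours": range(7, 20)},
    "svc-backup": {"kind": "service", "devices": {"srv-17"},    "countries": {"US"}, "hours": range(0, 24)},
}
# Risk weights are illustrative assumptions; service accounts rarely have MFA,
# so an interactive (console/web) login by one is weighted heavily.
WEIGHTS = {"new_device": 40, "new_country": 30, "odd_hour": 15, "service_interactive": 60}
THRESHOLD = 30   # assumed score at which automated step-up verification fires

@dataclass
class Event:
    user: str
    device: str
    country: str
    hour: int
    interactive: bool   # True for a human-style console/web login

def risk_score(ev: Event):
    """Score one login against the identity's baseline; returns (score, reasons)."""
    base = BASELINES.get(ev.user)
    if base is None:                         # never-seen identity: maximum risk
        return 100, ["unknown_identity"]
    score, reasons = 0, []
    for reason, hit in (("new_device", ev.device not in base["devices"]),
                        ("new_country", ev.country not in base["countries"]),
                        ("odd_hour", ev.hour not in base["hours"]),
                        ("service_interactive", base["kind"] == "service" and ev.interactive)):
        if hit:
            score += WEIGHTS[reason]
            reasons.append(reason)
    return min(score, 100), reasons

def decide(ev: Event) -> str:
    """'allow' when the profile is unchanged, else 'step_up' (automated re-verification)."""
    score, _ = risk_score(ev)
    return "step_up" if score >= THRESHOLD else "allow"

if __name__ == "__main__":
    for ev in (Event("alice", "laptop-01", "US", 9, True),
               Event("alice", "phone-99", "DE", 23, True),
               Event("svc-backup", "srv-17", "US", 3, True)):
        print(ev.user, risk_score(ev), decide(ev))
```

A real deployment would feed the scorer from the identity provider's login stream and persist baselines per identity; the point here is that only deviations reach a human.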
The best Zero Trust implementations will take a cloud-native approach and lean on human security teams only as a last resort.
Think about the long game. If you follow the tenets of Zero Trust with intelligent solutions, you will reduce cost and complexity with an architecture you can live with for a while. You will have solved not just endpoint or network security, or identity and data security, but invested in a comprehensive cloud-native approach that addresses all of these pillars at the same time.