What is zero trust?
The guiding zero trust principle – “never trust, always verify” – has become an essential practice for securing today’s complex and diverse cloud networks. Not so long ago, you could lock your company’s front door, confident that all your valuable information was secure within those walls. Then along came laptops and disks and memory sticks – and every so often you’d hear a story about someone leaving state secrets on a train somewhere. Today, your company’s data is available potentially anywhere there’s connectivity. And with the unprecedented rise in remote and distributed workforces, that “anywhere” can literally be “anywhere on the globe.”
These days, the best software solutions all run in the cloud – to say nothing of the millions of connected devices and assets in the world’s industrial IoT networks. And while cloud applications are not typically less secure than on-premise ones — quite the opposite, in fact — there are new risks in today’s connected world. Digital and cloud technologies have widened what security experts call the attack surface of every organisation.
Traditional cybersecurity protocols were modeled on the idea of users going through security at the company’s virtual front door and then having the run of the place once they got inside. In other words, they were developed in a pre-cloud world. But now there are more access points – an employee’s personal phone or an IoT printer could be a potential portal – and companies have had to crack down on their security strategies. With cyberattacks at a record high, network security should be in a priority position at the top of your to-do list. Zero trust implementation requires commitment and collaboration across your entire business.
Zero trust: Definition and strategy
John Kindervag was working as an analyst at Forrester Research in 2010 – at a time when cloud applications and IoT devices were beginning their rapid rise. Kindervag rightly recognised the enormous sensitivity and value of the data and intellectual property held within Forrester’s systems. In response to this growing risk, he coined the term zero trust and led the development of many of its core principles.
Zero trust can be defined as an IT security model that requires every user and potentially connected device to strictly verify their identity whether they are inside or outside the company’s perimeters. Zero trust architecture (ZTA) relies upon a set of processes and protocols as well as dedicated digital solutions and tools to achieve success.
Zero trust network access (ZTNA) is the application of zero trust architecture; Gartner defines it as the creation of “an identity- and context-based, logical access boundary around an application or set of applications.” This removes these applications from public view and allows in only those users who are verified and who adhere to pre-specified access policies.
But in reality, zero trust begins as a cultural transformation within your organisation. We tend to think of cybersecurity in terms of bad actors who strive intentionally to cause harm, but unfortunately, it’s often ignorance rather than malevolence that leads to risk and loss. In fact, a recent report shows a 48% increase in email attacks in just the first half of 2022, in which employees were lured into scams or divulged details as a result of phishing. This illustrates why education and cultural buy-in are such critical components of zero trust implementation.
Why are zero trust principles so necessary right now?
There’s little doubt that cyberattacks are on the rise. In 2022, a major survey was conducted involving 1,200 large organisations across 14 different sectors and 16 countries. Despite prioritizing cybersecurity, many of the respondents admitted to having inadequate security. In fact, the findings showed an alarming 20.5% rise in the number of material breaches in the months between 2020 and 2021.
The following are some of the other security challenges that today’s businesses face:
- Legacy firewalls. Many companies are overly reliant upon firewalls that pre-date the proliferation of cloud connectivity. VPNs are a viable band-aid to augment firewalls, but they are not an effective long-term solution due to their limited scope and tendency to slow down business app performance, which in turn impacts employee productivity.
- Verification complexity. Device agnostic software is great for users but adds a complex layer to security protocols. Even when users have company phones and laptops, they are only as safe as the verification and security protocols that are in place to protect them.
- Third-party devices. With the pandemic, entire workforces were sent to work from home – almost overnight. Many companies had no choice but to let employees use their own computers and devices. In many cases, security workarounds were established to keep the business running and the lights on. But many companies have yet to unravel these temporary measures and implement more bulletproof zero trust measures for their remote workers.
- Unauthorised applications. The use of SaaS business apps is on a steady upward trajectory. Unfortunately, many IT teams are stretched thin, often causing users to resort to purchasing their own apps and using them within the company network, without informing their IT teams. Not only are these apps not subject to strict zero trust practices, but they may also have bypassed security measures altogether.
- IoT connectivity. An Industrial IoT device can be as simple as a fan or a welding machine. Because these devices are not considered a “computer” of any kind, users can easily forget that they are a potential access point into the company network. Zero trust architecture puts automations and processes into place that ensure security for all endpoints, machines, and IoT assets.
- Omnichannel portals. Employees aren’t the only ones in your business cloud. Increasingly, we’re seeing connected devices such as smart shelves in stores, and “pay anywhere” mobile apps. Any of these omnichannel portals represents a risk. Zero trust helps to address those risks without undue inconvenience or delay to your customers.
- ERP security challenges. In years past, ERP systems were limited to certain planning and finance tasks and had a limited set of users within the business. Today’s best cloud ERP systems, however, are driven by AI, advanced analytics, and powerful, scalable databases. They have the ability to integrate with disparate applications and systems across the business and are increasingly being leveraged to optimise and streamline every operational area. Modern ERP systems have advanced security systems built in but, like any system, they have vulnerabilities, which only compound with wider reach and accessibility. Zero trust principles, when applied to strong cloud ERP security, help protect your business at every stage.
How does zero trust work?
Zero trust combines a set of technologies and protocols such as multi-factor authentication, endpoint security solutions, and cloud-based tools to monitor and verify a variety of attributes and identities – from users to endpoints. Zero trust also requires the encryption of data, emails, and workloads to ensure their security. Essentially, zero trust protocols:
- Control and limit network access from anyone, anywhere, through any device or asset
- Verify any user or asset that does or could gain access to any level of the network
- Record and inspect all network traffic in real time
A zero trust security model uses a need-to-know policy. Essentially, this means that users only have access to the data and applications they need to do their jobs. And once again, technology is the double-edged sword in the race for better cybersecurity. As digital solutions and connectivity improve, they create a bigger attack surface, so better and faster security technologies are required to keep up. And not just keep up but also cause minimal inconvenience and disruption for the user. This requires highly agile and dynamic security policies, supported by contextual information and the maximum amount of data points available – and in real time. Who is this person? Where are they? What are they trying to access? Why do they need that access? Which device or endpoint are they coming in on?
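The five questions above can be read as the inputs to a per-request policy decision. The following is an added example, not code from this page or from any SAP product: a minimal default-deny evaluator that applies need-to-know, checks identity, location, justification and device posture, and records every decision. The role names, resources, country list and field names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy data for illustration: role -> resources that role needs.
NEED_TO_KNOW = {
    "finance-analyst": {"erp/ledger", "erp/reports"},
    "warehouse-operator": {"erp/inventory"},
}
ALLOWED_COUNTRIES = {"DE", "GB"}  # constructed example value
AUDIT_LOG = []                    # every decision is recorded, allow or deny

@dataclass(frozen=True)
class AccessRequest:
    user: str             # who is this person?
    role: str
    mfa_passed: bool
    country: str          # where are they?
    resource: str         # what are they trying to access?
    justification: str    # why do they need that access?
    device_id: str        # which device or endpoint are they coming in on?
    device_managed: bool
    device_patched: bool

def evaluate(req: AccessRequest):
    """Default deny: return (allowed, reasons); any failed check blocks access."""
    reasons = []
    if not req.mfa_passed:
        reasons.append("identity not verified with MFA")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append(f"location {req.country} is outside policy")
    if req.resource not in NEED_TO_KNOW.get(req.role, set()):
        reasons.append(f"role {req.role} has no need-to-know for {req.resource}")
    if not req.justification.strip():
        reasons.append("no business justification supplied")
    if not (req.device_managed and req.device_patched):
        reasons.append(f"device {req.device_id} fails posture check")
    allowed = not reasons
    AUDIT_LOG.append({"user": req.user, "resource": req.resource,
                      "device": req.device_id, "allowed": allowed, "reasons": reasons})
    return allowed, reasons

if __name__ == "__main__":
    # Constructed sample requests: compliant, personal device, in-role, out-of-role.
    samples = [
        AccessRequest("alice", "finance-analyst", True, "DE", "erp/ledger", "month-end close", "lt-0142", True, True),
        AccessRequest("alice", "finance-analyst", True, "DE", "erp/ledger", "month-end close", "phone-7", False, True),
        AccessRequest("bob", "warehouse-operator", True, "GB", "erp/inventory", "stock count", "hh-0031", True, True),
        AccessRequest("bob", "warehouse-operator", True, "GB", "erp/ledger", "", "hh-0031", True, True),
    ]
    for s in samples:
        print(s.user, s.resource, s.device_id, evaluate(s))
```

The same verified user is allowed from a managed laptop and refused from an unmanaged phone, and a verified user on a healthy device is still refused a resource outside their role.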
Benefits of zero trust solutions
At their most serious, data breaches can be catastrophic. Your customers’ private data is at stake as are your finances, your intellectual property, and of course, your good reputation. Like insurance, security investments can seem like a big expense… until you need them. And then they look like a small price to pay to protect your business.
Some of the many benefits of zero trust solutions include:
- Protecting hybrid and remote workforces. We’ve discussed how remote workers and personal devices have upped the cybersecurity game. But it’s not just your company that is at risk. Cybercriminals can target your employees personally so it’s important to ensure that strict measures are in place to reduce their risk and yours.
- Supporting agility and new business models. To compete and manage disruption, businesses must be able to pivot and explore new business models. This means onboarding new applications, software, and connected assets. Ensuring security under these circumstances is a daunting task if handled manually. Fortunately, the best zero trust software tools can speed things up with smart automation and customisable solutions that ensure all crucial steps are taken.
- Reducing IT resource expenses. Ask any IT professional how much time they spend on manual security tasks – the answer is probably “too much”. As businesses move their core enterprise systems to the cloud, security patches and updates can be automated and performed in the background. This applies to zero trust security protocols as well. From users to endpoints, many of the core encryption and verification tasks associated with zero trust can be automated and scheduled.
- Providing an accurate inventory. Zero trust principles require the company to keep an accurate inventory of all assets, users, devices, applications, and connected resources. With the right solutions in place, the inventory can be set to update automatically, ensuring real-time accuracy. In the event of an attempted breach, this is an invaluable investigative tool. Furthermore, companies often have millions tied up in wayward assets, so an accurate inventory is a financial benefit as well.
- Delivering a better user experience. Traditional verification processes could be slow and difficult to manage. This led to users either trying to circumvent security protocols, or even avoiding the use of essential tools and applications due to their being hard to use. The best zero trust solutions are built to be unintrusive and responsive, relieving employees from the hassle of inventing (and then forgetting) passwords, and slow-to-respond verification processes.
Zero trust best practices: Getting started
There are several tasks that you will need to undertake once your zero trust transformation has begun. These include cataloging your assets, defining segments within your organisation, and classifying your data for a smoother transition.
Zero trust begins with a commitment and the following steps can help you get rolling:
- Delegate. Your IT team is already too busy. Consider bringing in or appointing a dedicated cybersecurity change management professional who can help you mitigate risks, spot opportunities for improvement, and build a workable road map.
- Communicate. Let’s face it, your employees are not going to immediately be thrilled by news of stricter security measures. As you invest in better security, you should also invest in more engaging messaging and communication around this transformation. There are plenty of real-world examples of the dangers of cybercrime. Help your teams to understand that it’s not just the C-suite that gets hit by a data breach – it costs jobs, affects individuals, and threatens the survival of the company.
- Audit. Working with a security specialist, establish a checklist of security risks and audit each area of the business. Break down silos and connect with subject specialists across your team. They know better than anyone where the weaknesses and vulnerabilities are in their areas – particularly in complex, global operations like supply chains and logistics.
- Prioritize. Determine the relative importance and urgency of all your business operations and tasks and assign a rating. Determine a roles-based assessment of who critically needs access to things and who less so. This initial prioritization will also help to prepare you for micro-segmentation which is a fundamental component of zero trust – preventing lateral movement and its attendant exposure to data breaches.
In today’s world of euphemisms and careful language, zero trust may seem to your employees like a somewhat cynical term. So, get out in front of that when you introduce zero trust to your teams. Tell them at the outset that this in no way means you don’t trust them. It’s the cybercriminals that no one should trust – because they can make things seem like something they’re not. They can sneak in through the tiniest gaps and once they’re inside, they don’t care who they damage.