The rise of hybrid working and the distributed workplace have created new security challenges for the network. So has the evolution of the Internet of Things, which is connecting an ever-higher number of devices to the network.
The more digitally connected you are, the greater your risk of cyberattacks. You have to assume that it’s not a question of if your organization will be breached, but when.
Zero trust security is one approach to tightening security in this new environment, but it’s not actually a new concept. Its principles have been applied in different areas for decades already.
In the past, users or devices inherited trust and access to certain resources when they connected to an on-campus network by plugging in a network cable or connecting via a virtual private network (VPN).
Now, we no longer make that assumption of trust. Instead, we verify upon each and every connection that there really is a valid and authorized user behind that request.
Say you work in finance and you connect to the network via VPN to access the finance data you need. When you travel to another country, you’ll use the same VPN to connect to the same records, but the authentication system will flag your location and automatically activate additional authentication, such as sending a token to your mobile device.
Better for users, better for IT
In the past, users often saw security as a complicated and time-consuming roadblock. Now, authentication becomes seamless as we continually verify user identities as part of the workflow. The benefit for the user is stronger security and less complexity.
From the perspective of IT and network teams, zero trust security improves the integration and maintenance of security across technologies. Also, better acceptance among users makes them more likely to support efforts to secure all company assets.
In the past, you would manage all your devices tightly, including each and every update of the software installed on those devices.
With zero trust security principles applied, you do not need to manage those devices as closely as before. By checking the compliance and update state of the device upon a connection, you can use the vendor patches for your software without cycling through internal testing first. Because your user is authenticating against every application, and the compliance of the device is checked during authentication, your data remains secure.
Being better prepared for a breach also includes being able to analyze all access to your resources so you can detect malicious activity and automate the appropriate responses.
Automation improves authentication
We have to rely on automation because we cannot do everything manually. Everything is tied to the identity of a device or a user, and if anything changes – such as a resignation, a leave period or a move to another department – their level of access must be automatically decreased or increased.
Similarly, if an employee wants to access resources from an unexpected location or a new device, artificial intelligence can detect those changes in the background and apply additional means of authentication.
Plan before you invest
Because some aspects of zero trust security have been around for years, many organizations are already invested in it to a degree. Some technical products have quietly evolved in this direction, and the organizations that use these products may not even be aware of it.
But you can’t just flip a switch to activate zero trust security. At NTT, we start with an assessment of your current strategy – always keeping in mind that zero trust security is not the answer to everything. It should be an important part of your cybersecurity strategy, but not the only one.
Not every organization has the same risk appetite, and different risk appetites lead to different ideal cybersecurity maturity levels. This is why we first assess your organization, starting from a business perspective, and help you to define your target level. Also, your roadmap should address both your employees – how they are working and the devices they use – and all your customer interfaces or anywhere you store customer data.
The biggest mistake you can make is buying technology to solve your zero trust problem without having a strategy in place. Don’t jump on a vendor solution without first knowing where you want to go as an organization.
An experienced partner can assist not just with the security measures themselves, but also with the integration of a zero trust security strategy across your network, your data centers, your cloud, and your customer and employee experiences.
Sebastian Ganschow is Director of Cybersecurity Solutions at NTT.
WHAT TO DO NEXT
Read more cybersecurity insights in our Global Threat Intelligence Report.