26 April 2022
Healthy distrust: Why it's time for a paradigm shift in cybersecurity
26 April 2022 - Never trust, always verify - this is the motto of the "Zero Trust" security model. No actor seeking to access resources is trusted. Rather, every single access requires authentication. The idea behind this is simple: implicit trust is in itself a vulnerability that attackers can abuse for lateral movement and access to sensitive data. After all, the fortress - i.e., the corporate network - has long since ceased to be impregnable. Data and applications that once resided on a server in the company's own data center are now scattered across countless cloud platforms. Thanks to Microsoft 365 and Azure Active Directory, even core office and enterprise software functions are increasingly moving to the cloud. In these distributed, hybrid environments, walls and moats in the form of a firewall, for example, no longer provide sufficient protection on their own.
But the way we work has also fundamentally changed: employees log in from home via VPN access, even using their own devices. Documents are shared with outsiders via SharePoint, and accounts are enabled for service providers in teams. This seamless collaboration naturally enables the productivity that today's work models require. But when it comes to data and system security, the new world of work is fraught with danger. As networking increases, so does the number of potential entry points for attackers. What's more, cybercriminals are using increasingly sophisticated methods to circumvent conventional protective measures.
So, what makes Zero Trust different? Basically, every single data access is verified - dynamically, risk-based and context-sensitive. The focus is on the principle of least privilege access. This means that each user is granted only as much access as is needed to perform the task at hand. For reliable protection, information must be continuously collected on the following questions: What data is being accessed? Where is the user request coming from? Who is requesting the data? Why does the user need access? When do they need it?
On this basis, usage permissions can then be controlled by policy. For example, companies can specify that employees are only granted access to sensitive resources if the security technologies on the end device are up to date. Otherwise, the device is quarantined until the required updates are installed. Or they may only allow an employee to access data from the HR department when connected to a company laptop via the VPN. At the same time, using a policy engine as a control center that decides on individual requests, the context can be evaluated on a case-by-case basis and, if necessary, session-based data access can be granted dynamically when users, devices or operational instances need it. This is the case, for example, when an employee suddenly wants to log in from a location and at a time that are atypical for them.
Thus, a holistic zero-trust strategy that not only secures network access but also includes users, devices, applications and factors such as user behavior enables almost limitless flexibility in how and where employees operate. IT managers, in turn, arm themselves against cybercriminals with fortress walls that can withstand attackers. At the same time, they reduce the complexity of IT security when each device no longer has to be administered individually.
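
The policy examples above (patched endpoint for sensitive resources, company laptop plus VPN for HR data, re-evaluation on an atypical location and time) can be expressed as a small default-deny decision function. This is an added illustration, not NTT's or any product's code; the class names, sensitivity labels, the `step_up` outcome and the sample requests are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

LEVELS = {"public", "sensitive", "hr"}   # constructed sensitivity labels

@dataclass(frozen=True)
class Request:
    user: str              # who is asking
    resource: str          # what is being accessed
    level: str             # one of LEVELS
    managed_device: bool   # company laptop?
    patched: bool          # endpoint security technologies up to date?
    via_vpn: bool
    country: str           # where the request comes from
    when: datetime         # when access is requested

@dataclass(frozen=True)
class Baseline:
    countries: frozenset   # locations usually seen for this user
    hours: range           # usual login hours

def decide(req: Request, base: Baseline) -> tuple:
    """Evaluate one request; anything not explicitly permitted is denied."""
    if req.level not in LEVELS:
        return ("deny", "unknown resource classification")
    if req.level != "public" and not req.patched:
        return ("quarantine", "endpoint security out of date")
    if req.level == "hr" and not (req.managed_device and req.via_vpn):
        return ("deny", "HR data needs company laptop over VPN")
    odd_place = req.country not in base.countries
    odd_time = req.when.hour not in base.hours
    if odd_place and odd_time:
        # Assumption: the article does not say what the engine does here.
        return ("step_up", "atypical location and time")
    return ("allow_session", "policy satisfied")

# Constructed sample data
BASE = Baseline(frozenset({"DE"}), range(7, 20))
DAY, NIGHT = datetime(2022, 4, 26, 10, 0), datetime(2022, 4, 26, 3, 0)
SAMPLES = [
    Request("anna", "payroll.xlsx", "hr", True, True, True, "DE", DAY),
    Request("anna", "payroll.xlsx", "hr", False, True, True, "DE", DAY),
    Request("ben", "contracts", "sensitive", True, False, True, "DE", DAY),
    Request("ben", "contracts", "sensitive", True, True, False, "BR", NIGHT),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.user, r.resource, *decide(r, BASE))
```

The rule order matters: device posture is checked before resource-specific rules, so an unpatched device is quarantined even when every other condition is met.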
The fact is, new work models and hybrid infrastructures demand a paradigm shift. Without companies rethinking and saying goodbye to long-held thought patterns, IT security will no longer work in the future. Today, zero trust is no longer an optional extra - no, it is mandatory.
If you have any questions, please contact:
NTT Germany AG & Co. KG
Vice President Marketing and Communications Germany
Phone: +49 89 2312 178 32
Senior Account Manager
Phone: +49 89 59997 702