In a world where trust is everything, it’s counterintuitive to think of ‘zero trust’ as a good thing – especially regarding your employees and long-time vendors.
But all it takes is one person.
And more often than not, executives are the primary target.
A ping in the inbox reveals an innocent email that requests your immediate response.
Perhaps you even recognize the name of the sender?
During a hectic day of meetings, it’s a mistake that anyone could make.
Gartner calculates that the number of insider incidents in corporations today has increased by 44.3% between 2020 and 2021.
The risks stem from either intentional bad actors in the organization or through simple negligence. New research from the Ponemon Institute calls this “the rise of the super malicious insider,” which can cost companies up to $15.38 million annually in damages.
“In a zero-trust environment, the assumption is that everything and anything can be compromised. Nothing is trusted, ever, at any time. From there, the rest of the principles of zero trust follow. We authenticate all users and sources, deny all activity by default, and only allow activity – of any kind – by explicit policy. We do not assume that identity or permissions are static, even minute-to-minute. After all, attacks constantly adapt, so our defense must match that,” says Joel Bilheimer, Chief Information Security Officer, Pexip Americas.
Imagine, if you will, the typical corporate office. Your key card is what enables you to enter the building. Suppose we were to apply a zero-trust approach to this scenario. In that case, that key card is required not only to enter the building but to enter every zone and workspace, thus ensuring that you are who you are and roaming only where allowed. Now, let’s extend our thinking to our IT systems. Zero-trust architecture does the same thing by restricting everyone’s access to ensure you are who you are and you roam only where allowed.
Zero-trust architecture creates rules to help prevent breaches from within. Most companies today spend most of their time (and budgets) on protecting themselves from cyber threats coming from the outside. We invest in robust firewalls to secure our perimeter and neglect the idea that fractures to that perimeter can come from within the organization.
Zero trust is the antidote to that thinking—a way of implementing a series of rules for each network device to obey. This is often implemented through application programming interfaces (APIs), which enable the organization to draw up its own set of rules. These rules must consider not only the employees but all the vendors who have access to a company’s data.
“In a typical zero-trust environment, users must sign into the company’s identity provider through a multi-factor authentication method. Once authenticated, the organizational policy explicitly authorizes users’ access only to the data crucial for their work. User sessions are monitored for suspicious or malicious activity – keeping in mind that the users themselves may be the source of such activity. And when detected, the threat response deploys in real-time,” explains Bilheimer.
In a Gartner report on “How to Build a Zero-Trust Architecture,” the research giant is quick to point out that simply applying zero trust does not make “risk magically disappear.” Instead, it’s a way of replacing the “blind trust” of everyone with “calculated adaptive trust” instead. With each access granted, a risk associated with that access is calculated. In zero-trust architecture, access is granted if the risk is estimated to be less than the value of granting access.
“One of the most important steps to ensure success when implementing a zero-trust architecture is to define your strategy, process, and tools before implementation begins. Companies should also turn to their vendors, evaluating them regarding their zero trust capabilities,” adds Bilheimer.
Gartner predicts that more than 60% of organizations will embrace zero-trust as a “starting place for security by 2025.” Bilheimer agrees, asserting that a security strategy based on protecting the organizational perimeter is an outdated way of protecting the company’s critical data. Cyber-attacks are becoming increasingly sophisticated, making it essential to shift the thinking to the data itself by focusing on creating boundaries for where that data travels and who has access to it at any given time.
“Zero trust is not a buzzword anymore, and it’s not just a strategy for obscure government environments,” says Bilheimer. “The fact is that commercial organizations are leading the charge on zero-trust research and implementation. And if you aren’t planning a zero-trust strategy across your entire supply chain today, you’re likely already at a disadvantage.”