IT innovation has come with a high cost: it made our security perimeters extremely porous.
The increase in DevOps, the rising use of IoT devices, and calls for more remote working make it nearly impossible to ring hardened perimeter fences around data and applications.
Threat actors understand this well. They’ve resorted to using simple vectors like email and more sophisticated exploits like zero-day threats, like log4shell, to infiltrate the perimeters — successfully.
These are some reasons why 92% of companies are looking at the zero-trust security model, said a SailPoint whitepaper “Identity Security: An Essential Piece of Your Zero Trust Strategy.”
“The explosion of cloud computing, mobile, IoT, DevOps, bring-your-own-devices (BYOD), and work-from-home initiatives have led to decentralization of IT,” says Chern-Yu Boey, senior vice president for APAC at SailPoint.
“Increased adoption of mobile and cloud technologies means that more business operations are now conducted outside the corporate network, and an increasing number of users are accessing resources such as applications and business systems from a wide range of devices and locations outside of the corporate network. Given the anywhere operation and technology trend, the traditional security perimeter is no longer viable and slowly disappearing,” he further explains.
Shifting to zero trust
While moving to zero trust makes sense as a security concept, it is gets mired with misconceptions and vendor claims. It also breaks away from how the security industry has operated in the past.
The most significant mindset leap is that zero trust is not a product. “Zero trust is a security strategy and framework that aims to enable an organization’s digital business while ensuring data security integrity by providing exactly the right access to the right individuals through the right authority,” says Boey.
This is a challenge for many security teams looking for platforms and point solutions to drive many traditional security strategies.
Another challenge is that zero trust needs collaboration to make it work. This means that security teams can no longer work in isolation, issuing mandates, creating guidelines, and enforcing best practices. They need to work with users and DevOps teams actively.
“A comprehensive zero-trust approach should encompass users, applications, and infrastructure. The very first step of this approach is to understand and authenticate users, ensuring the least privileged approach. The next level is to look at applications where all components need to be continuously monitored and ensure trusted access between them. At the infrastructure level, routers, switches, cloud, network, and IoT devices should be addressed with no implicit trust and verify-always approach,” says Boey.
The good news is that zero trust does not mean you need to throw away your perimeter security investments. Instead, it uses them with a different approach.
“Perimeter security continues to play a key role in enterprise security and but they have to embrace zero trust methodology, evolving into micro perimeters and ensuring an increased level of continuous verification capable of detecting and stopping intrusion,” Boey explains.
Why start with identity?
Zero trust shifts the way we look at trust in security.
In traditional perimeter defenses, users sitting behind perimeters are trusted. Many threat actors focus on getting past the perimeters, after which they can create havoc. So, many security teams ensure their perimeters are lines of defense and measures.
But with zero trust, this castle-and-moat approach does not work. Its “never trust, always verify” and “assume the breach” approaches take the opposite step.
“What this means in practice is that no one should automatically be trusted to access resources, whether inside or outside of an organization. Essentially, every user is considered a suspect until proven safe. Given that identity is a common foundation to security access, it should be the first step to the zero trust journey,” says Boey.
It’s why SailPoint believes zero trust should begin with identity security, the premise of its whitepaper mentioned above. But for identity security to work in modern enterprises, it needs to scale and requires a high level of automation.
“Automation of access control reduces errors and accelerates access delivery to users,” says Boey.
He notes that automation drives operational efficiency and user productivity in many ways:
Accelerating day1 onboarding of users
Timely removal of access when users change roles or leave the organization, hence reducing security risks
Automatically detect security policy violations
Drive productivity and increase security posture by having the right access at the right time for the right reason
SailPoint also sees the need for AI to play a more prominent role in zero trust, especially in identity security.
“Today’s enterprise faces the challenge of accelerating digital transformation. IT teams are overseeing an ever-expanding number of users, apps, and data in a variety of operating environments. Securing this sprawling ecosystem is becoming incredibly complex, and doing it right has moved well beyond human capacity,” says Boey.
“By leveraging AI, organizations can spot high-risk users, trigger immediate remediation, streamline access provisioning with AI recommendations, and suggest identity roles. AI takes the complexity away and helps an organization to make smart decisions and increases its security posture,” he adds.
Adapt zero-trust frameworks
Companies may operate similarly but are essentially microcosms of different work cultures or processes. So, security teams need to adapt their zero-trust frameworks to the companies they work in.
“Zero trust is a security framework and methodology which can be tailored according to each organization’s ecosystem, priorities, and strategy. There are many aspects of zero trust — identity, applications, device, network, data, etc. Organizations need to define their goals, scope, current technologies, and existing policies,” says Boey.
However, he advises companies and security teams to focus on identity as a critical starting point for zero trust. “It is really what zero trust is about – enabling users to have the right access to the right resource at the right time.”
It’s where SailPoint is focusing and investing as well.
“We help organizations understand who has access to what, who should have access, and ensure least privilege access. Organizations can realize the immediate benefit of visibility to user access, cleaning up excess entitlement and continuous governance,” concludes Boey.
Properly done, zero trust with strong identity security can now see potential threats evolving. It allows security teams to take a more proactive step instead of trying to put off fires after an attack or breach.