
In the new normal of a world disrupted by the COVID-19 pandemic, many organizations are turning their attention to cybersecurity, as they seek to protect their data while still giving employees the right access to the tools they need. With many employees still working from home, organizations face new threats as hackers prey on uncertainty and target the weakest link in systems. Cyberattacks have increased during the pandemic, affecting organizations of all sizes. In a recent survey, 94 percent of polled organizations reported suffering some sort of attack over the past 12 months. (1)

As companies look to protect themselves from malware attacks, phishing, ransomware and others, IT leaders are exploring new ways to protect their networks. Historically, many IT teams have relied on perimeter-based security, which used firewalls to keep malevolent actors out but allowed access once employees or devices were within the firewall. In the current climate, however, perimeter security may not be safe enough. If hackers make it past the perimeter, they can inflict a great deal of damage, making perimeter security a possible single point of failure.

Enter zero-trust security. First created in 2010, (2) the strategy has entered the mainstream over the past year as a new way to approach cybersecurity. (3) Zero trust treats each and every device on a network as a potential point of compromise.

What does a zero-trust security strategy look like? What are its challenges and benefits? Let’s explore.

Zero Trust Is a Strategy, Not an Architecture

Zero-trust security is more of a broad strategy, rather than a defined architecture, which allows it to adapt and respond to changing times. The goal of zero trust is a mindset shift among IT to treat all devices as potential threats. While this level of suspicion may seem like overkill, it’s necessary in today’s climate. Between employees working remotely and companies extending bring-your-own-device policies, it’s harder for IT teams to lock devices down within a firewall as they may have done in the past.

Prior to zero-trust security, security was perimeter based, assuming that everything inside the perimeter (firewall) was safe and not trusting anything outside it. However, the shift to a mostly distributed workforce has disrupted that approach, as devices are no longer confined to the corporate network. With employees dispersed and using multiple devices, perimeter-less security like zero trust is a necessity in this new normal.

Protecting Your Employees Should Be Your Highest Priority

According to research, 50 percent of IT leaders say that better protecting remote workers from cybersecurity and privacy risks is one of their top priorities for the next 12 months as one avenue to improve their remote work programs.(4) For this reason and more, IT leaders are employing new technologies and strategies to help them prevent cyberattacks.

Steps To Implementing Zero Trust

A zero trust architecture consists of 5 pillars: application trust, data trust, device trust, session/transport trust and user trust. Only when trust is satisfied in all five areas is a user granted access.

But what does it mean when a device is trustworthy? Here are some steps to keep in mind when implementing a zero-trust security strategy: (5)

  1. Define the surfaces you want to protect: Protect surfaces include sensitive information, and the data and assets most critical for your company.
  2. Map how traffic flows move across your network: Knowing how different resources interact with each other gives better insight into where to place security controls.
  3. Build the zero-trust network as a custom solution: Zero trust needs to be unique to your business. Identifying how employees interact with their applications and data allows you to build a strategy to specifically address those use cases.
  4. Create specific security policies: Zero trust demands granular policy enforcement. You need to know who accesses what data on which device. Once you’ve mapped that, you can build the strategy around it.
  5. Monitor and maintain all networks: Zero trust is an iterative process. Because it’s customized to your business, it requires maintenance and revision as access patterns change.

At a high level, IT teams managing the network need visibility and analytics into network access. This allows IT to establish network patterns and identify potential attacks earlier.
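The five-pillar rule and the "who accesses what data on which device" policy described above can be sketched as a default-deny decision function. This is an added example, not VMware's code; the `Request` fields, the `POLICY` entries and the device and user names are all constructed for illustration.

```python
from dataclasses import dataclass

# Pillar names follow the article; every field and policy entry is constructed.
PILLARS = ("application", "data", "device", "session", "user")

@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool        # user trust signal
    device_id: str
    device_compliant: bool  # device trust signal (managed, patched, encrypted)
    application: str
    resource: str           # the protect surface being requested
    tls: bool               # session/transport trust signal

# Granular policy: who may reach which protect surface, through which
# application, from which device. Anything not listed is denied.
POLICY = {
    ("alice", "payroll-db"): {"apps": {"hr-portal"}, "devices": {"laptop-017"}},
    ("bob", "source-repo"): {"apps": {"git-client"}, "devices": {"laptop-042"}},
}

def evaluate(req, policy=POLICY):
    """Return (allowed, failed_pillars); access requires all five pillars."""
    rule = policy.get((req.user, req.resource))
    checks = {
        "application": rule is not None and req.application in rule["apps"],
        "data": rule is not None,
        "device": (req.device_compliant and rule is not None
                   and req.device_id in rule["devices"]),
        "session": req.tls,
        "user": req.mfa_passed,
    }
    failed = [p for p in PILLARS if not checks[p]]
    return (not failed, failed)

def audit_record(req, policy=POLICY):
    """One log line per decision, so denials can be analysed over time."""
    allowed, failed = evaluate(req, policy)
    verdict = "ALLOW" if allowed else "DENY failed=" + ",".join(failed)
    return f"user={req.user} device={req.device_id} resource={req.resource} {verdict}"

if __name__ == "__main__":
    ok = Request("alice", True, "laptop-017", True, "hr-portal", "payroll-db", True)
    byod = Request("alice", True, "phone-ua1", False, "hr-portal", "payroll-db", True)
    for r in (ok, byod):
        print(audit_record(r))
```

Recording which pillar failed on each denial is what gives the visibility needed to revise policy as access patterns change.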

Conclusion

As cyberattacks increase in frequency and severity, new strategies are necessary to secure organizational networks and data. Strategies such as zero-trust go a step beyond traditional cybersecurity frameworks by being extra cautious as to who and what is granted access to the network. Data is paramount in this day and age; the companies that protect their customer and employee data will be the ones who stay one step ahead of the competition.

Learn more about how VMWare can help you craft a zero-trust security strategy at vmware.com.

Sources
