Why Zero Trust is Fundamental to Security in the Hybrid World
By Vish Iyer, VP Architectures – APJC, Cisco
If you want to gauge how popular a particular term, trend, or theme has become, ‘Googling’ it is often a good place to start. A Google search for ‘Hybrid Work’ yields a staggering one billion, two hundred and sixty million results. This is not surprising, because organizations across the globe, including in India, are trying to understand how they can make hybrid work, work.
Their curiosity stems from the fact that we have moved from a static world, where we had people and devices in a specific location accessing static applications, to an ever-moving, hybrid environment where people, devices, applications, and data can be in multiple, changing locations.
This has created unique challenges for IT teams. They now need to connect employees so they can collaborate with each other regardless of their location, enable them to access company resources including confidential information, and ensure that their experience remains a great one irrespective of where and how they choose to work. At the same time, they need to reconsider how they look at cybersecurity to ensure connectivity and security are equally prioritised.
Trust: The less, the better
In the past, organizations used an approach known as ‘trust but verify’, where users were authenticated once when joining a network and were then trusted by all applications by default. The very premise of this approach to cybersecurity was that the place, the network, and even the device were known to the organization.
In the hybrid world, that’s no longer true. According to recent independent research commissioned by Cisco, over nine in 10 (95%) Indian respondents said their employees are using unregistered devices to log into work platforms. In addition, 94% said their employees use at least two networks for logging into work, and 57% use more than five.
To add to the complexity, the reliance on applications and data – all of which are scattered on a mix of public cloud, on-premises, and private cloud platforms – has increased significantly. All of this increases the attack surface exponentially, makes the security landscape more complex and raises the probability of falling victim to a cyberattack. And organizations know that the threat is real. Ninety percent of security leaders that we spoke to in India believe cybersecurity incidents are likely to disrupt their businesses over the next 12 to 24 months.
The rapidly evolving environment is prompting organizations to move towards a ‘Zero Trust’ approach. Simply put, this approach assumes that all devices, users, and networks are potential threats until verified otherwise. It means that users and devices must continuously prove their identity and level of access before being granted that access.
One can argue that this is the first step to bolstering cyber defence in a hybrid world.
Zero Trust: Demystifying the complexity
On the face of it, having zero trust in anyone or anything might sound like a burden of sorts. Having to verify identity and access every time for every user sounds like a cumbersome process. The reality, though, is that a Zero Trust approach is one of the simplest and most effective approaches for the modern world. It is all about establishing, enforcing, and continually verifying trust, and responding to any changes in it.
An organization using Zero Trust establishes trust by gaining visibility and contextual awareness about the user, their device, and their network so that the system can determine if there’s a risk. If users are accessing business applications from their home network and then move to a new network at a café for example, or switch to using a tablet device while they’re commuting to work, the organization should be aware and decide if reauthentication is needed.
Next, Zero Trust enforces trust-based access using consistent, unified, policy-based verification and management. What this means is that the system uses policies to understand situations and determine if access can continue to be provided to applications.
A key mandate of Zero Trust is to continuously verify trust and adapt based on changing risks. Someone in the Engineering team trying to access the organization’s financial applications, even on a network and device that have previously been authenticated, is a cause for concern. Systems that use Zero Trust will flag this event and mandate the highest level of verification before providing access.
As described in the scenario above, responding to changes in trust is key to a Zero Trust model. Any risks or changes in trust identified automatically trigger a response from the system that aims to protect the organization’s data, applications, and devices.
The beauty of the Zero Trust approach lies in the fact that it gives organizations the ability to customize and adapt to their own circumstances, security profile, risk rating, and compliance needs. It is not a one-size-fits-all approach.
Making it work: The tightrope of collaboration and experience
One thing that companies do need to understand is that they need to look at Zero Trust across their entire IT architecture. The approach will not be successful if it is implemented in silos, for example with a Zero Trust approach to identity verification but not at the network or application access level.
Zero Trust requires synchronization between identity verification, devices, networks, application workloads, and data. Segments of these are handled by different leaders in the enterprise such as the CISO, the CIO, and Head of Infrastructure and Applications, among others.
A Zero Trust model that has support from the various domains is a great way to protect employees, no matter where they work, what device they choose, and which network they use. It also allows the organization to extend the same layer of security across its critical infrastructure environment and protect the thousands of ‘internet of things’ (IoT) devices that are powering today’s smart offices and factories.
Finally, companies must factor in the risk of user fatigue, not least because frequent authentication might frustrate users. The risk with such a scenario is that over time, users tend to approve every authentication on their mobile devices or computers without checking what is really generating the request.
Balancing security with user experience is not easy, but organizations need to determine their own baseline and deploy Zero Trust to ensure people enjoy their hybrid work experience without falling victim to cyber threats.
One way organizations can address this is by focussing on creating least privilege access maps that allow people to do everything they need to do – and nothing more. With such maps in hand, combined with continuous monitoring and analytics, organizations can create policies that secure their systems without unnecessarily damaging user experiences.
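The verification flow described earlier (re-verify when the device or network changes, flag and step up when a role reaches outside its own applications) combined with the least privilege access map above, as an added example that is not from the article or any Cisco product. The role names, application names, decision labels, and the rule that every context change forces re-verification are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed least-privilege access map: each role lists only the apps it needs.
ACCESS_MAP = {
    "engineering": {"source-control", "ci-pipeline"},
    "finance": {"ledger", "payroll"},
}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    device: str
    network: str
    app: str

class PolicyEngine:
    def __init__(self, access_map):
        self.access_map = access_map
        self.verified = {}  # user -> {(device, network)} contexts that passed verification
        self.flags = []     # events handed to monitoring and analytics

    def record_verification(self, req):
        """Call once the user has passed the verification the engine asked for."""
        self.verified.setdefault(req.user, set()).add((req.device, req.network))

    def decide(self, req):
        # Outside the role's map: flag it and demand the strongest verification,
        # even when the device and network were verified earlier.
        if req.app not in self.access_map.get(req.role, set()):
            self.flags.append((req.user, req.role, req.app))
            return "step_up"
        # Assumed rule: a device or network not yet verified forces re-verification.
        if (req.device, req.network) not in self.verified.get(req.user, set()):
            return "reauthenticate"
        # Known context and in-map app: no prompt, which limits approval fatigue.
        return "allow"

def walkthrough():
    """Replay the article's scenarios on constructed requests."""
    engine = PolicyEngine(ACCESS_MAP)
    home = Request("alice", "engineering", "laptop", "home", "source-control")
    cafe = Request("alice", "engineering", "laptop", "cafe", "source-control")
    tablet = Request("alice", "engineering", "tablet", "cafe", "ci-pipeline")
    finance = Request("alice", "engineering", "laptop", "home", "ledger")
    engine.record_verification(home)  # initial sign-in at home
    results = [engine.decide(home), engine.decide(cafe)]
    engine.record_verification(cafe)  # user re-verified at the cafe
    results += [engine.decide(cafe), engine.decide(tablet), engine.decide(finance)]
    return results, engine.flags
```

The walkthrough prompts only when the context changes or the request leaves the access map, which is the balance between verification and user fatigue the article describes.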
The move to hybrid work has fundamentally changed the way organizations approach cybersecurity. However, to be fair, no one imagined this shift would happen at the scale and speed with which it has. That means organizations are still learning and understanding what works best for them. One thing is for sure: Zero Trust will be an integral component of that strategy. The sooner companies understand this, the faster they will be ready to tackle the challenges that lie ahead.