In the "Zero Trust" security model, no one is trusted and authentication is required for all access. In today's new world of work, which is fraught with dangers to data and system security, this model is becoming increasingly important.
The rationale behind this is simple: implicit trust is itself a vulnerability. Because the corporate network is no longer impregnable, implicit trust can allow access to sensitive data.
Data and applications that were once on a server in your own data center are now scattered across countless cloud platforms. Thanks to Microsoft 365 and Azure Active Directory, even the core functions of office and enterprise software are increasingly migrating to the cloud. In these distributed, hybrid environments, a security system alone no longer offers sufficient protection. But the way we work has also fundamentally changed. Employees can log in from home via VPN access and even use their own devices, documents are shared with outsiders via SharePoint, and accounts for service providers are activated in Teams.
Of course, this seamless collaboration enables the productivity that today's working models require. But when it comes to the security of data and systems, the new working world is full of dangers. As networking increases, so does the number of entry points for attackers. In addition, cybercriminals are using increasingly sophisticated methods to get around conventional protection measures.
So, what makes Zero Trust different?
Basically, every single data access is verified: dynamic, risk-based and context-sensitive. The focus is on the principle of least privilege access, which means each user is granted only as much access as is required for the task at hand.
Reliable protection requires the continuous collection of information on key questions, such as what data is being accessed, where the user request is coming from, who is requesting the data, why the user needs access and when. In this way, usage authorizations can be controlled based on policies.
For example, companies can specify that employees can only access sensitive resources if the security technologies on the end device are up to date. Otherwise, the device will be quarantined until the required updates are installed. Or they only allow an employee to access data from the HR department if the person is connected via the VPN on a company laptop.
Likewise, with a policy engine as the control center that decides on individual requests, the context can be evaluated on a case-by-case basis and, if necessary, dynamic session-based data access can be granted for users, devices or operational instances.
This is the case, for example, if an employee suddenly wants to log in at an atypical time or from an atypical location. A holistic “Zero Trust” strategy that not only secures network access, but also encompasses users, devices, applications and factors such as user behavior, allows for almost limitless flexibility in how employees work.
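The policy-engine decisions described above (least privilege, device posture, the HR rule, atypical time or location), as an added Python example that is not part of the original article. The field names, the `hr/` resource prefix, the working-hours window and the `step_up` outcome (re-authentication on atypical context) are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Added example: all field names, labels and thresholds are assumptions.

@dataclass(frozen=True)
class Request:
    user: str
    resource: str          # what is being accessed, e.g. "hr/payroll"
    sensitive: bool
    device_managed: bool   # company laptop?
    device_patched: bool   # endpoint security technologies up to date?
    via_vpn: bool
    country: str           # where the request comes from
    local_time: time       # when

@dataclass(frozen=True)
class Profile:
    entitlements: frozenset      # resource prefixes the user's tasks require
    usual_countries: frozenset
    work_start: time = time(7, 0)
    work_end: time = time(19, 0)

def decide(req, profiles):
    """Evaluate one request; returns (decision, reason). Default is deny."""
    profile = profiles.get(req.user)
    if profile is None:
        return ("deny", "unknown user")
    # Least privilege: only resources needed for the task at hand.
    if not any(req.resource.startswith(p) for p in profile.entitlements):
        return ("deny", "resource not required for this user's tasks")
    # Device posture: out-of-date endpoints are quarantined until updated.
    if req.sensitive and not req.device_patched:
        return ("quarantine", "security software out of date")
    # HR data only from a company laptop connected via the VPN.
    if req.resource.startswith("hr/") and not (req.device_managed and req.via_vpn):
        return ("deny", "HR data requires company laptop and VPN")
    # Atypical time or location: assumed response is re-authentication.
    in_hours = profile.work_start <= req.local_time <= profile.work_end
    if req.country not in profile.usual_countries or not in_hours:
        return ("step_up", "atypical time or location")
    return ("allow", "session-scoped access granted")
```

The rule order matters: entitlement and device checks run before the context check, so an atypical login from an unpatched device is quarantined rather than merely challenged.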
IT managers, for their part, arm themselves against cybercriminals by keeping the security system strong. At the same time, they reduce the complexity of IT security, because each device no longer has to be administered individually.
The fact is that new working models and hybrid infrastructures require a rethink. If companies do not rethink their approach and let go of ingrained thought patterns, IT security will no longer work in the future. The “Zero Trust” security model should therefore no longer be optional, but mandatory.
By Daniela La Marca