Written by Tina Gravel on April 16, 2018
The Rise of the Zero Trust Network
A More Adaptive Security Model For the Hyper-converged World
Later today, I’m heading to Las Vegas for the 2018 Channel Partner Conference and Expo.
I’m looking forward to connecting with many of you at the show to talk about how Appgate, previously Cyxtera, is helping our partner community gain market share by leveraging Appgate's position ahead of the market for providing adaptive security anchored by a global datacenter footprint. When I say ‘ahead of the market,’ I’m not being hyperbolic. Here’s why.
The technology space is a highly dynamic one, with new capabilities emerging all the time. Many of these capabilities struggle to emerge above the white noise of every other offering that is clamoring for the market’s attention. In the rearview mirror, it’s easy to point to some of the most substantial capabilities that have emerged in the past several years that have been truly transformative. Cloud provided cost savings and infrastructure on-demand; analytics capabilities and “big data” substantially changed how enterprises market their offerings and improve operating margins while gaining unprecedented visibility into how products and services are consumed. For government agencies, robust analytics capabilities play an instrumental role in protecting classified infrastructure, workloads and ultimately sensitive data.
Which brings me to what I believe the next transformative frontier in technology will be. We are just now seeing an emergence of the concept, but the need that led to the concept has been inadequately addressed for years. The new philosophy taking hold on the security horizon is “Zero Trust Networks.”
My last post centered around how Software Defined Perimeter (SDP) solutions could mitigate the fallout of different attack signatures. SDP is a spoke on the broader Zero Trust wheel, albeit a significant spoke. Let’s explore.
CSO Online describes Zero Trust as “a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access.”
This is a new way of thinking about security in that nothing outside or inside an organization is trusted. Embracing “Zero Trust” environments shifts enterprises away from the old school of thinking that hardware-based solutions can scale and provide robust security in today’s dynamic hybrid environment. The reality is that the old school of security solutions simply cannot scale with today’s inter-connected IT ecosystem; there are too many points of entry and too many changing variables. In essence there is no ‘castle’ to put a moat in front of anymore; everything is distributed, from third-party clouds and access methods to ‘shadow IT,’ where a well-meaning employee may activate an XaaS capability and connect it to critical infrastructure. All of this hyper-distributed IT is of course a wonderful thing: it removes bottlenecks and allows us to test new applications and capabilities that streamline workloads and drive significant OPEX and CAPEX savings. But our ability to tap into these capabilities comes with a cost, and that cost, dear reader, is exposure to threats.
The Zero Trust concept presents us with a new strategy; it’s not a single product or solution. The first step to achieving a Zero Trust security protocol is to turn the mirror on your own organization. Where are your vulnerabilities? Keep in mind, I’m not suggesting that you just explore which ports are vulnerable but look more broadly. Where is the access coming from inside and outside of your organization? Zero Trust means exactly that – ZERO trust. Look at your own teams: has marketing deployed a capability (we see this a lot)? Do you have third parties accessing portals or tools in your site? What are their vulnerabilities, who do they connect to, and what are their vulnerabilities?
The list becomes endless quickly. With cyber-attacks becoming more accessible to anyone, you can bet that you don’t need to be a major brand or government agency to be on the radar of any number of bad actors. Remember, Zero Trust is not simply about a single security product or service. It spans across your network, your clouds, your user permissions, your colocated and hosted assets, and it operates under the guiding principle that nothing is trusted; everything down to the user is granted access through customized policies. Capabilities such as Software Defined Perimeter are incredibly powerful tools to help enable your Zero Trust strategy, but your adoption of Zero Trust must be pervasive, at the systems and infrastructure level as well as the policy level. Ultimately this concept is the first sign of how we are rethinking security. I believe it is a significant development in the departure from the old way of doing things and shows the promise of more adequately protecting critical assets for today’s hyper-connected enterprise.