Companies are increasingly moving away from conventional perimeter-based security throughout cloud transformation. Instead, many are considering a zero-trust approach to tackle the challenges of decentralised IT environments and mobile employees.
Zero-trust replaces the conventional network security model. Companies have recognised the importance of fast access to applications when it comes to employee satisfaction in IT, irrespective of whether these applications are hosted on the internet, in private clouds, or in a data centre. Employees are no longer granted an assumption of trust when it comes to accessing the internet or applications, as they have to earn this trust based on identity and context.
Making data streams traceable
The fundamental idea behind zero-trust is based on the traceability of employee data streams and all devices connecting to applications in the cloud and on the internet, irrespective of location. With a zero-trust approach, security is shifted to the cloud where it assumes a control function—with filters and rules—that is implemented between the user and their desired applications. The user’s identity and role in the company determine which online resources and which applications in the cloud or the data centre the user is allowed to access for day-to-day work.
When companies seek to implement zero-trust, they are usually put off by the complexity involved. Many do not consider the fact that one or more elements of this system could already exist in their IT ecosystem. But where should the transformation of IT security start? The following considerations can help with that.
1. Have a clear objective in mind
What do companies want to achieve when redesigning their security infrastructure? Is it about securing all Internet-based data streams and ensuring secure remote access to data and applications in the data centre or multi-cloud environments regardless of the employee’s location? The zero-trust approach can also be used to secure cloud workloads in complex multi-cloud environments and control the communication of workloads. A zero-trust architecture can help with all of these scenarios. Therefore, the first step that companies need to take is to define their objective so that they can align their transformation strategy accordingly. This will also enable them to measure their success following implementation.
2. Identity-based rules
Zero trust-based security requires an identity provider such as Azure AD or Okta. As most companies already manage their employees using a system like this, the foundations for defining the appropriate rules are already in place. Based on an employee’s function, the relevant roles are assigned to the employee in the identity system, and those roles carry the corresponding access rights to applications.
3. Extra protection: multi-layered security
In addition to secure internet and remote access, it is also worth considering security at the endpoint level. A defense-in-depth strategy increases security because the combination of systems from different providers makes it even harder for malware and ransomware to break through.
Zero-trust for internal application access
Once the objective and requirements have been defined, it is then clear whether the first order of the day is a VPN replacement or secure access to the internet. When it comes to providing remote employees with access to internal applications, companies are following the trend towards hybrid work environments. The zero-trust approach enables secure, high-performance access based on uniform rules, irrespective of where employees are when accessing their business applications. There is therefore no longer any need to maintain and manage multiple security systems, which makes the security team’s life much easier.
A zero-trust approach allows the IT department to maintain a central overview and keep an eye on all data streams. With zero-trust, access rules, once defined, are implemented for mobile employees in exactly the same way, whether they are accessing business applications from a private device or from the office.
In today’s remote working world, companies need to move away from thinking in terms of location, as the physical location where employees are productive no longer matters. What does matter is ensuring that every user, regardless of where they are based, is able to enjoy the same secure, high-performance access to their applications—whether they are hosted in multi-cloud environments or in a data centre.
Users no longer need to be on-network to be granted remote access to applications. A zero-trust architecture enables secure access to applications at the level of the relevant application and not at the network level, which also provides the micro-segmentation desired for security reasons. This improves the IT infrastructure because potential attack gateways exposed to the internet, such as VPN, can be significantly reduced. As access is provided based on the principle of least privilege, users are only granted the rights for the applications that they need for their work.
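To make the identity-based rules and the least-privilege, per-application access described above concrete, here is an added example that is not from the original article. It assumes a hypothetical identity provider that issues a user's roles and a hypothetical device-posture signal; the application catalogue and entitlements are constructed for illustration.

```python
"""Minimal zero-trust access decision at the application level (added example)."""
from dataclasses import dataclass

# Constructed catalogue: which roles may reach which application, and
# whether the application additionally demands a managed device and MFA.
APP_POLICY = {
    "hr-portal":  {"roles": {"hr"},                        "managed_device": True,  "mfa": True},
    "git-server": {"roles": {"engineering"},               "managed_device": True,  "mfa": True},
    "wiki":       {"roles": {"hr", "engineering", "sales"}, "managed_device": False, "mfa": False},
}


@dataclass(frozen=True)
class AccessContext:
    user: str
    roles: frozenset        # roles as issued by the identity provider (assumed)
    managed_device: bool    # device posture signal (assumed)
    mfa_satisfied: bool
    # Deliberately no 'location' or 'on_network' field: network position grants no trust.


def decide(ctx: AccessContext, app: str) -> tuple[bool, str]:
    """Return (allowed, reason). Default deny: unpublished apps and missing
    entitlements are refused, and the decision never depends on where the
    user connects from."""
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, f"{app}: not published, default deny"
    if not (ctx.roles & policy["roles"]):
        return False, f"{app}: role(s) {sorted(ctx.roles)} not entitled"
    if policy["managed_device"] and not ctx.managed_device:
        return False, f"{app}: requires a managed device"
    if policy["mfa"] and not ctx.mfa_satisfied:
        return False, f"{app}: requires MFA"
    return True, f"{app}: allowed for {ctx.user}"


def visible_apps(ctx: AccessContext) -> list[str]:
    """Least privilege: only applications the user is entitled to are surfaced;
    everything else stays invisible rather than merely network-unreachable."""
    return sorted(app for app in APP_POLICY if decide(ctx, app)[0])


if __name__ == "__main__":
    alice = AccessContext("alice", frozenset({"engineering"}), True, True)
    bob = AccessContext("bob", frozenset({"sales"}), False, False)
    for ctx in (alice, bob):
        print(ctx.user, visible_apps(ctx), decide(ctx, "hr-portal"))
```

The same rule set yields the same answer for a user in the office and one on a private device at home; only the identity and device context change the outcome.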
Zero-trust for online application access
Another way in which companies can harness the advantages of a zero-trust approach when transforming their security set-up is by granting their employees rule-based access to applications online. Within the Secure Access Service Edge (SASE) framework, a cloud-based platform secures all data streams and enforces the rules at the “edge,” close to the user.
Using a highly integrated platform like this allows the IT department to maintain an overview of all data traffic via a single administration interface. This gives them a central overview and enables them to define policies that apply equally to a wide range of security mechanisms. From the cloud sandbox to data loss prevention functions, rule-based rights are implemented and controlled by the cloud.
Additionally, CASB functionality is also provided to allow access only to applications that the company wants to make available to employees in their working environment. Moreover, unsanctioned applications online that are considered dangerous are blocked, preventing unauthorised access to sensitive data.
All traffic, including TLS-encrypted traffic, can also be scanned for malware. This provides an extra layer of security that is often not fully achievable with traditional on-premises solutions for performance reasons. It eliminates another security risk, as attackers have used encrypted traffic to transport malicious code for years, knowing that many companies do not scan encrypted data streams in their entirety.
It starts with a vision
Companies that want to transform their application landscape, modernise their network architecture and security can no longer avoid zero-trust and cloud-based security. When evaluating where to start with a zero-trust approach, it helps to have a vision of what the company wants to achieve through modernisation, as it is very likely that some of the requirements, such as the need for an identity provider, have already been met—which is an important starting point.
Complex and time-consuming hardware administration will be eliminated in the future, replaced by the establishment and management of a set of rules for access control. A zero-trust initiative usually starts with a transition from the current situation and delivers rapid results from there. The level of granularity and therefore the potential complexity of the policies is determined by each company itself.