The Zero Trust security framework turns 10 years old this year. It started as a simple concept: treat every user and all packets the same, as untrusted and potentially malicious.
According to Forrester Research, which created the Zero Trust model, it has evolved from a focus on firewalls and data isolation to becoming a comprehensive, practical approach for security. While Zero Trust remains a strategic initiative, not a technology or tool, there are tools and technologies that enable it.
Today, continuous security management, has become a core concept of Zero Trust. Most entities on a network are not fully-managed, especially applications, and that’s created a potential security disaster.
Here’s why: Staying competitive and profitable today has become tougher than ever. It requires close coordination with multiple parties, from employees to channel partners, vendors and subcontractors, logistics and supply chain contacts. All these players represent security risks. So, at a time when these interdependencies are growing, the number of insider threats has increased dramatically.
The Ponemon Institute recently reported that the number of insider-caused security incidents increased by 47% since 2018. The average annual cost of insider threats has also skyrocketed in only two years, rising 31% to $11.45 million. Given these potential threats, managing this expansive network of employees, partners and vendors requires that organizations take a Zero Trust approach to access.
Why Organizations Need to Change Their Approach to Access
Traditional access solutions such as VPNs focus on the network and trusted devices that require cumbersome network changes. With all the challenges technology people face, no IT or security team needs the extra headaches. In addition to the added network complexity, traditional solutions take the opposite of a Zero Trust approach by using a single binary decision point at the beginning of a session. Once a user gains access, they are in. Not only that, the VPN brings the user onto the network and takes them all the way to the application itself. On a flat network, this results in too much access and too little control. It offers a dangerous level of access to inherently insecure and vulnerable applications representing a massive security risk to the organization. As the Ponemon data shows, there are any number of attackers taking advantage of this.
In today’s age of DevOps and CI/CD (continuous integration/continuous deployment) virtually all applications (including future, legacy, cloud and packaged apps) are exposed and vulnerable, built and deployed in a way that inherently leaves them open to attack. An application’s attack surface and vulnerabilities are fully exposed on any network. Even worse, these apps are exposed to an ever-evolving threat environment. All these factors, or a combination of them, can conspire to cause a breach.
Secure Application Access
How can IT and Security teams support a distributed, agile organization with hundreds, even thousands of users requiring secure application access anytime, anywhere?
Post COVID-19, it’s time to rethink our concepts around access. It’s time to focus on the role of the network when trying to access applications, and the added risk this represents. Traditional solutions such as VPNs have no considerations for the Zero Trust framework because they are overly permissive. They offer too much access, and too much implicit trust in users by exposing them to vulnerable applications, and to the network itself.
Secure application access solutions offer a different, more focused and secure approach. With application access solutions, the user never touches the application or the network. For the business, the security benefits are immediate, eliminating a potentially malicious user’s ability to exploit application vulnerabilities or explore the flat network environment. The IT team now can deliver true Zero Trust application access by continuously monitoring, controlling, recording, auditing, and managing application access and use in real-time.
Time to Get Proactive on Zero Trust
Remote work and the growing partner network that supports your business are not going away after the COVID-19 period. Now’s the time to take a Zero Trust approach to secure application access. In today’s work-from-anywhere environment, existing solutions have been exposed as inherently flawed, exposing the business to unnecessary risk by providing too much access and too little control. Malicious insiders are noticing and taking advantage at an alarming rate. An application-focused approach to access aligns with the Zero Trust security model and the modern business and risk landscape.
Dor Knafo, co-founder and CEO, Axis Security