Zero Trust Security is an approach that requires every user and device, whether inside the organization's network or not, to prove its identity before it is granted access to business applications, data, and resources. In short, access is granted only to those it is meant for. Hence the name Zero Trust: no user is trusted until its identity is proven.
In the traditional perimeter-based security approach, devices on the organization's network are trusted by default. The assumption that every device on the organization's network means no harm is flawed.
The number of cyber threats, the sophistication of cyber attacks, and the frequency of attacks have all grown in recent years. If any endpoint within the network is infected, the damage spreads like wildfire: the attacker moves laterally from one segment to another with ease. Because perimeter-based security is designed to defend against attacks coming from outside, anything that happens inside the perimeter is hard to control.
Any vulnerability that arises internally can prove lethal. The world has witnessed attacks in which internal vulnerabilities caused severe damage to companies.
Furthermore, organizations cannot rely on this approach alone, because there are users and devices outside the organization's network. With trends like remote working, work-from-anywhere, and cloud computing on the rise, it is difficult for organizations to define a perimeter and implement the same robust security measures they would in a conventional office setup.
Hence, they are compelled to rely on Virtual Private Network (VPN) solutions. VPNs have been on the market for a long time, but they do not offer robust security. Why is that?
Organizations have long relied on VPNs to reach corporate networks, but today businesses are undertaking more digital transformation initiatives than ever and moving corporate resources like data and applications to the cloud.
Typically, when a user connects to a corporate network through a VPN, they have access to every resource on that network. The risk of ransomware, malware infection, and data breach is higher because the user may browse the internet while bypassing the corporate firewall. In another scenario, the VPN client is installed on the user's personal device, which may be compromised, exposing company resources to even more threats.
A common challenge with VPNs is that they offer no visibility into user traffic. Consider an employee accessing a business application from a random coffee shop on their laptop. That laptop is likely connected to an unsecured network, which makes it an easy target for attackers to infect with malware or to hit with a social engineering attack.
VPNs made sense when the digital landscape was not as complex as it is today and threats were fewer and better known. Today's complexities cannot be handled well by a VPN solution.
We must also remember that a VPN backhauls traffic to corporate headquarters or another central location, since that is where the security policies are applied. Backhauling means the traffic is sent to the central location for inspection and further processing. This is a drawback of the approach, since it introduces additional latency and consumes more bandwidth. Simply put, using a VPN means a slower user experience.
With the growth of multi-cloud architectures and a mobile workforce, the network perimeter fades by the day.
With such an evolving landscape, organizations need a security solution that enables:
All these functions are coupled in a modern Zero Trust solution, but let's check how it is fundamentally different from perimeter-based security.
We discussed earlier that identity must be verified before access is granted, but is it only the identity of the device or user that is checked? No, context is also an important parameter. Here context means the date, time, geolocation, and the device's security posture. All these parameters are verified as well.
Therefore, access to business applications and data is granted based on context. But remember, access is not granted forever; it is not a one-time decision. Verification is a continuous process, meaning that if the user fails the security check or the context changes in the next session, access is likely to be revoked.
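To make the difference concrete, here is a small policy-evaluation example written for this article; it is not code from any Zero Trust product. It models a perimeter decision ("is the device on the corporate network?") next to a Zero Trust decision that checks identity plus the context named above (time window, geolocation, device posture) on every request, so that a session is revoked as soon as a later check fails. The resource name, user names, countries and the access window are constructed sample values.

```python
from dataclasses import dataclass, replace
from datetime import datetime, time
from typing import List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt together with the context it arrives in."""
    user: str
    authenticated: bool      # identity proven for this request (e.g. MFA completed)
    device_id: str
    device_managed: bool     # enrolled in device management
    disk_encrypted: bool
    os_patched: bool
    country: str             # geolocation of the request
    when: datetime
    resource: str
    on_corp_network: bool    # the only thing a perimeter model looks at


@dataclass(frozen=True)
class Policy:
    """Who may reach a resource, from where, and when (constructed sample)."""
    resource: str
    allowed_users: frozenset
    allowed_countries: frozenset
    window_start: time
    window_end: time


def perimeter_decision(req: AccessRequest) -> bool:
    """Traditional model: anything inside the perimeter is trusted by default."""
    return req.on_corp_network


def evaluate(req: AccessRequest, policy: Policy) -> Tuple[bool, List[str]]:
    """Zero Trust model: identity AND context must pass; every failed check is
    reported so a denial can be explained and logged."""
    failures: List[str] = []
    if not req.authenticated:
        failures.append("identity not verified")
    if req.user not in policy.allowed_users:
        failures.append(f"user {req.user} not entitled to {policy.resource}")
    if req.country not in policy.allowed_countries:
        failures.append(f"geolocation {req.country} not permitted")
    if not (policy.window_start <= req.when.time() <= policy.window_end):
        failures.append("outside permitted access window")
    if not (req.device_managed and req.disk_encrypted and req.os_patched):
        failures.append("device posture check failed")
    return (not failures, failures)


class Session:
    """Access is decided per request, never once and for all: each new access
    re-runs the policy and the session is revoked on the first failure."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.active = False

    def access(self, req: AccessRequest) -> Tuple[bool, List[str]]:
        allowed, reasons = evaluate(req, self.policy)
        self.active = allowed
        return allowed, reasons


# Constructed sample policy and a baseline request that satisfies it.
PAYROLL_POLICY = Policy(
    resource="payroll-app",
    allowed_users=frozenset({"alice"}),
    allowed_countries=frozenset({"US", "CA"}),
    window_start=time(8, 0),
    window_end=time(20, 0),
)
BASELINE = AccessRequest(
    user="alice", authenticated=True, device_id="laptop-1",
    device_managed=True, disk_encrypted=True, os_patched=True,
    country="US", when=datetime(2024, 1, 15, 10, 0),
    resource="payroll-app", on_corp_network=False,
)


def request_with(**overrides) -> AccessRequest:
    """Copy of the baseline request with some context fields changed."""
    return replace(BASELINE, **overrides)


def run_scenario() -> List[bool]:
    """Three accesses in one session: compliant, then unpatched device,
    then an unauthenticated user who merely sits on the corporate network."""
    session = Session(PAYROLL_POLICY)
    outcomes = []
    for req in (BASELINE,
                request_with(os_patched=False),
                request_with(user="mallory", authenticated=False,
                             on_corp_network=True)):
        allowed, reasons = session.access(req)
        outcomes.append(allowed)
        print(f"{req.user:8} perimeter={perimeter_decision(req)!s:5} "
              f"zero-trust={allowed!s:5} {'; '.join(reasons)}")
    return outcomes


if __name__ == "__main__":
    run_scenario()
```

The third request is the one the article warns about: the perimeter model admits it purely because the device is on the corporate network, while the policy engine denies it for lack of a verified identity. The second request shows continuous verification, where the same user on the same device loses access the moment the device posture degrades.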