Zero Trust Security in 2023: from hype to reality

The Zero Trust approach is more relevant in today’s world of digital transformation. What should organisations verify now?

08 August 2023, Dheeraj Rawal

What is Zero Trust Security?

Zero Trust Security is an approach that requires all users (and, in effect, all devices), regardless of whether they are on the organisation's network or not, to prove their identity before they get access to business applications, data, and resources. In short, access is granted to users only if it is meant for them. The name Zero Trust means that no user is trusted unless their identity is proven.

Why is perimeter-based security insufficient?

In the traditional perimeter-based security approach, the devices on the organisation network are trusted by default. This assumption that all devices on the organisation network would mean no harm is flawed. 

The number of cyber threats, the sophistication of cyber attacks and the attack frequency have grown in recent years. If any endpoint at all within the network is infected, the damage spreads like wildfire. The attacker moves laterally from one segment to another with ease. As perimeter-based security is designed to defend against attacks coming from outside, it is a challenge to control anything that happens within the perimeter.

Any vulnerability that arises internally can prove lethal. The world has witnessed such attacks where internal vulnerabilities have caused excessive damage to companies.

Furthermore, organisations cannot just rely on this approach, because there are users and devices outside the organisation’s network. With trends like remote working, work-from-anywhere, cloud computing, and more on the rise, it’s difficult for organisations to define a perimeter and implement the same robust security measures that they would implement in a conventional office setup.

Hence they’re compelled to rely on Virtual Private Network (VPN) solutions. VPNs have been on the market for a long time, but they don’t offer robust security. Why’s that?


Are VPNs still relevant? 

It was common for organisations to rely on VPN to access corporate networks, but today businesses are undertaking more digital transformation initiatives than ever and putting corporate resources like data and applications on the cloud. 

Typically, when any user accesses a corporate network through VPN, he gains access to all resources on the network. The risk of a ransomware attack, malware infection and data breach is higher, as the user may surf the internet, bypassing the corporate firewall. Another scenario might be that if the VPN client is available on the user’s personal device (which may be compromised), then this would expose company resources to even more threats.

A common challenge with VPN is that it offers no visibility of user traffic. This is risky: imagine an employee accessing a business application on their laptop from a random coffee shop. The laptop is likely to be connected to an unsecured network, which then becomes an easy target for hackers to attack with malware or to use for a social engineering attack.

VPNs made sense back when the digital landscape wasn’t as complex as it is today, and the threats were relatively fewer and well known. The kind of complexities found in this new age cannot be ideally handled by a VPN solution.

We must also remember that VPN backhauls the traffic to corporate headquarters or a central location, since the security policies are applied at the central location. So, backhauling means the traffic is sent to the central location for data inspection and more processes. There is a drawback in this approach, however, since it introduces additional latency and consumes more bandwidth. Simply put, using a VPN means the user experience is slower.


Can Zero Trust address these VPN shortcomings?

With the growth of multi-cloud architectures and a mobile workforce, the network perimeter seems to fade away by the day.    

With such an evolving landscape, organisations need a security solution that enables:

  • continuous verification and authorisation of the user
  • segmentation of the network to contain the breach and limit the attacker’s movement
  • least-privilege access, which means access to required applications as intended, and nothing more

All these functions are combined in the modern-day Zero Trust solution – but let’s check how it is fundamentally different from perimeter-based security.

We discussed previously that the identity must be verified before access is granted, but is it just the identification of the device/user? No, context is also an important parameter. Here’s what context means: date, time, geolocation, and the device’s security posture. All these parameters are also verified.

So access to business applications and data is granted on the basis of context. But remember, access is not granted forever; it is not a one-time decision. Verification is a continuous process: if the user fails the security or context check in the next session, access is likely to be revoked.
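A minimal sketch of the per-session decision described above, as an added example (not code from the article or from any Zero Trust product). The entitlement table, allowed countries, permitted hours and all field names are constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, time

# Constructed policy data (assumptions for illustration only).
ENTITLEMENTS = {"alice": {"crm"}, "bob": {"crm", "payroll"}}  # least privilege
ALLOWED_COUNTRIES = {"DE", "SG"}
PERMITTED_HOURS = (time(7, 0), time(20, 0))

@dataclass(frozen=True)
class Session:
    user: str
    identity_verified: bool   # result of authenticating this session
    app: str
    when: datetime            # date and time of the request
    country: str              # geolocation of the connection
    device_compliant: bool    # device security posture check

def decide(s: Session) -> tuple:
    """Evaluate one session on its own; no trust carries over from the
    network location or from an earlier session."""
    if not s.identity_verified:
        return False, "identity not proven"
    if s.app not in ENTITLEMENTS.get(s.user, set()):
        return False, "app not entitled"
    if not PERMITTED_HOURS[0] <= s.when.time() <= PERMITTED_HOURS[1]:
        return False, "outside permitted hours"
    if s.country not in ALLOWED_COUNTRIES:
        return False, "unexpected geolocation"
    if not s.device_compliant:
        return False, "device posture failed"
    return True, "granted"

def evaluate(sessions):
    """Re-run the full check for every session and return each outcome."""
    return [decide(s) for s in sessions]

# Constructed sessions: the same user over one day.
_first = Session("alice", True, "crm", datetime(2023, 8, 8, 10, 0), "DE", True)
SESSIONS = [
    _first,                                              # all checks pass
    replace(_first, when=datetime(2023, 8, 8, 14, 0),
            device_compliant=False),                     # posture changed
    replace(_first, app="payroll"),                      # not her application
    replace(_first, when=datetime(2023, 8, 8, 23, 30)),  # late at night
]

if __name__ == "__main__":
    for s, (ok, reason) in zip(SESSIONS, evaluate(SESSIONS)):
        print(s.user, s.app, s.when.isoformat(), "ALLOW" if ok else "DENY", reason)
```

The second session shows the revocation case: the same user and application that were allowed in the morning are denied once the device posture check fails.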

What are the benefits of Zero Trust Security?

It reduces risks

Trusting all the devices on an organisation’s network is a huge risk, and this is eliminated by the Zero Trust approach. Regardless of which network the user is on or where they are, their identity is verified for each session. With such stringent and continuous verification, Zero Trust reduces the risks and vulnerabilities that can otherwise be overlooked.

It increases visibility 

Organisations can have better visibility on the devices that are connected to the network and continuously monitor activity.

Security beyond the network

Zero Trust is designed to deliver security beyond the network layer and offer security even at the application level.

A faster user experience

With Zero Trust access, the user is connected immediately to a secure connection without the traffic having to be backhauled to the centralised corporate backbone. This reduces latency, leading to a faster and better user experience.

It reduces the attack surface

Zero Trust hides business applications and critical resources from the internet. This means if you’ve access to one of the applications, it doesn’t imply that you’ll get access to all other applications. Unauthorised users will not be able to find the other apps, as they’re ‘invisible.’

The future of work

The trend of work-from-home or work-from-anywhere has accelerated since the COVID-19 pandemic. The remote working trend is not going away anytime soon.

Some interesting stats on remote working (as of 2023):

  • 98% of the employees want some part of their work to be remotely based
  • 16% of the companies are operating fully remote without a physical office
  • 12.7% of the full-time employees are working from home, while 28.2% are working in a hybrid model.

Source: Remote work statistics and trends in 2023, 2023, www.forbes.com

Remote work trends have increased the number of endpoints, as employees use many devices to access data and business tools. Therefore, protecting these endpoints and understanding the traffic is important for any organisation.

Gartner predicts that by 2026, 10% of large enterprises will have the Zero Trust model. They’ll have a mature and measurable Zero Trust model by then. Today, less than 1% of the businesses have a mature Zero Trust model.

Source: Gartner predicts 10% of large enterprises will have a mature and measurable Zero-Trust program in place by 2026, 2023, www.gartner.com

But that’s about enterprises – in general, about 60% of businesses will embrace Zero Trust security by 2025. Gartner in its December 2022 report confirmed that Zero Trust has moved past marketing hype and is now a reality that businesses must evaluate as a part of their security strategy. Zero Trust is the fastest-growing network security area.

We’re getting you the next part of the blog on Zero Trust implementation by September.

You can read our latest report with Gartner® insights “Zero Trust Security – From Hype to Reality” here.

T-Systems is one of the leading security providers in Europe. We’re also recognized by ISG in 2022 for Strategic Security Services, Managed Security Services, and Technical Security Services – for Germany.

About the author
Dheeraj Rawal

Content Marketer, T-Systems International GmbH
