Why Zero Trust is the Future of Corporate Cybersecurity
Sian Roach, Cybersecurity Content Specialist
In a world driven by digital business, enterprise security needs to be continuously monitored and improved to keep up with evolving cyber-threats and to ensure data protection across the web. As the corporate, office-based workforce evolves to become more permanently remote, increased access control to business assets is needed for those both within and outside of the company network. Security strategies such as multi-factor authentication (MFA) and Zero Trust are frequently discussed in cybersecurity circles as methods of increasing access controls – with Zero Trust rapidly gaining popularity in recent years.
What is a Zero Trust strategy?
A Zero Trust strategy for corporate cybersecurity is a framework which requires all users to be authenticated, authorized and continuously validated before being granted access to certain systems or company data – this includes users both inside and outside the company’s network. A Zero Trust security model can also limit access to certain areas of the business, even to verified users. The idea behind implementing a ‘never trust, always verify’ security posture was first proposed by Forrester Research over 10 years ago, as the idea that all internal devices could be automatically trusted quickly became an outdated assumption. While the Zero Trust principles are not a new concept, many companies have only recently started changing their corporate cybersecurity strategy to accommodate the increase in cyber-threats, resulting in many looking to adopt a Zero Trust mindset.
Challenges businesses are currently facing that a Zero Trust culture might solve
The Covid-19 pandemic
The pandemic left many organizations changing their normal company routine overnight. Those who frequented the office daily were now working from home, and many began using alternative devices such as personal monitors, mobile phones, and other electronic devices to carry out their day-to-day work remotely. This turned existing security investments upside-down for many companies, resulting in a complete digital transformation. Cybersecurity departments had to quickly adapt their corporate cybersecurity policy to the additional challenges associated with home working, including employees accessing company data and files remotely from a multitude of personal Wi-Fi networks.
Almost overnight, traditional approaches to cybersecurity which automatically trusted users within the organization’s perimeter became ineffective. For this reason, a Zero Trust architecture which continuously monitors and verifies the user identity of those both inside and outside of the organization’s network began to look more attractive, and companies began to explore how to implement a Zero Trust approach within their network.
Pre-pandemic, the advancements in technology that allowed conference calls from all around the world and the ability to access company files and data from almost any network location meant remote working was rapidly becoming a popular choice for many office workers. Following the pandemic, many workers saw the benefits of continuing to work remotely. Less money and time spent commuting meant more quality time with family, and more money in your pocket for a rainy day – resulting in many more people looking for remote rather than office-based work. To accommodate, many companies stated their intention to adopt a remote-first workforce which allowed employees to continue working remotely, even as pandemic restrictions began to ease.
This reinforced the idea of adopting a Zero Trust model, as remote working became the new normal and many devices were gaining access to companies’ most critical assets from outside the internal network. Cybersecurity teams had to consider plans to extend their temporary security solutions put in place during the pandemic, to build a permanent and more robust Zero Trust identity and access management framework.
Increase in bring your own device (BYOD) work culture
Also heightened by the pandemic, many companies began to see the benefits of a “bring your own device” (BYOD) work culture. This offers some benefits:
People tend to feel more comfortable and familiar with their own devices
The ability to access company files remotely from any device
A reduction in costs for supplying and repairing a multitude of devices for each employee
Even if a BYOD culture is not adopted within your company, some employees still use their personal devices for work-related commitments and to access resources while working from home, whether that is simply checking an email, accessing company files from a public network such as a coffee shop or doctor’s waiting room, or joining a conference call using their personal mobile phone during the school run.
While such an environment can be beneficial, automatically granting access to the organization’s network for personal devices can be problematic. Devices owned by the company are usually secured, patched, and kept up to date with company-managed security tools and policies. The same cannot be said, however, for personal devices used for work-related purposes, so network access from these devices cannot always simply be trusted. As with remote working, a BYOD culture would benefit from Zero Trust network access because all devices, whether owned by the company or not, are granted conditional access only after verification.
Frequent and more severe sophisticated cyber-attacks
Cybercrime continues to grow at a rapid pace. The threat landscape is continuously changing, and we are seeing more frequent security incidents on a daily basis. While business logic attacks are increasing, such as user accounts being compromised, there has also been a spike in ransomware attacks – with more than 304 million ransomware attempts taking place in 2020. Cyber-attacks are being perpetrated by threat actors, who often use automated technology to launch a multitude of attacks sophisticated enough to bypass traditional perimeter-based security measures. Threat actors have been triumphant in infiltrating many big-name companies, hospitals, schools and universities – resulting in hundreds of data leaks, security breaches and ransomware attacks.
Adopting a Zero Trust strategy addresses some of the problems associated with this increase in highly sophisticated attacks that traditional security models are unable to prevent. Zero Trust can mitigate risk and provide increased protection to an organization’s network architecture.
Benefits to a Zero Trust security model
Some of the benefits of adopting a Zero Trust security posture have been outlined above, but there are many more reasons that nudge companies towards adopting a Zero Trust mindset. These include, but are not limited to:
Strong policies for user identification and access management
Reduces risk of unauthorized access to protect data from any potential breaches
Improved security strategy for remote working and BYOD culture
Increased threat detection on internal and external devices
Can result in better user experience for anyone accessing your network
Drawbacks to a Zero Trust security model
As with anything – adopting a Zero Trust strategy also has a few drawbacks, alongside its many benefits.
Those exploring how to create a comprehensive Zero Trust strategy will quickly find that it is not going to happen overnight. It takes a lot of time and effort to create a Zero Trust architecture. Many cybersecurity teams find that it is easier to build a Zero Trust structure from scratch, rather than trying to reorganize the company’s current security framework.
Once you have a Zero Trust architecture in place, there will be an increased level of commitment and upkeep for the cybersecurity team; not only does Zero Trust require increased access management for more devices, but there will also be increased management of verifying user identity. In addition to this, whilst a Zero Trust network significantly reduces the threat of outsider attacks, Zero Trust can never fully eliminate the threat of an insider attack – whether the user’s identity is verified or not.
Additionally, as BYOD work culture increases in popularity, it is not always easy to collect enough data on the health of a device attempting to access your network, without intruding on user privacy.
Is a Zero Trust model the future of corporate cybersecurity?
When weighing up all the advantages and the costs of Zero Trust strategies, it is clear that a Zero Trust framework uniquely addresses the challenges modern businesses are facing. The principle ‘never trust, always verify’ fits the requirements for a secure remote working and BYOD network and reduces the risk of cyber-attacks and associated security breaches in a way that traditional network security does not.
Companies across the world are starting to embark on their Zero Trust journey. North America is currently leading the Zero Trust initiative with 60% of organizations exploring how to implement a Zero Trust system, closely followed by Australia and New Zealand (50%). Europe and the Middle East are relatively far behind, with only 18% currently looking into how a Zero Trust system might work with the evolving threat landscape.
Nonetheless it is encouraging to see many businesses investigate adopting a new security model as it evolves to meet the current cybersecurity challenges. Adopting a Zero Trust security framework and replacing traditional perimeter-based security practices is the next step to ensuring a cyber-secure future for all corporate networks.