By Byron V. Acohido
As we approach the close of the second decade of the 21st century, it’s stunning, though perhaps not terribly surprising, that abused logon credentials continue to fuel the never-ending escalation of cyber attacks.
Related: Third-party risks exacerbated by the ‘gig economy’
Dare we anticipate a slowing — and ultimately the reversal – of this trend? Yes, I believe that’s now in order.
I say this because tools that give companies the wherewithal to make granular decisions about any specific access request – and more importantly, to react in just the right measure — are starting to gain notable traction.
For the past four years or so, leading security vendors have been championing the so-called Zero Trust approach to network architectures. All of this evangelizing of a “never trust, always verify” posture has incrementally gained converts among early-adopter enterprises.
PortSys is a US-based supplier of advanced identity and access management (IAM) systems and has been a vocal proponent of Zero Trust. I recently had the chance to visit with PortSys CEO Michael Oldham, and came away with a better grasp of how Zero Trust is playing out in the marketplace.
He also reinforced a notion espoused by other security vendors I’ve interviewed that Zero Trust is well on its way to being a game changer. Key takeaways from our discussion:
Entrenched challenges
It takes a cascade of logons to interconnect the on-premises and cloud-based systems that enterprises rely on to deliver digital commerce as we’ve come to know and love it. And it remains true that each digital handshake is prone to being maliciously manipulated by a threat actor, be it a criminal in possession of stolen credentials or a disgruntled insider with authorized access.
To be sure, advances have come along in IAM technologies over the past two decades. Yet, high-profile breaches persist. Some 78% of networks were breached in 2018, based on CyberEdge’s poll of IT pros in 17 countries. What’s more, an IBM/Ponemon study pegs the global average cost of a data breach at $3.86 million, and predicts a 28 percent likelihood of a victimized organization sustaining a recurring breach in the next two years.
This has to do with entrenched investments in legacy security systems, such as traditional firewalls and malware detection systems that were originally designed to protect on-premise systems. As remote access, mobile devices and cloud computing gained steam over the past 10 to 15 years, not nearly enough attention was paid to assuring the authenticity of each and every network connection.
Oldham
“Today’s security infrastructure is built to defend 30-year-old technologies and are not really designed to withstand the kinds of threats we’re facing today,” Oldham told me. “And today, organizations are trying to do more with less. So as things have gotten more complicated, it has become very difficult to make the transition to more appropriate security technologies.”
Zero Trust basics
It could be argued that granting access automatically, largely by default, was necessary in order to pave the way for the rapid spread of Internet-centric, on-premises networks. But that approach also gave rise to a vast attack surface with endless, minimally-defended access points.
And today, with mobile devices, cloud services and the Internet of Things layered on, this vast, poorly-protected attack surface, as represented by each access point, has scaled up dramatically. The essence of Zero Trust is that every organization ought to turn back the clock and begin accounting for each and every access point. This would result in a big step forward in reducing those attack surfaces and foster the emergence of a secure digital infrastructure.
“The fundamental idea is that you don’t just automatically provide access to resources,” Oldham says. “Instead, you set policies and consistently enforce those policies; you make sure that each user meets the qualifications that you set to get access to information in your organization.”
PortSys and other IAM vendors have made this level of granular control achievable by leveraging the same leading-edge technologies driving the so-called digital transformation of their enterprise customers: rapid software development, cloud-hosted computing resources and advanced data analytics.
Granting access based on assessing numerous parameters — at scale and on the fly — is now possible. “We can give you the ability to run a single report and see who accessed what throughout your entire infrastructure,” Oldham says. “You can see what device they used, where they logged in from, and what resources they accessed.”
Seeping adoption
Corporate inertia being the indominable force that it is, no one expects implementation of Zero Trust architectures to sweep across the corporate landscape overnight.
Oldham shared an anecdote about how adoption typically seeps in, one use-case at a time. A Fortune 500 advertising company recently wanted to deploy Microsoft’s Office 365 productivity suite for its employees to use on all types of devices, while also implementing robust security policies. So it retained PortSys to help them do that.
“The idea is to establish the context of the access request,” Oldham says. “We take a reading of the specific environment of the request and help the company gauge whether a user should be granted access to the resource.”
The advertising firm has since moved other applications and resources into its Zero Trust portal seeking “to get the same kind of policy security and ease of use for their end users,” he says.
Never trust mantra
While PortSys specializes in implementing Zero Trust from the access control angle; other security vendors come at Zero Trust from an authentication, or a data protection, orientation. It can even be argued that the software-defined networking (SDN) movement, which seeks to optimize network agility and flexibility, promotes a Zero Trust mindset.
All of these initiatives share a common mantra: “never trust, always verify.” As high-profile breaches continue to grab headlines, and with privacy regulations intensifying in Europe and across the U.S., that simple message is beginning to resonate with company decision makers.
Zero Trust emerged as a top budget item among enterprises participating in the IDG 2018 Security Priorities Study: some 13% of respondents said they’ve already implemented a Zero Trust model, while 52% said they were piloting or researching one, and 30% said Zero Trust is a potential new investment.
“What we’re seeing is a wave of people who are seriously investigating this and beginning to put budget on the line for Zero Trust technologies,” Oldham says. “There is recognition that this is a way to get a better control over the complexity of their infrastructure. A lot of people are trying to understand exactly what this is . . . Security used to be a boat anchor that kept companies from doing things. But I think people are actually starting to discover that we’ve reached a point where security can actually be an enabler that opens up strategic moves.”
Fundamentally, Zero Trust makes a lot of sense. We’re still very early in the adoption curve. That said, I find it most encouraging that organizations have begun reviewing Zero Trust solutions and are trying to figure how it might fit with their operations.
I’ll keep tracking its arch. Talk more soon.
Acohido
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
