The world of cybersecurity is constantly changing—technology is continuously evolving and the threat landscape is constantly shifting and expanding. Organizations need to adapt as well to ensure their security tools and policies can effectively protect against emerging threats. Forcepoint hosted a virtual conference today—Cyber Voices Zero Trust Summit—to discuss the evolving role of zero trust network access and the dramatic rise of relevance and importance for zero trust as the world adapts to a new era of remote connectivity in the wake of the COVID-19 pandemic.
Zero Trust Network Access
Matt Moynahan, chief executive officer of Forcepoint, kicked off the event with a sort of virtual “fireside” chat with Chase Cunningham, VP and principal analyst with Forrester. The two discussed the origins and evolution of the concept of zero trust, and why it is uniquely suited to address the security concerns of this “new normal” of ubiquitous remote connectivity.
Matt noted that the idea of zero trust was made mainstream by Forrester in 2010, but Chase pointed out that the seeds of zero trust actually go back almost 20 years to 2003 or 2004. The original concept started out with a focus on data isolation and “death by firewall,” but it evolved over time to emphasize more protecting data wherever it is and focus on identity and access.
Chase stressed that—like many people across the country and around the world—he is working from home now. He told Matt that he essentially hasn’t left the house other than to get groceries since March. He said that none of the devices or technologies he is using were issued by his company, and he is now sharing a network with his children and their devices. The net result from a security perspective is that every individual is now a branch office of one—and the company has limited visibility or control over that branch office.
That is why zero trust is more relevant and important today. Organizations need to take the position that every connection or action is suspicious until or unless it is proven not to be. Chase made a comparison to our response to the COVID-19 pandemic itself. We wear masks because we don’t know who might have it and the best approach is to assume that everyone, including yourself, has it and act accordingly.
Companies have to pay attention to the things they can actually control. With digital transformation and cloud adoption, much of the underlying infrastructure that businesses rely on is managed by third parties. Organizations can—and should—do some due diligence to ensure the platforms and applications they use are secure, but the only thing they truly have visibility or control over are the people, data, and security policies they use with or on those platforms and applications.
The response to COVID-19 has accelerated adoption of zero trust principles and technologies. Chase shared that over the next few years he expects that we will get to a place where zero trust network access is fully mainstream. He also highlighted the importance of establishing a world where we can seamlessly enable secure access to dynamic infrastructure without impeding productivity or placing any burden on the end user.
The Castle Is Empty
The very concept of zero trust is essentially polar opposite from the traditional perimeter defense approach to cybersecurity. Forcepoint chief product officer, Nico Popp, was joined by Sean Sweeney, chief security advisor for Microsoft, to talk about the underlying strategy.
Sean started the conversation with a description of the legacy model. He said that historically the approach from a cybersecurity perspective has been based on an enclave model. There was an inside or outside, and anything or anyone that was “inside” the perimeter was considered, by default, to be safe. Now, with COVID-19, suddenly everyone is connecting to network resources and accessing sensitive data from their kitchens or bedrooms over personal Wi-Fi networks.
Nico described the enclave as a castle. He said that for 20 years we have been building castles surrounded by moats—and that we trust anyone inside the castle. To carry the metaphor to the situation we find ourselves in today, Nico noted that there is nobody left in the castle. Everyone is now a separate castle unto themselves, working from their home networks.
Nico noted that since the COVID-19 pandemic began there has been a dramatic spike in discussions around zero trust network access. Organizations need to move to something that is more scalable and simultaneously streamline and simplify the user experience without sacrificing security. He also stressed the importance of understanding and monitoring user behavior and revealed that Forcepoint has a UAM (user activity monitoring) tool coming soon that will bring UAM to the masses and help organizations automate the process of assessing the potential risk of users.
The New Normal
It is already quite cliché, but this is the “new normal”. I don’t like the term for the same reason I have never liked calling something “next gen”—eventually there will be something new, and then what? The “new new normal”? The “next next gen”? Regardless of the naming convention or what we call it, the reality is that we are living in a different world today than we were in February of 2020, and zero trust network access plays a pivotal role in helping organizations protect data in a world where everyone is connecting remotely.