Once upon a time, security professionals worked to secure the perimeter of the organization. The single perimeter that information technology (IT) teams spent the majority of their workday protecting with physical and technical controls has now disappeared. Hybrid work models and employer programs like bring your own device (BYOD) are examples of why efforts to secure an organization’s perimeter is an ineffective way to protect business IT systems and data assets – the idea of a single perimeter does not exist.
A more modern approach to information security considers all identities (e.g., users and devices) seeking to access systems and data and believes that the identities must be authenticated, authorized, and continuously verified. This approach to security is referred to as Zero Trust, a strategy that organizations with mature cybersecurity programs have implemented to keep pace with the evolving threat landscape and regulatory compliance requirements.
Out with the old
Perimeter-based network security is the old way of securing organizations. In the digital age, there’s no such thing as a single perimeter that IT teams can secure. Similarly, the idea that there is a network edge or that trusted networks exist is also outdated. Security is no longer location-centric. Cyberattacks resulting in data breaches are one of the primary reasons that security professionals have moved to a data-centric approach to security. Due to the remote workforce, new security threats, and increasingly sophisticated cyberattacks, it is necessary for organizations to transition to a Zero Trust Architecture. This transition, however, will likely require a change in an organization’s cybersecurity philosophy and a cultural shift in how IT teams think about securing an organization’s systems and the underlying data. It also requires the widespread understanding that not all MFA methods are equal. According to Sarah Lefavrais from Thales, “Implementing strong authentication methods in a constantly evolving environment is imperative to improve your organization’s cybersecurity posture and promote effective access control.”.
In with the new
The May 2021 Executive Order on Improving the Nation’s Cybersecurity states that the federal government must advance toward Zero Trust Architecture (ZTA) in accordance with the National Institute of Standards and Technology (NIST) guidance. In short, NIST states that ZTA is based on zero trust principles and designed to prevent data breaches and limit internal lateral movement. Zero trust principles focus on preventing unauthorized access and using the most granular controls to manage access once provided. Identity access and management is key to accomplishing alignment around zero trust principles.
The Cybersecurity and Infrastructure Security Agency (CISA’s) first of five pillars for the Zero Trust Maturity Model framework is, in fact, identity. Other authoritative references for implementing a ZTA also place significant emphasis on identity. Adopting an identity-based approach to zero trust is the best way for organizations to reach zero trust implementation goals.
Formulating an approach to identity and access management is one of the most important steps to consider as organizations develop a plan to implement a ZTA. Successful implementation of a Zero Trust Architecture requires strong identity and access controls, including modern authentication. Authentication and authorization methods fall within the umbrella term modern authentication, and they are necessary to manage the identities (e.g., users and devices) that access an organization’s systems and data. Identity access and management ensures that information is accessed by the right users, at the right time, and for the right purpose.
Bridging the gap for a secure future
Organizations moving forward with a zero-trust approach are demonstrating a willingness to close any IT security gaps. As businesses continue to learn more about what their customer expects and demands, they will need to develop plans to keep pace with the expectations and demand. Of course, security must be part of these plans. It will be essential to invest in tools and services that will support their security goals in the future, which will undoubtedly involve more touchpoints, more integration, and more access demands. Investing in upskilling employees will demonstrate the organization’s commitment to prioritizing futureproofing the organization.
With initiatives like Mind the Gap, which recognizes the issues related to the digital divide and encourages digital inclusion, more and more users will eventually access products and services using the Internet. Identity access and management, especially strong authentication protocols, will prove to be even more important for users whose security practices and cyber hygiene is less mature than a user who has had ample opportunities to develop and mature their security practices and cyber hygiene.
Perimeter-based network security is no longer a viable approach to securing IT systems and data. Because the single perimeter of the past has been completely eroded, mature organizations adhere to one of the most foundational tenets of Zero Trust, which is that nothing is implicitly trusted. Trust nothing and verify everything. Transitioning to a Zero Trust Architecture will help ensure that organizations protect their IT systems and the underlying data using strong identity and access management. This helps to build employee, customer, and industry trust in an organization’s services. Safe, trusted digital products and services, as well as confidence that an organization diligently secures its data, helps positively support the entire digital ecosystem and helps to secure the future digital economy.