It used to be that the strength of your security depended on the strength of your firewall. But today’s cloud platforms and SaaS solutions have obliterated the ability to rely on firewalls and VPNs. The security perimeter has expanded with cloud-based solutions and remote workforces, requiring changes to the traditional security model. Identity-centric security based on the Zero Trust model (where no one receives automatic trust) secures the expanded perimeter.
As you might expect, network design evolved to meet the challenges of this new perimeter. Today’s organizations need a Zero Trust network architecture that facilitates zero standing privilege. Here’s what that network architecture looks like and how an identity-based perimeter functions with it.
With traditional network architecture, VPNs provided a secure entry point for access: employees were inside, and everyone else was outside. Now that employees are working from anywhere on a multitude of company and personal devices and accessing cloud-based platforms and software, there is no longer an “inside” and an “outside”; the boundaries have become incredibly porous.
Additionally, the VPN doesn’t prevent insider attacks, and it doesn’t allow simple and secure access for contractors and partners. Companies no longer need to know where people are and what device they’re using, but rather if the user, device, or application seeking access is actually an authorized identity. Gartner predicts that by 2023, 60% of enterprises will phase out most of their VPNs in favor of Zero Trust network access.
Zero Trust network architecture consists of the entirety of an organization’s valuable data, assets, and applications. To implement Zero Trust, it’s crucial to identify what these resources are, who your users are, what each user needs to access and how, and the frequency with which they need to access each element. With this information, you can then establish policies, set up automation, and employ AI tools that evaluate identity and make risk-based access decisions.
Because security now hinges on identity, let’s explore how identity works within the Zero Trust framework.
Zero Trust Access according to NIST SP 800-207
The foundational premise of Zero Trust is that access is never assumed. Standing privilege no longer exists. Privileged access is evaluated (and reevaluated) whenever a user (or device or application) seeks access. Each time an access request is made, the privileged access management (PAM) system evaluates contextual information such as job role, peer permissions, request history, and other identifiers to determine whether or not to grant access. If activity is deemed questionable, an alert goes out to an admin for further scrutiny.
VPNs are quite vulnerable to compromised credentials and insider attacks, whereas security based on identity is, by nature, significantly less vulnerable, and the impact of a compromise is minimized. Because Zero Trust assumes all traffic is dangerous, no one is given the metaphorical key to keep for use whenever desired. Instead, access is granted only if the identifying information checks out. Ditching the VPN in favor of identity-based security allows organizations to limit the damage from insider attacks, reduce the risk presented by compromised credentials, and facilitate secure access for employees working from home.
Traditional security strategies do a poor job of protecting access to web servers, cloud services, and other publicly available items. Because Zero Trust doesn’t depend on firewalls, each of these cloud-based items can be kept secure from anyone and anything that doesn’t pass the identity evaluation. Additionally, access is granted only for the amount of time necessary for the user to complete the task at hand (which could be a matter of hours, weeks, or months). Because access is time-limited, employees who leave for another organization will no longer be able to access the CRM, PM tool, etc. after they’ve left. And if an attacker uncovers access credentials without being caught by the security system, they won’t have access for long.
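To make the per-request evaluation described above concrete (contextual checks on role, device, peer permissions and request history, an alert to an admin when activity looks questionable, and grants that expire rather than standing privilege), here is an added example written for this article. It is not Saviynt’s product code and not a NIST SP 800-207 reference implementation; every policy, user, device, threshold and grant in it is a constructed sample.

```python
"""Added example: per-request, risk-scored access decisions with time-limited grants.

Illustrative code written for this article, not a vendor product or a NIST reference
implementation. All policies, identities, devices and thresholds are constructed samples.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed resource policy: which roles may request a resource and the longest a
# single grant may live. No standing privilege: every grant expires.
POLICIES = {
    "crm":     {"roles": {"sales", "support"}, "max_grant": timedelta(hours=8)},
    "prod-db": {"roles": {"dba"},              "max_grant": timedelta(hours=1)},
}

# Constructed identity directory and compliant-device inventory.
USERS = {
    "alice": {"role": "sales", "active": True},
    "bob":   {"role": "sales", "active": True},
    "carol": {"role": "dba",   "active": False},   # has left the organization
}
COMPLIANT_DEVICES = {"laptop-alice-01", "laptop-bob-01"}

RISK_THRESHOLD = 2               # at or above this, hold the request for admin review
BURST_WINDOW = timedelta(hours=1)
BURST_LIMIT = 5                  # requests per window before it counts as unusual


@dataclass
class Request:
    user: str
    device: str
    resource: str
    duration: timedelta          # how long the requester wants access for
    at: datetime


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)
    expires_at: Optional[datetime] = None
    alert_admin: bool = False


def peers_hold(resource, role, active_grants):
    """True if someone else with the same role currently holds this resource."""
    return any(g["resource"] == resource and USERS[g["user"]]["role"] == role
               for g in active_grants)


def evaluate(req, history, active_grants):
    """Evaluate one request against identity, device and behavioural context.

    history: past Request objects for this user; active_grants: dicts with
    "user", "resource" and "expires_at" that are still valid. Both constructed.
    """
    d = Decision(allowed=False)
    user = USERS.get(req.user)
    policy = POLICIES.get(req.resource)

    # Hard checks: unknown/deactivated identity, unknown resource, non-compliant device, wrong role.
    if user is None or not user["active"]:
        d.reasons.append("unknown or deactivated identity")
        d.alert_admin = True
        return d
    if policy is None:
        d.reasons.append("unknown resource")
        return d
    if req.device not in COMPLIANT_DEVICES:
        d.reasons.append("device not in compliant inventory")
        d.alert_admin = True
        return d
    if user["role"] not in policy["roles"]:
        d.reasons.append(f"role {user['role']} not permitted on {req.resource}")
        return d

    # Soft checks: accumulate a risk score from context rather than denying outright.
    risk = 0
    if not peers_hold(req.resource, user["role"], active_grants):
        risk += 1
        d.reasons.append("no peer with the same role holds this resource")
    recent = [h for h in history if timedelta(0) <= req.at - h.at <= BURST_WINDOW]
    if len(recent) >= BURST_LIMIT:
        risk += 2
        d.reasons.append(f"{len(recent)} requests in the last hour")
    if risk >= RISK_THRESHOLD:
        d.alert_admin = True
        d.reasons.append(f"risk score {risk} >= {RISK_THRESHOLD}; held for admin review")
        return d

    # Grant, but never for longer than the policy maximum.
    if req.duration > policy["max_grant"]:
        d.reasons.append("requested duration capped at policy maximum")
    d.allowed = True
    d.expires_at = req.at + min(req.duration, policy["max_grant"])
    return d


def grant_is_valid(grant, now):
    """A grant is honoured only while unexpired and while the identity is still active."""
    u = USERS.get(grant["user"])
    return bool(u and u["active"] and now < grant["expires_at"])
```

The two-tier structure is the point: identity, device and role are hard gates, while the contextual signals (peer permissions, request history) only raise a risk score, so an unusual but legitimate request is routed to a human instead of silently denied. `grant_is_valid` re-checks the directory on every use, so deactivating a leaver cuts off even an unexpired grant.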
With the right security solution, monitoring applications and devices can be automated to flag possible attacks.
Zero Trust architecture requires constant monitoring. All traffic, from users to devices to applications, must be reviewed and evaluated every time an access request is made. This is true for both internal and external traffic. While outsiders cause 70% of data breaches today, insider threats are substantial. And the cost of insider threats is on the rise, with a 31% increase from $8.76 million in 2018 to $11.45 million in 2020. The breadth of monitoring would be overwhelming for administrators, so you need a security solution that uses heuristic-based rules and automation to watch for possible attacks.
While VPNs and traditional network architecture will soon be things of the past, the reality is that the future is already here. Today’s remote work revolution and cloud-based platforms and tools require an overhaul in the way we think about security and build for it.
Access based on identity is the surest way to prevent a breach, either external or internal. But to implement identity-based security, you must have a thorough knowledge of all your assets, data, and applications. You must also be able to analyze activity and continually monitor for out-of-the-ordinary requests. A Zero Trust network architecture and a powerful security solution based on automation and AI will allow you to implement Zero Trust with less risk.
Find out how Saviynt facilitates Zero Trust and learn how you can reimagine security for your entire workforce at a time when identity is the only security perimeter left. Watch this on-demand webinar, Securing Your Remote Workforce with Microsoft, Saviynt, & Avanade.