The past year has been a period of unprecedented change in the IT and networking environment. Pandemic-related restrictions on office-based work forced companies to shift almost overnight to heavy, and in some cases near-complete, reliance on remote working. Most businesses did not have the right infrastructure, or enough of it, in place to support a smooth shift to the very different types of networks necessitated by the change in the work environment. Cyberthieves have been very quick to pivot their operations to exploit weaknesses in new setups that were spun up overnight and, in some cases, held together with the digital equivalents of chewing gum and baling wire.
Cybercriminal activity has included:
- An explosion in the number of attacks on RDP ports used for remote access (from 256,000 per day in January 2020 to over 1.4 million per day by April 2020)
- Increased exploitation of software vulnerabilities, since users working from home are often slow to install software updates and security patches
- An increase in the volume and sophistication of phishing and spear phishing attacks, especially those delivering ransomware
The Need for Zero Trust
The best way to successfully defend against the different cyber threats in today’s environment is to adopt a Zero Trust security approach. Zero Trust is not a single program, solution or tool, but rather a radically different cybersecurity philosophy. The traditional approach, which is now largely obsolete, was to have a very strong perimeter protecting a company’s in-house network. This was known as “a castle with a moat”: once an individual was inside the castle, they were assumed to be a “good guy” and could access whatever they wanted, while everyone outside was considered to be dangerous and scary.
Today, however, there’s a “Complex New Normal of Network Access.” Users can be in the office or working remotely, using data and IT resources that are on the company network or in the cloud. This creates four different scenarios that require protection, with very different security implications for each one. It’s easy enough to implement protections for any specific scenario, but providing consistent security processes across all scenarios, without frustrating users, overloading IT, and creating gaps, is a huge challenge.
What Zero Trust does, regardless of where users or resources are, is to assume that no user and no resource is “safe.” Users’ identities and their need to know are continually verified. Users are permitted to access only the information and resources they need to do their jobs. All websites and emails are treated as potentially hazardous.
A Zero Trust approach has many advantages. Because it does not depend on users always doing the right thing, or on being able to detect and identify all threats in order to stop them, protection is simply always in place.
A comprehensive Zero Trust approach includes many different elements. Essentials include:
- Robust identification and access management using multifactor and other strong authentication techniques
- “Least privilege” access, restricting user access to only the limited set of data and resources they truly need to accomplish their tasks
- Microsegmentation to limit lateral movement within networks and clouds
- Remote Browser Isolation to keep all web-based content away from endpoints, since it cannot be verified as safe
Implementing Zero Trust
Clearly, for Zero Trust to be effective, it must be implemented throughout a firm’s IT infrastructure and resources, within owned networks and on the cloud. Zero Trust security is a strategy, and the protections mentioned above are a great place to start.
But implementing Zero Trust can be a challenge for midsize enterprises (MSEs) and small businesses. The comprehensive Zero Trust solutions that are available today were designed for Global 2000 organizations, are very expensive, and place heavy demands on IT resources, putting them out of reach for most MSEs. Yet MSEs have just as great a need for Zero Trust protection as large enterprises. The risks are real, the dangers are present, and in all likelihood, the post-COVID world will feature lots of remote work and increasingly sophisticated cyber criminals, often with state backing.
The answer for small and midsize enterprises is to “head for the cloud.” A cloud-based, comprehensive Zero Trust solution can protect users and provide a consistent experience wherever they are located, regardless of which resources they use and whether those resources are on-premises or in the cloud. And if done well (that is, designed to be simple and to fit MSE budgets), it can provide affordable Zero Trust protection for midsize enterprises and small businesses.