Why zero trust is the only way to ensure integrity of data, devices and users
From devices to networks, people and data, Cisco UKI public sector cybersecurity specialist Emma Velle explains why zero trust is the only fail-safe for protecting your organisation.
In the world of IT security, it’s fair to say that we’ve reached a point where complete trust no longer exists. Gone are the days of simply protecting the perimeter together with any specific areas we knew were vulnerable to risks.
Trusted zones are no more. Today, the entire network, and everything beyond it, is perpetually at risk, with nowhere safe from potential breaches.
Welcome to the world of zero trust
The concept of zero trust was originally coined by Forrester as far back as 2010. Yet nearly ten years on it’s even more relevant today, as our ways of working have changed beyond what we imagined might be possible or even desirable until relatively recently.
For example, while many of us have been taking our work laptops home with us for many years now, home working has taken on a completely different meaning and, in many cases, is now the norm. And many of us routinely take our smartphones and tablets to the office, sometimes connecting multiple devices to employer networks.
That’s not the whole story either; we also connect BYOD and work equipment to public Wi-Fi on trains, on buses, and in hotels, cafes and other businesses’ premises. Remote working, home working, mobile working, contractor working – they’re all the norm now for a large percentage of employees. And generally, they’ve all been a success. They have made us much more productive, enabling us to work from virtually anywhere, and this flexibility benefits both workers and businesses.
Yet these innovative working practices rely on high levels of trust. And alongside greater freedom and trust sits a growing and ever-changing threat surface.
And therein lies the dilemma.
Control versus freedom
Zero trust creates a scenario where the security landscape might appear to be out of control.
Yet while it’s prudent to be cognisant of the constantly evolving threat landscape – from network to devices to people – it’s vital that we don’t undo all the good work achieved so far and eliminate the substantial benefits derived from these flexible and now well-established work patterns.
A more rigid approach with restricted access to the network might seem to be the way to regain command – but it also has the potential to make many ways of working obsolete. This could impact heavily on our productivity and flexibility, taking us back to those restrictive work patterns of the past. And it won’t necessarily prevent a security breach.
Finding the balance
When considering security in a hyper-connected world, we must, therefore, think about the overall implications of the security controls, policy and posture implemented. And as the threat landscape continues to evolve, organisations need to think about security continually, during every activity, in order to remain agile in their thinking, whether merging organisational estates or maintaining access to critical apps.
Complex environments like local government, the NHS and social care require particularly high levels of security, given the sensitivity of the services they provide. Unfortunately, public sector organisations are often at a less mature stage in their technology adoption than some other sectors, meaning an obvious need to find the fine balance between the two.
The architect of your own security
That’s why we advocate an architectural approach to security rather than a point product model. An architectural approach supports a zero trust environment by linking solutions to form one layered, intertwined structure as opposed to a series of disparate products, which can result in gaps. Gaps which represent some of the reasons a zero trust environment exists in the first place.
Zero Trust means a different model for cybersecurity, where there are no trusted devices, systems, or people. However, it can still be a business enabler.
There is no single answer to security in a zero trust world; it’s more about exploring all possibilities and finding the right balance between freedom and control. What is acceptable in one scenario or industry might be completely inappropriate for another – but that’s risk for you!