The rise of the remote worker and uptick of businesses supporting flexible working has seen the adjacent rise in security breaches. Okta’s The State of Zero Trust Security 2021 whitepaper notes how identity-based attacks skyrocketed in 2020, with “almost 90% of web application breaches caused by credential abuse.” What’s more, “phishing was present in more than a third of all breaches.” In 2022, 39% of UK businesses identified a cyber attack, with 83% of those being phishing attempts, according to the Government’s Cyber Security Breaches Survey 2022.
It’s more important than ever for businesses to better protect their valuable information and in turn protect customers and employees. Traditional security approaches no longer meet the security needs required to support the new way of working. The UK Government report further reveals that 82% of UK business senior leaders regard cyber security as a high priority, seeing an increase from 77% in 2021.
These numbers shed light on the growing need for your security to meet the demands of today’s remote working environment. Businesses can achieve this by moving toward a more comprehensive and fine-grained contextually aware approach to access, rather than one that is solely based upon perimeter security. With that, it’s time to delve into the world of Zero Trust and what starting out on this journey means for your business.
Traditional security, such as the use of VPN and perimeter security are becoming increasingly open to cyber attacks. As businesses continue to adapt to remote based working, there are greater risks of data breaches across a wider variety of networks and devices. Zero Trust helps increase protection for apps and data stored in the cloud by focusing on the context of the access request – factors such as: where the user is logging in from; the type and status of the device being used for the request; the identity used and associated role; geo location, time of day, etc etc. By taking all of this information into account when granting access, businesses can better protect themselves, their employees and customers.
It’s no surprise that Google is a thought leader in this space, operating as a global engineering company at planet scale. Indeed, their own Zero Trust offering – BeyondCorp Enterprise (BCE) – is based in part upon learnings from the nation state attack it suffered in 2010, through the realisation that their security approach at that time had to be completely re-thought, along with their subsequent response and change in their internal security models. As such, BCE enables you to secure user access to your systems in a similar way to how Google secures its own.
The old model of automatically trusting users & devices which are “inside the network” makes little sense when your staff are working across a variety of locations and devices. Zero Trust means a corporate IT asset can only be accessed based on the context of the user, request and the device.
When thinking about the old way, you can imagine a castle and moat. Each layer of security acts as a layer of protection, like the moat and walls of a castle. Adding more layers, such as VPNs and firewalls, make it more difficult to get into your system, like putting more moats and bigger walls on a castle.
However, you need to also consider:
The Zero Trust way means to “trust nothing” when it comes to each and every request. There is no implicit trust because you’re within a certain network or provided your credentials somewhere else. Here in our new castle, each room is guarded and a different key is needed for each room you enter. Even if you’re allowed into one room, there’s no automatic access to any other room in the new castle.
I know what you’re thinking. This is all great but, why does it matter to your business? Well, Zero Trust is a top enterprise security priority with 82% of organisations claiming to be committed to migrating to a Zero Trust architecture according to a 2020 Forrester survey, and for good reason. Implementing a Zero Trust model can help you protect sensitive information and data, meet compliance requirements, user control and access, and faster detection of security breaches. It’s a concept fast becoming mandated at the highest levels. A White House Executive Order states all agencies have until the end of September 2024 to meet five zero trust goals: identity, devices, networks, applications and data. This is likely to have a knock on effect outside the realms of government, with the possibility of business requirements following suit in coming years.
For your employees, it allows them to only access the necessary level of information they need to do their jobs, for example, frontline workers who would just need to access point of sale systems, or contractors who may only need access to certain apps in order to get their part of the job done, without risking full access to unnecessary information.
While effective, it’s important to note that Zero Trust is not an overnight quick fix to your security concerns. Getting started in your journey to Zero Trust requires planning and the awareness that you will need to overcome challenges along the way.
Start by thinking about where you are now, does your business use perimeter security and VPNs to control access to resources and data? Once inside your business perimeter, do you know what controls are in place to protect your information?
When it comes to access, are you sharing unnecessary information or data with visitors, contractors, suppliers and partners who require only partial access to get their jobs done? With this, how does your business verify devices are secure before allowing access? The good news is, if you’re already using Google Workspace or Google Cloud, you already have the tools to start your journey to Zero Trust.
To support the new normal and increase in remote working, a Zero Trust security approach is important to consider. Workforces need to be able to access the information they need easily, regardless of where they are, in a safe way.
Traditional security approaches are becoming more vulnerable to increasingly sophisticated attacks and limit the ease of access with the use of VPN and perimeter security. This layered approach only requires one breach to expose the whole network. Whereas, Zero Trust validates each and every connection providing a more robust protection.
Wherever you are in your Zero Trust journey, CTS can help. BeyondCorp Enterprise is a Zero Trust solution, built on Google’s planet-scale network, which provides customers with simple and secure access to applications and cloud resources that offer integrated threat and data protection. There is no one-size-fits-all approach to Zero Trust so if you’d like to learn more about what this could look like for your business, let’s talk.
Are you ready to start your Zero Trust Journey? Get in touch today.
If you’re looking to find out more about Zero Trust, join CTS and Google Cloud on the 14th March where we will do a deep dive at our upcoming event.