Trust is a common theme in cybersecurity when it comes to network breaches, yet what these breaches actually highlight is a lack of trust. A company’s feeling of safety and security can disappear in a nanosecond once its network has been infiltrated and all control of networks and applications is lost. For tech-forward organizations, that feeling of lost control becomes more universal with every new breach to hit the headlines.
While in some industries this scary feeling may only now be emerging, in the network security landscape it is not a new phenomenon. Whether the cause is malware, ransomware, or a classic unauthorized-access network breach like the one we saw with Capital One, there is zero optimism about the safety of companies and individuals from hackers. Awareness of one’s level of vulnerability is a prerequisite to safety and enables one to take pragmatic steps to secure their data.
Until recently, organizations’ IT and security teams focused their security efforts primarily on fighting off attacks on the perimeter. While this was the right approach when everyone worked in the same office, times have changed. With COVID-19 accelerating the “work from anywhere” approach, we need to rethink network security strategies and pivot them around the user instead of where the network is based.
With more employees working outside the physical office, there is a quickly growing number of endpoints for hackers to attack. In most organizations, the typical employee uses multiple devices to do their daily job. Is each device secure? The answer is probably yes, but you can’t be certain. With every unsecured device, an organization’s network takes on unnecessary risk. When a network is breached, understanding where and how access was gained is not instant, and by the time you have your answers, it is too late.
IT and security teams need to change their approach, and instead of solely emphasizing perimeter security, transform their employees’ permissions and access policies. One of the most common mistakes organizations make is trusting their users when it comes to authorized access. When you provide unrestricted access to any user or device in your network, you simply open the gates for your organization’s network to be breached.
Once a user or organization is compromised, their credentials can easily be used to infiltrate the network through a variety of attacks. This means organizations need better visibility into authorized user access to their network. So how can organizations trust their employees once again?
Can we trust our employees once again, and reduce their responsibility and impact as guards of the organization’s network against hackers? I believe we can, as humans are meant to be trusted even though in many instances human error puts that trust in doubt. People aren’t perfect and we all make mistakes, but we must account for those mistakes proactively.
A common approach to secure network access that has gained popularity over the past decade is the Zero Trust model. Zero Trust was originally proposed by Forrester in 2010, with the motto “never trust, always verify”. The idea is that until users can verify themselves via authentication, they will not receive access to the network. Zero Trust is not a specific product or architecture; instead, adopting it means taking a more modern approach of setting up organization-wide guidelines inside the company’s resources.
By implementing the Zero Trust Network Access (ZTNA) model for secure network access, IT teams will have full control at all times over who is granted access and who enters and leaves the network. For each network, resource or application, there should be a set of rules and policies in place, enforced by the key elements of the Zero Trust model: multi-factor authentication, proper device management, limited privileged access and network segmentation using software-defined architecture.
Organizations that take the right approach with ZTNA can erase the concept of trusting in their employees and won’t fear granting access. To achieve secure network access inside your organization, you will need to have the proper principles implemented and distributed throughout the company. Treat Zero Trust Network Access as a manual for how organizations should strategize and “trust” their employees with the keys to the kingdom.