Accessibility and security. Two words that keep most technology officers awake at night. Perhaps now more than ever before, businesses are forced to find new approaches to cybersecurity to keep data safe. As employees no longer report to an in-house network, keeping data safe across geographies and network lines has become the newest challenge.
Quick solutions brought to light many “good enough” answers that are now causing security nightmares. While companies tried to deal with certain issues caused by remote access limitations, they may have positioned themselves for the almost equally conceivable doom of cyberattacks. Especially as cyber attackers become more sophisticated.
Remote work during COVID-19 increased data breach costs in the United States by $137,000. And at the height of the pandemic, the FBI reported upwards of 4,000 security complaints per day. The list continues to grow of circumstances like these with mounting challenges for cybersecurity teams.
If there were ever a time to go back to the basics and redefine security and accessibility, that time is now. We’ve been relying on a vast and ever-increasing number of discreet security products like VPN products and Next-Gen Firewalls to the most recent use of SD-WAN (SASE) deployments. We forget that sometimes the absolute best security “tool” is a change in attitude. Rather than keeping everything in the castle or on-premises, the new workplace needs to be able to adjust security to zero trust.
Who gets in?
Bad guys out, good guys in. This long-standing principle has shaped how enterprises approach information security for decades. Anchored in the premise that IT environments can be protected from malicious activity by simply making the perimeter bigger, stronger, and more resilient. But as globalization grows and our networks expand through neighborhoods and countries, IT departments must reevaluate not just their tactics but their attitude.
For many organizations, adding layer upon layer of these defenses over an extended period of time has caused the implementation of many defenses reliant on legacy, on-premises, and cumbersome point solutions. Fortifying the castle one wall, one moat, and one drawbridge at a time doesn’t allow for much architectural progress.
During COVID, organizations that previously had tight control of the user’s endpoint found themselves struggling to provide access to necessary organizational data and push security updates from their central location onto the bandwidth-constrained home networks. Ironically, the tighter the pre-covid security stance had aligned to central control, the larger the problem they now faced.
According to research, enterprises already run 77% of their workloads in the cloud. While COVID-19 put this adoption in overdrive, the concept isn’t new—what is new is all the ways we’re interacting with cloud architecture, which is where IT must begin to find a “new normal” for internal and external networks. The new framework should become zero-trust.
Who has access?
Whether intentional or not, everyone who has access to the network can be compromised. This type of security framework requires all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated before being granted or maintaining access to applications and data. Zero-trust assumes that there is no traditional network edge—they can be on-premises, in the cloud, or hybrid—which is where many organizations are finding themselves now.
This type of security embraces the use of more precise and stringent network segmentation, creating what are sometimes called micro-perimeters throughout the network to prevent lateral movement. The goal is that when – not if – a breach occurs, an intruder can't easily access sensitive data by hopping VLANs, for example. Gartner predicts that by 2023, 60% of enterprises will phase out most of their remote access virtual private networks (VPNs) in favor of Zero-trust Network Access.
Policies and governance also play an important role in a zero-trust architecture since users should have the least amount of access required to fulfill their duties. Granular control over
who, what, where and when resources are accessed is vital to a zero-trust network.
Automate the rest
Along with the move to zero-trust, IT teams must also automate continual trust evaluations. From the banals of science fiction, we’ve always been afraid that machines will replace us. When in reality, they’re just here to make us better. For the last decade or so, artificial intelligence and automation have emerged as key partners to prepare infrastructures for the future. IT automation, or infrastructure automation, is the use of software to create repeatable processes.
The purpose of automation is to reduce human interaction with IT systems and make the remaining interaction completely predictable. A core component of a zero-trust network relies on trust evaluation—usually done by an adaptive access control engine. By combining logs from the trusted proxy with continuous analysis of behaviors, AI can help analyze and ensure access is maintained to only risk-averse users.
In many ways, IT automation is the foundation of the modern data center where servers, storage, and networking are transformed into software-defined infrastructure. When we discuss keeping data secure, the fewer human touchpoints, the better. By automating many of the security processes, once manual, tedious tasks can be automated, and therefore security is increased.
Who keeps the future secure?
Just like the workplace is changing, so is what we expect from our IT departments and partners. No one could have foreseen the way that our workforce would change—not just to more remote work, but to a truly distributed workforce capable of working anywhere. The reality we find ourselves in now will continue to force innovators to keep their networks secure and accessible. With an agile philosophy, IT teams should feel supported to walk the tightrope between security and accessibility with a zero-trust framework.
Karl Adriaenssens works in the Office of the CTO at GCSIT.
NetOps teams, like Spider Man, have great powers and great responsibilities. Increasingly, they are adopting a Zero Trust approach to network operations to help fight their battles.
Senior stakeholders who want to hold on to their CISOs must ensure that they have sufficient incentives and, more importantly, support to cope with the burden of risk that they are carrying.
The most alarming takeaway from Cisco’s new Cybersecurity Readiness Index report is that even after decades of having the importance of cybersecurity driven home, cyber threats are still taken too lightly.
