April 12, 2023
Security compliance is a journey, not a destination. That journey took an unexpected turn in early 2020 due to the COVID-19 pandemic. According to the US Census Bureau, the number of people working primarily from home tripled between 2019 and 2021. The new “normal” for work increasingly involved remote work. Gone were the days of organizations’ in-office networks as a traditional security perimeter.
The shift to more remote work brought more security risks, including the increased attack surface. Bad actors are taking advantage – in 2020, cyber-attacks increased by 400% from pre-pandemic levels. The new “normal” requires a shift in security strategy from the traditional model.
Although the Zero Trust movement started well before the COVID outbreak, it gained increased traction due to the pandemic. In a 2021 Microsoft Zero Trust Adoption Report, 96% of the 1,200 security decision-makers polled indicated that Zero Trust was critical to their organization’s success. Statista states that in 2021, the global Zero Trust security market was nearly $23 billion and is expected to reach $60 billion by 2027. Organizations worldwide value the advantages of Zero Trust.
In a traditional security model, the security perimeter is the network edge, with threats only perceived to come from outside the network. Every user who has access to an organization’s network is inherently trusted. This is often described as the “trust, but verify” approach.
On the other hand, Zero Trust operates under a “never trust, always verify” approach. The security perimeter is no longer the network edge; it is the user’s identity. Users are required to prove their identity using multi-factor authentication to gain access to the network. Once inside, they must confirm their identity again to access applications and data. This approach acknowledges that threats can come from outside and inside the network.
Imagine your organization’s network is a house, and the various rooms are applications and data. Using traditional security, once you unlock the front door and step inside, every room and utility in the house is open to you. With no segmentation, it’s as if there are no doors inside the house. The inherent danger of this model is that once a bad actor gains access to the network, they have access to everything.
On the other hand, Zero Trust puts a door and lock on every room. Zero Trust requires you to prove your identity to unlock every room you need to use, despite being inside the house. Additionally, the house is divided into many more, smaller rooms than before. This is referred to as micro-segmentation. By dividing the network or “house” into smaller segments down to the workload level, attackers are prevented from moving laterally once they access the network. The principle of least privilege, a pillar of Zero Trust, would also dictate that some rooms are entirely off-limits to you because you don’t need them to perform your job. Zero Trust operates as if breaches are inevitable and should be mitigated before they happen.
Continuing with our example of your organization’s network as a house, in a traditional model, users can move around anonymously once they are inside the house. In the event of a security breach, an attacker can access applications and data without being tracked. It is unlikely that any monitoring tools are in place. This makes investigating a breach more difficult, as no audit trail exists.
Zero Trust dictates that each time a user needs to “open a door,” a log of the user, time, location, and device is created. This gives you greater visibility into the activities that occur within your system. With proper monitoring tools, your organization can flag and track suspicious activity as it happens, significantly reducing your response time in the event of a breach.
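To make the “door on every room” model concrete, here is a small added example (not code from the original article) of a policy engine that checks identity, device and least privilege on every access request, writes the user/time/location/device audit record the paragraph describes, and flags users who are repeatedly denied across segments. The user, role, segment and device names are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data (hypothetical names): least-privilege segment access per role,
# enrolled devices per user, and role assignments.
SEGMENT_ROLES = {
    "hr-payroll": {"hr"},
    "eng-source": {"engineer"},
    "shared-wiki": {"hr", "engineer"},
}
ENROLLED_DEVICES = {"alice": {"laptop-a1"}, "bob": {"laptop-b7"}}
USER_ROLES = {"alice": {"hr"}, "bob": {"engineer"}}

@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool
    device: str
    location: str
    segment: str

@dataclass
class PolicyEngine:
    audit_log: list = field(default_factory=list)

    def decide(self, req: AccessRequest) -> bool:
        """Every 'door' is checked independently: MFA, enrolled device, least privilege."""
        reasons = []
        if not req.mfa_verified:
            reasons.append("mfa-missing")
        if req.device not in ENROLLED_DEVICES.get(req.user, set()):
            reasons.append("unenrolled-device")
        if not USER_ROLES.get(req.user, set()) & SEGMENT_ROLES.get(req.segment, set()):
            reasons.append("not-least-privilege")
        allowed = not reasons
        # Audit record for each attempt, allowed or not: who, when, where, which device.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": req.user, "device": req.device, "location": req.location,
            "segment": req.segment, "allowed": allowed, "reasons": reasons,
        })
        return allowed

    def suspicious_users(self, max_denials: int = 2) -> set:
        """Flag users with repeated denials, a simple signal of attempted lateral movement."""
        denials = {}
        for entry in self.audit_log:
            if not entry["allowed"]:
                denials[entry["user"]] = denials.get(entry["user"], 0) + 1
        return {user for user, count in denials.items() if count >= max_denials}
```

In a real deployment the audit records would be shipped to a SIEM rather than held in memory, and the denial threshold would be tuned to the environment.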
Starting with a CIS security assessment is a great way to baseline your organization’s security stance against a structured framework. Based on your industry’s compliance requirements, such as CMMC, we can assess your organization against established controls, producing actionable recommendations to help achieve or maintain compliance. Developing an incident response plan is another proactive step to prepare your organization to respond to a breach. Contact us today to chat with one of our experts.