Zero trust security framework: the benefits and downsides

Author: Mark Stone

No business can afford to leave security to chance. Even if you survive the initial financial setback of a data breach, the revenue impact may endure. In the U.S., 83% of customers say they would stop all business with a company for several months following a breach, and 21% will never return. And because there are many ways to defend against cyber attacks, it’s better to make an effort than hope to get lucky.

The zero trust security framework was introduced in 2009 as a new way of addressing network security. Its basic premise is that an enterprise shouldn't automatically trust any endpoint originating inside or outside its perimeters. Security teams should strictly limit access to the network—anyone or anything that can't be trusted shouldn't get in.

Zero trust networks enforce granular rules based on who users are, where they are and other pertinent details. If a zero trust network can't determine an endpoint's security status, it won't authenticate a connection until it can verify the user and their location. Once it authenticates the connection, the network applies a restrictive policy that only provides the network access that a user, machine or app needs.

First step toward zero trust

A zero trust framework doesn't happen overnight, and it's not something you can switch on and off.

The first and most critical step in preparing for a zero trust model is network segmentation—partitioning your network into smaller networks so that access levels are restricted, isolating the hosts and services that hold sensitive data. If, for example, a hacker accessed the part of your network that contained general company documents or spreadsheets, they would be limited to that segment of the network. Sensitive HR or finance data—the hacker's holy grail—would remain safely locked away in another segment.
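As an added illustration (not code from the article or any product it mentions), the following Python sketch models the two ideas above: an endpoint whose identity, device posture or location cannot be verified is not authenticated at all, and once verified it is granted access only to the network segments its role actually needs, with sensitive HR and finance data isolated in segments of their own. The segment map, the trusted-country list and every sample request are constructed for this example.

```python
"""Minimal zero trust policy decision point (added example, constructed data).

Evaluates an access request in the order the article describes:
1. verify the user (MFA),
2. verify the endpoint's security status (unknown posture is a deny, not a pass),
3. verify location,
4. apply a least-privilege policy: only the segments this role needs.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed segment map. Sensitive HR and finance data live in their own
# segments, so a user who can reach general documents cannot reach them.
SEGMENTS = {
    "general-docs": {"sensitivity": "low", "roles": {"staff", "hr", "finance"}},
    "hr-data": {"sensitivity": "high", "roles": {"hr"}},
    "finance-data": {"sensitivity": "high", "roles": {"finance"}},
}

# Constructed allow-list of locations the policy treats as verifiable.
TRUSTED_COUNTRIES = {"US", "CA"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool
    device_compliant: Optional[bool]  # None = posture unknown (no agent report)
    country: Optional[str]
    segment: str


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    granted_segments: frozenset = field(default_factory=frozenset)


def evaluate(req: AccessRequest) -> Decision:
    """Return an allow/deny decision plus the segments the role may reach."""
    # Step 1: identity. No verified user, no connection.
    if not req.mfa_verified:
        return Decision(False, "identity not verified")
    # Step 2: endpoint posture. If the status cannot be determined, do not
    # authenticate until it can be (fail closed on unknown).
    if req.device_compliant is None:
        return Decision(False, "device posture unknown")
    if not req.device_compliant:
        return Decision(False, "device non-compliant")
    # Step 3: location.
    if req.country not in TRUSTED_COUNTRIES:
        return Decision(False, "location not verified")
    # Step 4: least privilege. The requested segment must be one the role needs.
    seg = SEGMENTS.get(req.segment)
    if seg is None:
        return Decision(False, f"unknown segment {req.segment}")
    if req.role not in seg["roles"]:
        return Decision(False, f"role {req.role} not permitted on {req.segment}")
    granted = frozenset(n for n, s in SEGMENTS.items() if req.role in s["roles"])
    return Decision(True, "verified", granted)


# Constructed sample requests: one per failure mode, plus two successes.
SAMPLE_REQUESTS = [
    AccessRequest("alice", "staff", True, True, "US", "general-docs"),
    AccessRequest("alice", "staff", True, True, "US", "hr-data"),
    AccessRequest("bob", "hr", True, None, "US", "hr-data"),
    AccessRequest("carol", "finance", True, True, "XX", "finance-data"),
    AccessRequest("dave", "hr", False, True, "US", "hr-data"),
    AccessRequest("erin", "hr", True, True, "CA", "hr-data"),
]


def run_samples():
    """Evaluate the constructed requests; returns (user, allow, reason) tuples."""
    return [(r.user, evaluate(r).allow, evaluate(r).reason) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for user, allow, reason in run_samples():
        print(f"{user:6} {'ALLOW' if allow else 'DENY ':5} {reason}")
```

The important design choice is in step 2: a missing posture report is treated as a denial rather than a pass, which is what "won't authenticate a connection until it can verify" means in practice. Step 4 returns the full set of segments the role is entitled to, so a staff user compromised in the general-docs segment still cannot reach hr-data or finance-data.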

Trust no one

With organizations adopting a work-from-home model to meet the challenges of today's social and economic landscape, more endpoints are connecting from outside the safe confines of the office perimeter. As noted in the Verizon 2020 Data Breach Investigations Report, most organizations have internet-facing assets spread across five or more networks. The more assets you have, the more difficult it is to manage them—and forgotten assets can create dangerous holes in your defenses.

Because the office perimeter now extends to user devices, establishing secure trust environments to safeguard customers' financial and personal data is vital—especially considering the massive surge in cybercrime related to COVID-19. In April, the FBI observed a fourfold increase in cybercrime reports, and the U.S. National Counterintelligence and Security Center issued warnings that "threat actors may exploit COVID-19 to steal the intellectual property of medical research organizations or sensitive data related to America's response to the pandemic."

Clear benefits — and drawbacks

A zero trust security framework is one of the best strategies for blocking unauthorized activity, whether it's accidental or malicious. The case for implementing such a hypervigilant form of access control is compelling: 68% of business leaders believe that cybersecurity risks are increasing, and they're right—hackers are attacking every 39 seconds.

In addition to attack protection, businesses can reap several benefits from implementing a zero trust framework:

  • Network errors are easier to fix because they can be pinpointed to an exact location.

  • Logging and monitoring are simplified thanks to clearer access rules.

  • Network performance is improved with the decrease in endpoint traffic to each subnet.

  • Breaches don't take as long to detect.

The tangible advantages of a zero trust security framework go beyond security. Moving these architectures to the cloud minimizes operational costs and eases the burden on human resources and staffing. And by protecting your customer data, you mitigate potential financial losses and potential damage to your reputation in the event of a cyberattack.

The challenge for organizations is balancing privacy, protection and security with the availability of resources and the ability to do work. Because there are more users, more devices and more ways to access and store data than ever, achieving zero trust isn't free from pitfalls. If your company is heavily invested in digital transformation and IoT, for instance, a zero trust framework might be more difficult to embrace. It might even be detrimental to your business. Ultimately, you must synchronize your security strategies with your business objectives.

The time is now

The COVID-19 pandemic has transformed the way we work. Preparing for an uncertain future means adopting technology that can be scaled and adapted to meet unpredictable challenges. You must begin strategizing around and forming the technical building blocks so that you can scale and adapt your business accordingly.

Building a zero trust architecture doesn't have to be overwhelming. If your network isn't adequately segmented but you're still looking to optimize security, consider a software-defined perimeter, which can defend against network-based attacks to give you peace of mind.