You’re standing in front of three doors. Door number one is big, tall, and sturdy. Nothing fancy, but seemingly safe. Door number two has more bells and whistles, fancy engravings, and twice the number of locks. Elevated security for sure, but you suspect more form over function, so you’re not entirely sold. Door number three features a winning combination of practicality and advanced locks. This one has to be the best choice, right?
You can’t see behind any door, so your choice is limited to inference. That’s frustrating. Today, choosing the right security solution for your business is no different. Bells and whistles can distract us from our core objective of ultimate, unwavering security. And old reliable doesn’t seem capable of repelling an onslaught of modern threats and distributed exposures.
Organizations need to make the right network security choice to successfully secure their networks in a highly dynamic, distributed world where it’s not a matter of if intruders will get in, but when. Turns out, the right approach is as much about philosophy as it is about technology: trust no one. But, before we get into the relationship between trust and better security, let’s begin with a review of how we got here in the first place.
Security is Serious Business
Security has been elevated in every boardroom because no organization is safe from data breaches and potential malpractice. This is the result of an obvious reality: apps are the lifeblood of modern businesses, and businesses—and their apps and users—are increasingly distributed. That means sensitive data is everywhere, and all of it is harder than ever to protect.
With this much on the line, it’s imperative that we rethink how we secure our networks.
My Network is My Castle
Traditionally, security was about the perimeter. Trust those inside the network, don’t trust those outside of it. The network was like a castle. Its walls defined the defense. You could enter through the gates if you were deemed trustworthy. Once you were in, you moved freely.
Before remote work and the SaaS-ification of apps, employees worked on-site in company offices. The perimeter was well-defined, which made it easier to enforce security policy without interfering with productivity.
Ever-more Distributed Risk
Things changed over the last decade as technology enabled remote work and shifting societal trends encouraged it. Then COVID came and greatly accelerated the extinction of the moat and castle model.
Employees expect to work anywhere, on any device. Each day they connect to multiple private and public clouds and SaaS applications, expecting the HQ experience. Organizations now need to provide workspace choice as a service: they need to deliver performant access with the same data center-grade security you’d get in the office.
Apps themselves have become distributed, both inside the network and among clouds. Microservices, containers, and Kubernetes increased the complexity of app-to-app communications. All of this increased the attack surface for enemies outside and inside the gates while making the protection of dynamic communication flows increasingly complex. When perimeter defenses fail, bad actors can get inside, hide among the large volume of traffic, move from server to server with impunity, and do the most damage.
The massive decentralization of networks, apps, and users—inside clouds, among clouds, and between users and clouds—suggests the perimeter no longer exists, at least not in its traditional sense. As a result, the perimeter-only defense model is now obsolete.
Time to Turn to Zero Trust
In a world full of risk, where dynamics, distribution, and complexity rule, the best security begins from a basis of trusting nothing. Between users, endpoints, and clouds, it’s about trusting no user or endpoint, prima facie. Inside and between clouds, it’s about trusting no app, until proven otherwise. The basis of the Zero Trust model is identifying trusted individuals (at the edge) and trusted applications (inside and among clouds), and assuming everything else may be compromised.
Knowing this, the technologies you’d use to achieve a Zero Trust security paradigm become understandable: Technologies that identify trusted applications inside and between clouds and grant them privileged, defined access. Solutions that identify trusted individuals at the edge and do the same. Services that protect endpoint devices and network workloads, and are close to both. And intelligent sentries that examine the flow of traffic inside and among clouds, and between users and clouds, continuously looking for known bad guys or patterns that signify something is not right.
Zero Trust Everywhere as a Service
Security is a boardroom-level priority because data breaches can be utterly catastrophic. Networks, apps, and users are now massively distributed, and the traditional perimeter no longer exists. Organizations need to rethink how they do security and embrace frameworks like the Zero Trust model to enjoy the benefits of modern applications and distributed work without the penalties.