2023: The Year for a True Zero Trust Architecture (and Mindset).
Zero Trust started as a philosophy a decade ago as an alternative to network-based perimeter security, and now it is the hottest term in the industry. However, merely debating about ‘Zero Trust’ won’t make it happen. Zero Trust in modern enterprises is still a scattered puzzle rather than a sustainable architecture that lacks a unified foundation essential to turn this conceptuality into reality.
The 2022 identity-centric cyberattacks (Okta, Uber, Cisco, and many more) emphasized why, in 2023, Zero Trust Architecture (ZTA) could no longer be a hesitant webinar topic but a substance security standard for every organization in the modern era.
The Zero Trust model is being embraced globally to combat the ever-escalating threat landscape. Okta’s latest ‘State of Zero Trust’ report found that 97% of companies either have a Zero Trust initiative in place or will have one in the next 12-18 months.
Zero Trust is becoming one of the most reliable and adopted digital security frameworks as more businesses implement its principles to eliminate business risks, reduce complexities and costs, and enable overall organizational stability, productivity, and growth.
However, despite the increasing adoption, 63% of organizations face gaps in their Zero Trust initiatives, struggling to operationalize Zero Trust and implement its principles and practices constantly and comprehensively.
The Evolution of Zero Trust
The traditional site-centric “moat-and-castle” architecture for security goes back to the early ’90s when the main challenge was to connect between sites without worrying too much about security breaches. During these years, different security tools, such as FW, NAC, IPS, and many others, were gradually introduced to layer this approach, resulting in a Defense-in-Depth (DID) security framework.
However, with innovation, digital transformation, and cloud migrations, cyberattacks increasingly became a global threat. In fact, cybercrimes are now anticipated to cost the world $10.5 trillion annually by 2025.
The evolving global threat sparked Forrester’s analyst John Kindervag, back in 2010, to prophesize a novel notion for security called “Zero Trust” — a radically different identity-centric approach to information security.
During this decade, the massive expansion of work-from-anywhere, multi-cloud, and SaaS applications dramatically expanded organizations’ attack surface and business risks. Unsurprisingly that resulted in devastating cyberattacks, which has urged the need for Kindervag’s approach and driven the final nail in the coffin of the traditional 30-year-old perimeter architecture.
Then in late 2019, Gartner came out with the SASE (Secured Access Service Edge) concept, which converges organizations’ networking and security into a single, cloud-delivered service model that includes Zero Trust Network Access (ZTNA) as one of its core elements.
In 2020, NIST published SP 800-207 as a unified framework, introducing a fundamental shift into a new identity-centric era called ‘Zero Trust’.
After at least 2,354 ransomware attacks on local governments, healthcare facilities, and schools in the United States in May 2021, the Biden administration published an Executive Order on improving the Nation’s Cybersecurity (EO #14028), which mandated the adoption of Zero Trust principles for all agencies by 2024.
It triggered a wave of change, potentially affecting 1 Billion users globally, enthroning Zero Trust to be the future of cybersecurity. Recently the DoD released a Zero Trust strategy guide seeking to unify efforts to achieve a robust defensive posture against adversaries.
What is Zero Trust Architecture (ZTA)?
In order to understand what Zero Trust Architecture is, it is essential to clarify what it is not. Zero Trust cannot simply be adopted by implementing new technology, nor is it a point product or service you can go out and buy.
Zero Trust is a security strategy that proposes to secure an organization’s DAAS (Data, Applications, Assets, and Services) by eliminating implicit trust and by continuously (and proactively) validating EVERY digital interaction or transaction at all stages.
Rooted in the principle of “never trust, always verify,” Zero Trust is designed to comprehensively protect modern organizations by effectively enforcing its three basic principles:
1) Explicit Verification – Verifying explicitly every(!) single digital Interaction or transaction.
2) Least Privilege Access – Limiting access for every identity only to the absolutely necessary privileges to do their job.
3) Assume Breach – Assume that every identity has already been breached.
Why 2023 Must be the Year of ZTA
IBM researchers warned recently that cyber attackers are devising new techniques to exploit innovative controls such as MFA and EDR, making 2023 a highly challenging year for security teams and security leaders.
In 2022 it wasn’t just the recent Uber breach in which the victim’s MFA was compromised; at the core of the vast majority of cyber incidents was the theft and abuse of legitimate credentials. 80% of the attacks leveraged some form of identities and credentials to gain initial access, move laterally, and eventually exfiltrate or encrypt sensitive data.
According to Accenture, in 2023, we expect to see more tactics that involve legitimate access to a corporate network that no longer involves deploying malware. The focus will be on living-off-the-land techniques to exploit what is already available in the victim’s environment.
Once considered a ‘silver bullet’ in the fight against credential abuse, it hasn’t taken attackers long to bypass identity-centric ‘Zero Trust’ controls such as MFA, and they will focus on doing so in 2023. Current Zero Trust postures rely on fragmented and tactical elements such as ZTNA, MFA, Device health, and more, but they are seen as a stand-alone ‘set and forget’ solution.
Blindspots around accessibility, privilege, and usability continue to be amplified by increases in the ever-expanding XaaS estate (Cloud infra, SaaS, PaaS, and more). Today and in the future, point Zero Trust controls such as MFA, EDR, and more should be viewed as one component of a broader zero trust architecture, where behavior-based analytics is central to understanding identities’ behavior and authenticating the actions taken using certain credentials. A true holistic ZTA is the ultimate solution for all today’s challenges.
ZTA is a purposed-built comprehensive security ecosystem that harmonically and agilely adapts to the business according to risks-based parameters to deliver the best cybersecurity mesh to gain constant resilience against today’s sophisticated and multi-layer cyberattacks. 2022 urged the need more than ever – to implement ZTA holistically, but most importantly, maintain it constantly to work altogether.
The Benefits of a ZTA
Zero Trust delivers significant security improvements and reduces costs and complexity while providing more peace of mind for business and IT leaders, cybersecurity teams, and end users. Below listed are some of the benefits of implementing a ZTA comprehensively:
- Reduced Business Risks
- Zero Trust security reduces the risk of a data breach by 50%.
- Reduces the attack surface by up to 150%.
- Minimizes the likelihood of regulatory fines and compliance breaches.
- Reduced Costs and Complexity
- Accelerates and enables security vendor consolidation.
- Reduction of the resources required for audit and compliance management by 25%, saving over $2M.
- Reduction in spending on legacy software and infrastructure by over $7 million. The composite organization saves $20 per employee per month by eliminating now-redundant security solutions, including endpoint management, antivirus, and antimalware solutions.
- It enables the transition from CAPEX to OPEX-reducing the need for enterprises to acquire additional Hardware.
- Improved Workforce Productivity & Experience
- Increases the efficiency of security teams by 50%.
- Accelerates the process of setting up end users on new devices by 75%.
- Reduction in effort required to provision and secure new infrastructure by 80%.
- Load reduction of security and IAM-related help desk calls by 50%.
- It makes it easy for frontline workers to gain access to business-critical applications and systems of record – saving more than three business days per year.
How to Get Started with ZTA?
When designing a ZTA, your security and IT teams should first focus on answering two questions:
- What are you trying to protect?
- From whom are you trying to protect it?
This strategy will inform the way you design your architecture. Following that, the most effective approach is to layer technologies and processes on top of your strategy, not the other way around.
Mesh Security is the industry’s first complete Zero Trust Posture Management (ZTPM) SaaS platform, a single source of truth that enables companies to implement and monitor a unified ZTA on top of their existing stack. Without using agents, Mesh seamlessly maps a company’s entire cloud XaaS estate in minutes, providing comprehensive contextual visibility, control, and protection of the ‘Everywhere Enterprise’.
Thanks for this great article
Great Read, Thanks!