As perimeters of corporate networks blur, a new approach brings clarity to thwarting cyber attacks.
Companies now spend an abundance of time, energy, and dollars building trust with their various stakeholders—except, that is, when it comes to those accessing their computer networks. The goal there is to thwart cyber attackers, especially as they become ever-more sophisticated. And that requires erasing implicit trust from internal networks.
To get there, the familiar “trust, but verify” approach is being supplanted by “never trust, always verify” as expressed through a “Zero Trust” security framework, with a starting assumption that all network traffic, no matter its pedigree, may be malicious. The aim: restrict network access for all users and devices, apply security controls that hide applications not required by the user, and authenticate and continuously validate identities. The ultimate goal is to enforce a risk-based and contextually aware access control posture for all network connections to corporate applications and data, whether hosted on premise or in the cloud.
The Zero Trust concept represents a dramatic shift from the castle-and-moat approach, which focuses on fortifying the perimeter to deter outsiders from accessing corporate data, while implicitly trusting insiders. In the past, IT infrastructures had well-defined perimeters. But those boundaries have grown blurry as a result of evolving business models, shifting workforce dynamics, and complex and hyper-connected IT environments. Companies have migrated their applications from data centers to the public cloud, with endpoints expanding to include mobile devices, bring your own device (BYOD) technologies, and a proliferation of web-enabled smart devices (e.g., Internet of Things [ IoT]). Far from contained, the modern technology ecosphere can look dangerously ubiquitous.
CFOs can calculate the potential costs of not investing in Zero Trust. The average cost of a data breach has reached $4.24 million, an increase of nearly 10% over last year, according to a recent study.1 In instances where higher levels of remote work were a contributing factor, that cost rose to $4.96 million. High-profile ransomware threats that effectively lock users out of their own systems and demand hefty payments before giving them the key (or not) have drawn attention to the costly reputational—and possibly legal—ramifications of a cyber breach. Supply chain infrastructures, targeted through third-party software and service providers, have also been victimized. Moreover, the pandemic has likely increased finance leaders’ awareness of the cost of business disruptions, while having to equip a remote workforce highlighted the need to modernize their capabilities for enabling secure remote access.