Why zero trust is the way forward
Organizations worldwide continue to grapple with cyber security challenges as the pace of digital transformation, fast-evolving business models, remote work and increasingly complex partner ecosystems unleash new opportunities for cyber attacks.
Traditional cyber security approaches relying on security ‘at the perimeter’ were adequate in a world where data and its users resided within specific, well-defined locations. With physical boundaries disappearing — and with increasingly sophisticated cyber criminals using ransomware and other destructive malware to target organizations — conventional cyber security approaches are being rendered obsolete, ultimately driving the need for modern solutions to protect critical assets and information.
More and more businesses are wisely turning to a zero trust mindset to restructure their cyber defenses.
What is zero trust?
A zero trust approach puts user identity, access management and data at the heart of cyber security. It is an evolutionary cyber security approach and model that has been developing in response to the ever-expanding threat landscape.
Zero trust is not a technology solution but a model and approach that requires a mindset shift based on three key principles: assume nothing, check everything and limit access. Zero trust relies on an identity-aware, context-driven and data-centric approach to cyber security strategy and operations. With user identity and data value as its key components, zero trust enables secure access to data and resources via strong identity management, modern software-defined networks, continuous monitoring and advanced analytics.
No one either inside or outside the enterprise network is automatically trusted — every user must prove their identity to gain access. Within the zero trust framework, even with valid username and password credentials, users are denied access to the system if their device has not been validated or the required trust level is not met.
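The access decision described above can be sketched as a small policy decision function. This is an added example, not code from KPMG or from any product. The resource names, roles, signal weights and trust thresholds are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy: minimum trust level and permitted actions per resource and role.
# Resource names, roles, thresholds and signal weights are assumptions for illustration.
POLICY = {
    "hr-records": {"min_trust": 80, "roles": {"hr-analyst": {"read"}}},
    "wiki":       {"min_trust": 40, "roles": {"hr-analyst": {"read", "write"},
                                              "contractor": {"read"}}},
}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    credentials_valid: bool   # username/password verified by the identity provider
    mfa_passed: bool
    device_validated: bool    # device is in the inventory and passed posture checks
    known_location: bool
    resource: str
    action: str

def trust_level(req: Request) -> int:
    """Score context signals; location is one weak signal, never sufficient alone."""
    score = 40 if req.credentials_valid else 0
    score += 30 if req.mfa_passed else 0
    score += 20 if req.device_validated else 0
    score += 10 if req.known_location else 0
    return score

def decide(req: Request) -> tuple[bool, str]:
    """Evaluate each request from scratch; anything not explicitly allowed is denied."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "no policy for resource"          # assume nothing
    if not req.credentials_valid:
        return False, "identity not proven"             # check everything
    if not req.device_validated:
        return False, "device not validated"
    level = trust_level(req)
    if level < rule["min_trust"]:
        return False, f"trust level {level} below required {rule['min_trust']}"
    if req.action not in rule["roles"].get(req.role, set()):
        return False, "action not permitted for role"   # limit access
    return True, "allowed"
```

The same user with the same password gets different answers depending on device state, context and the sensitivity of the resource requested.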
Zero trust is different from previous approaches to IT security. Today’s hyperconnected world has broken down traditional perimeters — enabling the fluid movement of data beyond organizational boundaries as multiple parties and devices access business data and systems from anywhere in the world. Add to this dynamic environment 5G technology, edge computing and hundreds of millions of emerging IoT devices and it becomes clear that conventional security approaches are fast becoming outdated and increasingly inadequate.
Businesses are waking up to a new reality of threats
While many businesses may not realize just how exposed they are to today’s cyber threats, an increasing number are showing a new sense of urgency in adopting a zero trust model.
By 2025, damages resulting from global cybercrimes are expected to reach close to US$1 trillion annually. Primary drivers prompting more businesses to wisely pursue the zero trust model for enhanced security include ongoing digital transformation that is revolutionizing business models and workforces, the proliferation of cloud-based services, and today’s increasingly complex supply chain networks.
Also accelerating adoption is geopolitical instability — including the ongoing conflict between Russia and Ukraine. As the geopolitical landscape continues to evolve and tensions increase, organizations may be required to implement stronger, yet more flexible access controls should a quick disassociation be required. Such instability could also further exacerbate supply chain disruptions, with organizations being required to change suppliers at short notice. All of this points towards a more flexible and adaptive model such as zero trust. Also not to be underestimated is the impact of Section 3 of the 12 May 2021 US executive order requiring the federal government and associated agencies to adopt a zero trust architecture.
As the pursuit of the zero trust framework gains momentum, it is crucial that CISOs and CIOs work towards implementing organization-wide zero trust architectures that align with their operating priorities, risk management needs and technology capabilities.
In the race to better understand and manage today’s ongoing cyber threats, zero trust puts businesses in a predictive and proactive mode, providing timely context-based analysis, insights and automated responses to potential attacks. With a zero trust approach, companies build an end-to-end cyber security approach that is ‘perimeter-less’ — providing protection for every aspect of the ecosystem, including assets, workloads and other resources.
A key requirement for zero trust is that the enterprise consistently collects, inspects and analyzes traffic across its entire ecosystem, ensuring maximum real-time visibility into both the data that users can access and the potential for malicious activity.
In addition to zero trust, businesses are looking to bolster security using the Secure Access Service Edge (SASE) approach, minimizing complexity among remote users by replacing data centers with internet-first network security, rather than relying on traditional technologies such as Multi-Protocol Label Switching (MPLS). Similar to zero trust, SASE aims to maximize cyber security via a layered and unified system of security measures and a software-defined network on traditional network infrastructure. Zero trust and SASE can work together to significantly enhance an organization’s cyber security posture and more businesses are taking this approach.
Zero trust is a journey that continues to evolve
Make no mistake — organizations can no longer simply trust user identities, devices, workloads, networks or data. Zero trust is about knowing where your data is and controlling access to it via strong identity management, advanced analytics and a device inventory. KPMG’s zero trust model, anchored in NIST 800-207 (Zero Trust architecture — 5 pillars), provides an enterprise-wide focus on each client organization’s unique cyber security capabilities and needs related to architecture, risk awareness and management, governance and compliance. Implementing it helps organizations be better positioned to detect unusual behavior and prevent communication with unauthorized apps, servers and accounts.
Courtesy KPMG