If there were such a thing as a Cyberattack of the Month calendar, most months from the past two years would be filled with some big names: Travelex, the FBI and SolarWinds to name a few.
It’s not hard to see why. According to a McKinsey survey of executives, businesses “accelerated the digitization of their customer and supply-chain interactions and their internal operations by three to four years. And the share of digital or digitally enabled products in their portfolios has accelerated by seven years!”
Projects once deployed over years are now being deployed in days, enabling businesses to continue operations without disruption. At the same time, employees have been sent home to work en masse — with corporate devices occasionally being used by family members or personal devices being used for work activity, often on unsecured home networks — introducing new risks into corporate infrastructure.
So, how do you secure an elastic perimeter that’s being stretched thin while nation-states and criminal organizations, sensing blood in the water, ramp up attacks?
Now’s the precise time for organizations to take a new look at their legacy security infrastructure and multiple point products and re-think their security strategy. Post-pandemic, does it still make sense?
Enter the zero-trust security architecture.
Think of zero-trust as “real trust”
According to one analyst, post-pandemic, the global zero trust security market size is projected to grow from $19.6 billion in 2020 to $51.6 billion by 2026, a compound annual growth rate (CAGR) of 17.4%, well above the industry average.
In fact, IT leaders are increasingly adopting the zero-trust framework for their network architectures, but the concept comes with some challenges. First, zero-trust isn’t a “thing,” it’s an idea that, to some, has “Orwellian” overtones that lead to raided suspicions about everyone touching your network. It’s a mindset that, for the uninitiated, may complicate efforts to successfully sell and implement zero-trust into your or your customer’s environment.
If this is a hesitation issue for your clients and their stakeholders, consider this: If someone knocks on their door and there’s a level of unfamiliarity, would they let them in? Probably not. They’d ask for an identity to create “real trust” before allowing them to enter.
In addition, the network perimeter is no longer a “thing” either. Where walls were once put up around rooms and then buildings and then networks, zero-trust no longer presumes that anyone or anything within the perimeter is safe. For networks, endpoints, applications and users, trust must be granted — and even then, only after proper verification.
Overcome challenges with a holistic approach
The other challenges are strategic. In 2011, Forrester developed the zero-trust model and, in 2013, said that point solutions must die. Yet, in 2022c, we are still wrangling with an untold number of point solutions and wringing our hands over zero trust.
The truth is, there is no silver bullet. Zero trust requires a consolidated and holistic architecture that integrates a range of security functions and point solutions, along with analytics, automation and orchestration. It eliminates management and implementation complexity — and the security vulnerabilities that result from a mix-and-match approach.
Zero trust incorporates these tenets from the World Economic Forum:
- Be consistent on how you authenticate and authorize any users and digital resources, whether inside or outside the organization, and apply just-in-time access to authenticate requests at the time they’re made.
- Secure all communications regardless of the network location to ensure that the data being carried always remains protected.
- Apply access based on the principle of least privilege to ensure that only the access needed is provided and only for the duration of the request.
- Monitor and verify the security posture and integrity of all digital resources, including personal devices, to help improve access decisions.
- Always refer to the guiding principles of “Never trust, always verify” and “assume breach” to prevent or minimize the damage caused by a data breach or cyberattack.
As managed services providers jumped in to help save the day for many businesses in the wake of the pandemic, they will also be the ones to help organizations modernize their security efforts. With a continuing shortage of IT professionals overall — which is particularly salient for security and cloud professionals — your role as an MSP is that much more important now.