Zero trust is the best way to ensure business security by default
As companies move to hybrid IT, they are discovering that traditional approaches to identity and access management can’t keep up.
In the race to transform digitally, businesses are taking on mobile devices, machine learning, and new, more agile ways of developing, deploying, and managing applications. Never before have businesses had to deal with technological change of this magnitude.
The shift isn’t just about mobile applications and innovative new features. The changes extend to the core of the business, with new microservice and cloud platforms that work alongside older, static systems. “This creates a lot of challenges when it comes to managing systems across the enterprise, especially when it comes to security and access management,” says Scott Crawford, information security research director at 451 Research, which is a member of S&P Global Market Intelligence. What can companies do to ensure that users and systems only connect to the correct systems and information?
There is no simple answer. With the increasing connectivity and dynamic nature of computing that spans disparate cloud platforms, microservices, cloud-based services and software components, how companies determine whether they can trust systems or users to connect to a particular resource at any given moment has become a difficult question. When can a user be trusted to carry out an action? And, with increasing automation, when can a server, workload or other software element be trusted to communicate between cloud systems and traditional on-premises systems?
More companies are moving towards zero trust. Zero trust can be described as a philosophy-based approach to identity and access management. It establishes that no user or software action is trusted by default. That is, authenticate every single thing. Zero trust requires that all devices, users and applications prove that they are who or what they claim to be and that they have the right to access the resources they request.
Companies are investing in tools and solutions that enable zero trust. According to Markets and Markets, the zero-trust market could reach $39 billion by 2024, up from $16 billion in 2019, an annual growth rate of 20%.
Traditional identity management isn’t enough.
In modern microservice and multi-cloud environments, the traditional method of authenticating once and trusting forever no longer works. At any time, new workloads or software services could call upon any resource to complete a job. “In non-zero-trust environments, once a user or device was inside, connectivity between resources was trusted,” says Colin I’Anson, a Hewlett Packard Enterprise expert. “Now, with zero trust, we’re not willing to do that. We want to authenticate in real time and to a much more granular level, and to access, any workload or functionality entities have to prove who they are.”
What is the best way to achieve zero trust? Enterprises need to authenticate their workers, users and data, and continuously monitor access for suspicious activity.
That’s much easier said than done in modern businesses with hybrid and dynamic architectures. One of the most important steps toward zero trust between systems and users is to automate and standardize zero-trust authentication procedures wherever possible. This is ideal for cloud-based environments.
Zero trust doesn’t mean installing one or another network or security technology. It’s a completely new approach to security architecture.
Consider HPE’s recent purchase of zero-trust company Scytale. Scytale started a series of initiatives to unify access control for complex hybrid environments. The first project, SPIFFE (Secure Production Identity Framework for Everybody), is a set of standards specifications that also define an API for establishing trust between systems and workloads. Because it is API-based rather than reliant on traditional key generation and distribution procedures, SPIFFE’s attestation and authentication process can be completely automated.
“SPIFFE puts in place the underpinnings for enterprises to utilize existing on-premises service authentication protocols [such as Kerberos and OAuth] with workloads running upon increasingly dynamic computing platforms, including cloud and containers,” states Sunil James, former Scytale CEO and now the senior director at HPE.
The second Scytale initiative is SPIRE, the first software implementation of SPIFFE. SPIRE’s components can be integrated with middleware providers, call layers, and hardware trust mechanisms such as trusted platform modules and hardware security modules. SPIRE can be used with any type of workload, whether on Azure, Kubernetes, or an application running within the datacenter. “This enables a finer level of authentication, right down to the specific action of a user or workload that is requested,” I’Anson says.
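The contrast drawn above between "authenticate once and trust forever" and proving identity on every request can be shown in a few lines. This is an added example, not code from HPE, Scytale, SPIFFE or SPIRE: the HMAC key, the policy table and the function names are assumptions, and a shared-key MAC stands in for the X.509 or JWT identity documents that SPIFFE workloads actually present.

```python
import hashlib
import hmac
import re
import time

# Constructed demo key (assumption): stands in for the issuer's signing material.
ISSUER_KEY = b"constructed-demo-key"
# Simplified shape check for a workload identity URI, not the full SPIFFE ID grammar.
SPIFFE_ID = re.compile(r"spiffe://[a-z0-9._-]+(/[A-Za-z0-9._-]+)+")
# Hypothetical default-deny policy: only listed (identity, action, resource) triples pass.
POLICY = {("spiffe://example.org/billing/api", "read", "orders-db")}

def _mac(body):
    return hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue(spiffe_id, ttl=300, now=None):
    """Mint a short-lived identity document of the form id|expiry|mac."""
    exp = int((time.time() if now is None else now) + ttl)
    body = f"{spiffe_id}|{exp}"
    return f"{body}|{_mac(body)}"

def authorize(doc, action, resource, now=None):
    """Run on EVERY request: verify the document, then check the policy."""
    now = time.time() if now is None else now
    try:
        spiffe_id, exp, mac = doc.split("|")
        exp = int(exp)
    except ValueError:
        return False, "malformed"
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(mac.encode(), _mac(f"{spiffe_id}|{exp}").encode()):
        return False, "bad signature"
    if not SPIFFE_ID.fullmatch(spiffe_id):
        return False, "bad identity"
    if now >= exp:
        return False, "expired"  # no "trust forever": identity must be renewed
    if (spiffe_id, action, resource) not in POLICY:
        return False, "not permitted"  # valid identity alone grants nothing
    return True, "ok"
```

A caller holding a valid document is still refused for any action or resource the policy does not list, and refused outright once the document expires.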
Zero trust is a solution to real-world business issues
The claimed benefits of zero trust wouldn’t matter much if it didn’t solve urgent business issues. Advocates say zero trust doesn’t just enhance security; more importantly, it improves security cost-effectively and makes security as flexible and adaptable as the changing technological requirements of the environment.
Because zero trust tries to determine what users want to do and applies the appropriate security policies based on the context in which an action takes place, it can also improve the user experience. “Zero-trust frameworks help enterprises get their security hands around an increasingly dynamic enterprise IT environment while simultaneously improving the user experience of their infrastructure, security, networking, and software engineers,” James says.
If zero-trust attributes are documented and automated, the zero-trust system can easily scale to modern microservice and cloud architectures. Although it’s simpler to set up a zero-trust architecture in a completely cloud-based environment, that isn’t essential. Zero trust in existing environments is still possible.
Effective zero trust implementations
“There are many discussions among our customers about what zero trust means to them and how to best implement it,” says Simon Leech, senior adviser for the global Security and Risk Management practice of HPE Pointnext Services. “But you want this discussion to be business led more than technology led. Zero trust is not about implementing one or another security or networking technology. It’s a completely new approach to the way you do security architecture,” Leech states.
“Taking a new approach to security architecture is going to require a very good understanding of your current state of operations and what your future state of operations will be, and build a business plan or business case from there,” Leech suggests.
James says the first step should be to determine where the company currently stands. “You need to first baseline your current state of operations, and you need to understand where you want to go,” James states. “Then you need to build your business case to be able to get yourself there.”
While thinking about identity in terms of granular user access and dynamic workloads might seem overwhelming for identity management, Crawford says it’s worth taking the time to think it through for the long term. “How broad do you want this access to be? How narrowly defined does it have to be for a given target? What do you have to consider for things like regulatory requirements as far as who has access to what types of assets? Bringing identity and access management to this level will help to improve security and provide a better experience for everyone,” Crawford explains.
“It does take some upfront work to get the most out of zero trust,” says I’Anson. The good news is that existing investments in identity management, and the maturity of those programs, can help in the transition. “The more mature the existing identity management program, the easier the move to zero trust will be,” I’Anson says. “You can use existing LDAP implementations as a starting point because they already establish a good initial foundation of roles and identities.”
The next stage is to identify the business cases where an implementation can succeed. “One of the key things about zero trust is that it’s not attained by flipping a switch suddenly. You can come to zero trust by taking it step by step,” says I’Anson. “You build a business case, which could be a business unit or certain domain, and introduce zero trust that way.”
James agrees. “Spot potential quick wins and their associated use cases when implementing zero trust. Design and build a flexible architecture that can deliver value across those use cases,” James states. “Doing so delivers a stronger foundation that you can build upon rather than simply piecing together ad hoc components and technologies.”
This is why it’s essential to establish a common zero trust policy. “If you standardize, in two years, you won’t have five different approaches to zero trust spread throughout your organization, much of which probably won’t work together and won’t provide value,” James states.
When it comes to initial security, Crawford advises organizations to make use of the authentication options available. “We’re seeing increased availability of what not that long ago would have been very sophisticated techniques for access control, including biometric authentication that comes packaged with a lot of commodity consumer endpoint technology. Take advantage of these authentication methods,” Crawford advises.
As businesses race ahead in the digital transformation process, they’re taking advantage of diverse technologies to achieve success, including cloud computing, containers, machine learning, microservices and mobility, among others. If they’re to succeed in that race, they’ll need an approach to managing identity and authentication that’s as flexible, agile and intelligent as the environments they’re creating. Zero trust is a possible strategy.
Zero trust: Leaders can learn from the mistakes of others
- Committing to zero trust requires a commitment to implement and maintain identity and access management at a more granular level.
- Security decisions are far too important to make without considering the identity and access rights of whoever is making the request.
- Before making the switch to zero-trust technology, organizations must establish the business case to ensure that all business units are on board.