The traditional working environment of being confined to a desk in a central location evolved to accommodate remote work more than two decades before COVID-19. Since the pandemic, remote work has become common practice for more employees. The new digital workplace means that employees are accessing the corporate network via their home internet or public Wi-Fi, and often using their personal devices to do so. Security protocols must evolve with this change as traditional virtual private network (VPN) solutions can grant too much access and result in an increased attack surface that puts organisations at risk, according to Forescout.
COVID-19 has increased the threat landscape in Australia, with more targeted attacks on organisations from cybercriminals and nation-state groups. As well as remote work, the Internet of Things (IoT), operational technology (OT), and network-enabled smart devices introduce areas of potential compromise for enterprise networks. Businesses must consider the organisational risk of their IT environment, shadow IT, mobile, social and third-party platforms. Security architects need to re-examine the concept of identity in their organisation, with many now turning to a zero trust security model to protect sensitive resources.
Zero trust directly addresses the security challenges that have been amplified by the digital workplace, by applying the concept of ‘never trust; always verify’. Zero trust reduces a company’s attack surface by assuming that anything with access to their data is a potential threat, including users, devices, virtual infrastructure and cloud assets.
Steve Hunter, senior director, system engineering Asia Pacific & Japan, Forescout, said, “As businesses move away from managing corporate applications and networks on premise, the level of direct management control is reduced. Zero trust requires everything to be verified before a user accesses corporate data. To achieve this, everything in the digital world must have an identity including people, devices, channels, and hosting models. Gaining a full understanding of all IoT and OT systems on the network lets businesses make context-based segmentation decisions to reduce risk without overly impacting availability.”
Forescout has identified five business benefits of zero trust:
1. Improves visibility
To manage and control everything on the network, visibility is essential. A zero trust strategy aims to discover and classify all devices on the network, not just those that are operational or have endpoint agents installed.
2. Reduces CAPEX and OPEX
Improved security outcomes are often associated with increased cost and difficulty, known as ‘expense in depth’. A zero trust approach lets businesses consolidate multiple security controls across the network, reducing overall capital expenditure (CAPEX) and operating expenses (OPEX). Additionally, zero trust further reduces OPEX by simplifying security management, because it reduces the number of management consoles the network needs.
3. Reduces scope and cost of compliance
Zero trust networks are inherently segmented, therefore reducing the scope of regulations and compliance audits. This is because only the required network segment is in scope for regulations once it has been segmented. A segmented network makes auditing less complex and reduces the overall cost of compliance.
4. Supports more cohesive IT issue resolution
IT specialists across networks, operations, storage and security each have their own unique set of priorities. When incidents such as network outages occur, the inherent visibility and transparency that zero trust networks afford helps IT specialists work more cohesively to resolve the issue. This helps the organisation recover more quickly, reducing the time and cost associated with network downtime.
5. Enables digital business transformation
The segmented reality of a zero trust network means that security teams can support the introduction of new services with the necessary privileges and data protection, without hindering existing business and employee productivity. This means IT teams can confidently increase the adoption of IoT devices as zero trust reduces the IoT attack surface.
Steve Hunter said, “The workforce is digital. Security and risk professionals must rethink the concept of identity and should expand their zero trust initiatives to include all devices to provide maximum visibility, leading to improved operational control and network security. However, businesses looking to adopt a zero trust approach should do so in phases to reduce business disruption during this process.”