The onset of the pandemic threw nearly every industry for a loop, but few sectors saw the core responsibilities of their work immediately expand and diversify as much as cybersecurity professionals. Vast swaths of the global business community transitioned from primarily in-office workforces to widespread remote workingovernight, leaving cybersecurity units little time to adapt to changing risk profiles.
Protecting proprietary data in a remote work environment presents immense challenges for businesses because corporate security platforms have historically depended on employees having access to the company networkat a physical work location. Network-based security perimeters were once quite effective and can even support remote work through virtual private networks, but once a cybercriminal has access to the network, they have access to everything. In today’s world of complex cyberthreats, that standard simply isn’t good enough.
Fortunately, shortly after the pandemic upended security, the National Institute of Standards and Technologyformally announced a new cybersecurity framework built to handle new risks: zero trust architecture. By implementing a zero trust system, businesses can more successfully protect digital assets, support remote work without increasing risk and even enjoy side benefits to business objectives – let’s take a look at how this all comes together.
What is Zero Trust?
Zero trust architecture differs from network-based security systems in several ways. As the NIST puts it, “Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned).” Essentially, zero trust cybersecurity relies on authentication at every step of the process, asking users to verify their identity to access company assets as they do so instead of providing blanket access to all network users. In this way, a more appropriate name for zero trust architecture might be “affirmative trust architecture,” as the system is designed to continuously affirm a user’s trustworthiness – making it much more secure.
The zero trust architecture movement has taken off amid COVID-19, as companies are seeking ways to mitigate risk with workforces scattered everywhere – and far away from networks. As mentioned above, VPNs can enable some remote work, but this technology represents a simple expansion of the existing network. In other words, a cybercriminal could just as easily access all of a company’s data if they can infiltrate a VPN, whereas zero trust architecture would lock a criminal down to only files located at the source of the breach. With these benefits to risk in mind, it comes as little surprise that 87% of organizations plan to implement zero trust architecture in light of the pandemic.
Why Zero Trust?
Analyzing the upside of zero trust architecture should start with the central question: Is it more secure than most companies’ existing cybersecurity systems? And the answer is a resounding yes. For all the reasons discussed above, zero trust meaningfully improves a company’s ability to mitigate cyber risk for workers both at the office and at home. It can also serve the same benefits for governments, as evidenced by the Biden administration’s recent decision to deploy zero trust systems for its agencies by 2024. But the benefits go beyond what executives and leaders might see on the surface.
It’s rare that upping a company’s security can actually save money on the bottom line, but implementing zero trust architecture is one area where this may be true. Zero trust architecture makes it easier for organizations to monitor for and pinpoint data breaches, which saves time and money during risk identification. Another benefit of zero trust is to simplify compliance audits, reducing their scope and thereby cutting unnecessary costs.
In addition, by eliminating reliance on a physical network for data security and user authentication, some companies may be able to fully sell off or reuse real estate currently devoted to maintaining network servers. And by empowering secure remote work, some businesses may reach a point where completely shifting away from physical workspaces is both appropriate and achievable. Not only can this save money on property costs, but it can also open up recruitment for businesses – if you deploy a zero trust system, you can hire the most qualified possible security professional without needing them to relocate to a worksite.
Get Started Today
Zero trust architecture represents a clear upgrade for most companies’ existing security systems, enabling easier risk and compliance strategies without meaningfully increasing costs – and perhaps cutting them in some cases.
Transitioning to a new architecture is hardly as easy as a flip of a switch, but there are clear steps that companies can take right away to inch closer to zero trust. Having recently begun the zero trust journey at Aflac, I can speak personally to the importance of bolstering identity management processes within existing systems, so you know that you’re authorizing the right people at the right time with the access they need. This is a core tenet of the zero trust architecture and a worthwhile first endeavor for companies looking to make the change.
We can’t know everything that sits on the horizon of the post-pandemic business landscape, but we can be certain that cybersecurity will remain of the utmost concern. For that reason, executive leaders across the globe should begin charting a course to the zero trust future.