What is Zero Trust?
Herbert Hannah
Chief Executive Officer, ibm/SEIMless Communications Technologies, Inc.
Whether it’s large-scale breaches of customer information, insecure email sharing or misconfigured or exposed cloud services that expose your company’s intellectual property (IP), there’s a growing need for a Zero-Trust strategy that includes data protection. This trend will continue as cloud computing and integrations like IoT become more widespread.
According to 2019’s Internet Trends report, more data is now stored in the cloud than on private enterprise servers or consumer devices—but fewer than one in 10 cloud providers encrypt data at rest within their service. Similarly, one recent study found that roughly one in three networks has exposed passwords, while three in four have poor control over account access.
It’s become increasingly clear that network security, while valuable, no longer provides enough protection for sensitive data, and it does not account for internal threats. Zero Trust is well positioned to address this gap because it assumes that your network security is insufficient.
What is Zero Trust?
There are many definitions, sometimes conflicting, of Zero Trust. Put simply, Zero-Trust security is exactly what it sounds like: it’s a policy of maintaining zero trust toward all users, providers and network traffic—even those inside the network.
It’s not, however, a set of specific tools or a type of security technology. It is a cybersecurity strategy—a mindset that serves as the foundation of modern security. Under Zero-Trust policies, you take network breach as a given and assume that all activity is malicious. Zero Trust asks: how do I best protect my assets if I can’t trust the network itself?
Zero Trust operates under the guiding principle “never trust, always verify.” All users, platform providers and network traffic are treated as potential threats, so additional measures are needed to mitigate risk.
Simply put, Zero Trust means that only the content creator and authorized recipient have access to the sensitive content.
What is a Zero Trust Network?
Traditional network security relies on a secure perimeter. Anything inside the perimeter is trusted, and anything outside the perimeter is not. A Zero Trust network treats all traffic as untrusted, restricting access to secure business data and sensitive resources as much as possible to reduce the risk and mitigate the damage of breaches.
Zero Trust Network Security: The Basics
Companies were protecting computers with a type of perimeter security well before they were networked together. Companies with mainframes could protect them simply by controlling who had access to the room where they were installed. Once they authenticated a user (i.e. made sure they had the right to be there), they could trust them with access to data, programs, and so on.
As organizations began to connect networks, they began to use increasingly sophisticated techniques to control access. Logins and passwords could hold users accountable for their actions on early computer networks, which connected government and academic researchers. However, it soon became obvious that computers were vulnerable to attack. Engineers developed firewalls to filter traffic entering and exiting networks, multi-factor authentication, and other corporate security tactics to keep unauthorized users out.
But perimeter security is no longer sufficient in the cloud age, because networks are fluid. If you log into a corporate network on your phone, for example, your traffic goes through a cell tower or WiFi and multiple servers before it reaches the network. If one of those servers is compromised, your phone has a virus or malicious app, or an attacker has access to your WiFi, your perimeter security could let them in with you.
A Zero Trust network mitigates this risk by treating all network traffic as untrusted. Bad guys can’t just slip past the guards and have free rein — they’re subject to rigorous network security every step of the way.
Benefits of Zero Trust
1. It’s a framework to guide security resource allocation.
The vast majority of companies are aware of the need for increased security. Zero Trust provides a framework for security updates and modernization efforts, helping you prioritize which steps are most essential and build in more data-centric protection.
2. You can monitor all your data and log detailed user activity.
Zero Trust requires granular visibility. So, implementing a Zero-Trust framework does more than increase security; it also aids your data management and accessibility efforts by providing the visibility into connected endpoints and networks that 40% of organizations lack.
To establish Zero-Trust policies, you first need to identify and catalog:
Where all your data currently resides.
What protection that data currently has.
Who has access privileges for that data—and whether they should.
Which devices can see the data.
Who is actually accessing that information.
From there, you can create a risk assessment for your data and increase security as needed. In other words, by adopting Zero-Trust security methods, you will by default audit your current data practices and establish the most important next steps. You’ll also identify user activity around that data and restrict it if necessary. This increased awareness and better management policies are an invaluable benefit of the Zero-Trust approach.
3. It enables cloud efficiency without increased risk.
Despite the risks, the cloud is far more efficient for collaboration and dynamic user bases. Zero Trust helps you capture the benefits of the cloud without exposing your organization to additional risk. For example, when encryption (such as PIET’s) is used in cloud environments, attackers usually go after access to the keys rather than trying to break the encryption itself, so key management is of paramount importance.
For instance, even if a cloud provider offers end-to-end encryption, they may also maintain and have access to the keys, which still requires a level of external trust. A Zero-Trust approach to key management would instead require that an organization manage its own keys, preventing third-party cloud provider access.
4. It’s a low-cost, high-value shift.
There is a misconception that a shift to Zero Trust is a significant burden on your resources because it requires removing older infrastructure. So, it’s no wonder that most organizations don’t adopt this strategy because of the perceived costs involved. However, Zero Trust helps decrease your risk—and your worries—without significant technology costs. This is especially relevant for companies that struggle with legacy IT systems, built without much security and granular access control inside the network.
By starting with your most sensitive data, you can prioritize your security updates with simple steps such as segmenting your valuable information and applications. A focus on protecting your most critical data first helps make a shift to Zero Trust more attainable, in terms of both cost and time.
This approach—the “crawl, walk, run” style of Zero-Trust security—means that you’ll be able to limit or spread out your investment into new technology. Rather than purchasing an entirely new security system for all of your data, you can enhance your old systems with new processes and tools.
Zero Trust and Email Encryption
Enterprises generally deploy email protection solutions to meet three important requirements: regulatory compliance, corporate privacy, and surveillance prevention. Any modern enterprise will have critical data, whether it’s personally identifiable information (PII), protected health information (PHI), or intellectual property, that they need to share with trusted collaborators while keeping it shielded from unauthorized third parties. Zero Trust security enables this by separating email content from the keys that secure it while encrypting the data end to end, so that only the initial creator and intended consumer have access.
Portal-based encryption solutions don’t meet these requirements. Portals rely on transport layer security (TLS), which protects the network connections over which emails travel but not the data itself, so the content may be exposed at many points along the way to its recipients. Enterprise data can also be exposed to the portal vendor itself. Though portal vendors will encrypt data at rest in their systems, they also hold the encryption keys, which means an attack that compromises the legacy vendor’s network makes your data more vulnerable. And even with TLS, your data is still vulnerable at several points throughout its lifecycle.
Without a Zero Trust network in place, portal solutions also come up short on key regulatory requirements and leave the enterprise open to unauthorized government surveillance. Agencies can subpoena the cloud provider and/or the portal vendor without informing the enterprise, getting access to private corporate data without consent.
How to Implement a Zero Trust Model
So how do you start this process and adopt the Zero-Trust model? Here’s a breakdown of the key steps:
Audit your data assets.
Identify data most in need of additional security.
Limit user access, starting with the highest-risk data.
Once the Zero-Trust model is ingrained in your system and fully adopted by your IT department, you can begin augmenting your security with identity and device technologies that will enable better access decision-making. Data-level encryption services that include granular access control are the pinnacle of Zero-Trust security because they shrink security perimeters to the micro-level, wrapping each data object in its own security.
From there, you can begin to move beyond Zero Trust and upgrade your protection to the next level: Zero Knowledge. Zero Knowledge removes trust even from your security or platform providers by separating your encryption keys from the encrypted data. For instance, if your email provider can access your encrypted email content, but a service like PIET manages your encryption keys at layers 2, 3, and 4, neither provider can see your data. You’ll capture all the benefits of cloud technology while being secure in the knowledge that only the right users can access your data.
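The following is an added illustration (not PIET’s code, and not from the original article) of the two models described above: the portal model, where the provider stores both ciphertext and keys, versus the Zero Knowledge split, where the email provider holds only sealed objects and a separate key service holds per-object keys and the recipient list. It uses only the Python standard library, so an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for AES-GCM; all names, the message id and the message body are constructed for the example.

```python
import hmac, hashlib, os

def _keystream(key, nonce, length):
    # PRF counter mode: HMAC-SHA256 stands in for AES (stdlib-only illustration)
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt_object(dek, plaintext):
    # Encrypt-then-MAC; the sealed data object is nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(dek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(dek, nonce + ct, hashlib.sha256).digest()

def decrypt_object(dek, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(dek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(dek, nonce, len(ct))))

class EmailProvider:
    """Stores sealed objects; in the portal model it also keeps each object's key."""
    def __init__(self, holds_keys):
        self.holds_keys, self.store = holds_keys, {}

class KeyService:
    """Holds per-object keys plus an access list; it never sees any ciphertext."""
    def __init__(self):
        self.keys, self.acl = {}, {}
    def release(self, msg_id, user):
        if user not in self.acl[msg_id]:
            raise PermissionError(f"{user} is not an authorized recipient")
        return self.keys[msg_id]

def send(provider, keysvc, msg_id, body, recipients):
    dek = os.urandom(32)                      # one fresh key per data object
    provider.store[msg_id] = (encrypt_object(dek, body), dek if provider.holds_keys else None)
    keysvc.keys[msg_id], keysvc.acl[msg_id] = dek, set(recipients)

def read(provider, keysvc, msg_id, user):
    # Recipient needs the key service (authorization) AND the provider (ciphertext)
    return decrypt_object(keysvc.release(msg_id, user), provider.store[msg_id][0])

def provider_breach(provider, msg_id):
    # Everything an attacker learns from a full copy of the provider's store
    blob, dek = provider.store[msg_id]
    return decrypt_object(dek, blob) if dek else None
```

With `EmailProvider(True)` a breach of the provider alone yields the plaintext; with `EmailProvider(False)` it yields nothing, and the key service refuses users outside the recipient list.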
By focusing on Zero Trust security, enterprises can overcome the shortcomings of perimeter-based approaches and evolve their security posture with end-to-end encryption. As the benefits of data-centric security take hold, organizations will be poised to finally make the shift to a default-secure future.
Zero Trust Security and PIET
PIET’s data-centric encryption contributes to Zero Trust network security. Emails and files are encrypted before they leave the sender’s computer and are only decrypted when they reach their destination; we do not pass keys across the carrier network, so data stays protected wherever it is shared (in motion and at rest).
PIET can use the same approach to protect other applications. Real-time communications, Salesforce or Workday data, or onsite files being migrated to the cloud are encrypted throughout their journey to prevent interception.
PIET’s policy-based encryption controls and 40% overhead reduction are also invaluable to a high-speed Zero Trust network: greater protection, simplified management, lower costs and the highest levels of security. Contact PIET to learn more.