In Zero Trust We Trust

In modern combat-heavy, big-budget movies, taking place in some named or unnamed conflict zone, warlords, grifters, and bad actors are all around (think criminals, not Razzie Awards winners). The lead character needs a security detail – but he can’t tell the good from the bad. It all makes for a great action movie, but unfortunately, it’s eerily similar to the security and cyberattack scenario facing businesses today. With a 200 percent increase in ransomware attacks from 2019 to 2021 and the average cost of a breach reaching $4.2M[1], executives definitely don’t see the entertainment value.

As the threat landscape grows, so does the army of folks looking to do harm

Security is a priority for everyone. The threat landscape has gotten bigger and more complex – and more profitable for those who attack it and who claim to protect you from it. The growth and distribution of data, resources, and users mean a growing attack surface and plenty of loopholes for those who desire to do harm. Those who fall victim to ransomware attacks, or hear the gory details from peers, are re-evaluating their programs. What they’re finding is an incomplete, disaggregated solution -- a byproduct of a fragmented security market.

Security vendors want to solve challenges. This can lead them into new spaces within this complex environment – and, potentially more fragmentation. Attackers love it. Organizations struggle to implement and learn new services and solutions -- and find the talent to manage them. In the meantime, bad actors see an opportunity to attack. (Thankfully, there are lots of good guys out there, too, and we are partnering with them to deliver great solutions and help our customers navigate a safe path forward.) 

We need a new approach

It’s clear that we need a fundamentally different approach. The old “ice cream bar approach” failed long ago, but few have managed to meaningfully move away from it. We’ve continued to rely on a hard, crunchy outside, but the soft, gooey inside remains, letting cybercriminals roam at will once they are inside a network. We need something better than perimeter defense. We need defense and protection at all layers.

That’s where Zero Trust comes in. It’s not a product, but a framework and architectural approach; a cybersecurity model that shifts from a reliance on perimeter defenses to a proactive strategy that allows only known good activity across ecosystems and data pipelines. If someone offers you a single product to deliver Zero Trust solutions, I’ve got some beautiful oceanfront property in Central Texas for sale!

Secure by design

 Zero Trust is something to aspire to as you undo the ice cream bar approach of building moats around your network, but then lowering the drawbridge in exchange for an easily hacked password. The consolidated, system-level approach ensures organizations are ‘secure by design’ across networks, devices, and systems. And it’s quickly becoming the standard for reimagining the IT environment. (You can read the latest Security and Privacy Controls for Information Systems and Organizations, published by NIST.)

It may seem an imperfect term for a systemic approach to building trust in systems. First introduced in the 1970s, it has evolved alongside the PC and server industries from trust and verify to verifying at every access point. Remember Triple-A? We broadly embraced one-time authentication but forgot about the other A’s: authorization and accounting. Zero Trust brings them back, along with new techniques learned over the intervening decades. The old ‘secret knock’ that got you in the door won’t let you wander down pathways and explore interesting rooms at will anymore. Consistent, automated verification at every data access point is now required...delivering on all of the A’s and then some.

Defense and protection, teaming with DoD

 The US Department of Defense (DoD) recently set a goal of achieving Zero Trust compliance with the many organizations it works with to better protect its systems and information. It is, in fact, mandated for companies that control the nation’s critical infrastructure. Sixteen sectors have been identified whose assets, systems and networks, whether physical or virtual, are considered so vital to the U.S. that their incapacitation or destruction would have a debilitating effect on the economy, national security, public health or safety, or any combination thereof.

This is a fundamental shift in how to secure data and information. And the DoD is not doing it alone. Dell, with a team of industry experts, will power the Zero Trust Center of Excellence to provide organizations with a secure data center to validate Zero Trust use cases. It will use the Department of Defense Zero Trust Reference Architecture as its foundation for organizations to test configurations before deployment in their own environments. For all the security geeks out there, think of it as a Zero Trust playground.

Simply secure

We have a great responsibility to help our customers protect and secure data, software, and systems end to end. So, we are driving toward a future where Zero Trust capabilities are embedded in the root of our products and services so that customers will enjoy a simpler, more fundamentally secure operating environment. And we’ll get there with a powerful ecosystem of partners. If the products you use, and the supply chain that delivers them, are essentially secure from the start, you’ll spend less on things to keep you out of harm’s way.

We don’t know all the answers (yet), and neither does anyone else, but we’re getting out in front of the industry to help innovate in ways that make security safer and less costly. We know our customers need trusted partners and ecosystems to help them build a security strategy that protects their data and systems now and prepares them for the journey to Zero Trust. 

It takes years to build a reputation – for a company or an actor – and one cyber incident, or awful movie, can ruin it in days. As the threat landscape continues to grow, are you thinking about Zero Trust?

[1] Source:2022 SonicWALLCyber Threat Report