The world has undeniably become more digital. Before the pandemic, ‘digital transformation’ was an aspirational buzzword for technologically innovative companies – but today, with the surge in digitalisation brought on by lockdowns and remote working, everybody is transforming their operations.
When it comes to today’s security landscape, it now goes well-beyond the walls of the enterprise network. Every size and shape organisation are becoming increasingly reliant on digital and cloud-based applications and services. The amount of data that has been created and that organisations rely on has grown exponentially, and is prevalent throughout every corner of an organisation’s IT ecosystem.
But with this increased digitalisation comes extra risks and vulnerabilities. Indeed, as workforces become more digitally dispersed, with remote and hybrid work booming, risks associated with accessing sensitive, corporate information via home networks or using personal devices that don’t have that extra layer of company security are also increasing. Additionally, there is the human risk that someone outside of the organisation could gain access to information if an employee is using a shared device at home.
The Great Resignation and labour shortages are also putting pressure on organisations’ security. People are resigning at the highest rate since 2009 in the UK and 70% of UK tech organisations are experiencing staff shortages, per Robert Walters research. This makes it difficult for organisations to keep pace with changing personnel and working environments which, much like with remote/hybrid workers, increases exposure to security risks.
As a result of these shortages, growing numbers of organisations are turning towards third-party outsourced partners and talent to meet short-term demands, reduce costs and accelerate growth. But, if not done correctly, bringing on a third-party workforce without due diligence or proper governance and security controls can also create additional cyber risks.
In today’s globally connected, digitally-dispersed world, then, the “never trust, always verify” principles of Zero Trust Identity resonate more strongly than ever. With the presence of new vulnerabilities and advancing technology, it’s time we shift to the identity-based Zero Trust paradigm, with an increased layer of security at the identity level.
The key factors of Zero Trust Identity
Zero Trust has become a popular catalyst for organisations changing their fundamental security and identity practices, particularly in the wake of the pandemic’s digital boom. According to Deloitte, 37% of organisations have increased Zero Trust adoption in just the past two years.
Companies are accepting that every core business function — from HR to accounting — now relies on digital technology, and that the only way to protect their primarily remote-workforce and growing IT ecosystem is to assume continuous risk and to reassess trust every time access is attempted. This is the era of Zero Trust.
But what exactly does Zero Trust, or Zero Trust Identity mean? Consider that, per Verizon, 36% of data breaches in an enterprise involve internal actors – employees at that company. This doesn’t mean that a third of every organisation is a clandestine hacker, but more likely than not has not kept a close eye on their passwords, or has been given access to content and systems unnecessarily.
With Zero Trust Identity, everything and everyone is considered untrustworthy until proven otherwise. With Zero Trust, each access case is reviewed and assessed individually of each other and someone is only granted access when absolutely necessary. Each request for access is evaluated based on various identifying data, such as location, to determine trust, and thus, access.
Bring in identity access management (IAM), Identity Governance and Administration (IGA), and Cloud Privileged Access Management (CloudPAM), and Zero Trust Identity is something more than access control. It is continuous monitoring, management, remediation, and recovery that can mitigate risk and prevent mistakes before they happen.
Four key benefits of Zero Trust Identity
The Zero Trust Identity model has significant benefits. Without the presence of standing privilege, organisations can see improvements across the whole business.
1. Secure remote workers. KuppingerCole and HP recently found that half of office workers use their work devices for personal use, and that 84% of IT decision-makers worry this increases their company’s risk of a security breach. This is more than understandable, when users, data and access is spread across the world.
Firewalls will no longer do the trick in this environment, but Zero Trust Identity can. By providing a tangible perimeter to every employee, user, device and application, no matter where they’re working, organisations can rest easier knowing their workers are safe even outside the corporate network.
In addition, with the pandemic resulting in the rapid rollout of VPNs and subsequent configuration and security issues, Zero Trust can help streamline access and reduce performance issues, giving employees what they need, when they needed it and wherever they’re located.
2. Simplify IT management with automation. Continuous monitoring is a key part of Zero Trust, and when automated, it can simplify access management and security enormously. This is especially beneficial in a time where, according to the Information Systems Security Association (ISSA), 62% of organisations report a problematic cybersecurity skills shortage and errors are more likely to slip through the gaps. With a privileged access management (PAM) system, for example, access can be automatically granted to a user based on key identifiers, and requests only need to be manually approved if they are flagged by the automated system.
With automation, fewer human resources are needed in the time of a talent crunch. This enables existing security teams to work more efficiently, and spend more time focused on innovation and elements that really do need manual administration. Automated Zero Trust platforms – that rely on centralised monitoring – can also produce reliable, invaluable data that provides insights about areas where security could be improved and helps the security team to further identify threats.
3. Gain greater visibility. Nothing is trusted in the Zero Trust framework, but organisations can decide what elements of their security strategy are more critical or risk-prone. This means that everything from outside resources such as cloud-based serverless processes to legacy on-premise technology needs a seat at the table – and with Zero Trust, organisations are given this visibility. Then, they can build a solution that best matches their requirements while also covering all assets, giving them insights into who is accessing their network and when.
4. Achieve continuous compliance and improved data protection. Rogue employees, cybersecurity hackers and malware will always be looking for a way to gain access to large enterprise networks, but Zero Trust Identity, particularly without standing privileges, can significantly reduce the risk that they can extract any information. With just-in-time access for example, which falls under the PAM umbrella and means end users receive the right level of privilege for their immediate tasks and are limited in terms of what they can access and for how long. For malicious intruders, the same rules apply and can significantly staunch the impact of a breach.
This also has huge knock-on effect when it comes to compliance, ensuing sensitive data is locked away safely. Indeed, Zero Trust architecture is hugely beneficial to continuous compliance, as by evaluating and logging every access request and by tracking every request’s time, location, and related application, a perfect audit portfolio of evidence is created.
As a result, resources required for any audits are reduced, potentially costly compliance fails can be mitigated, and governance is more effectively upheld. And, according to IBM, organisations with a mature Zero Trust approach can reduce data breach costs by $1.76 million.
Increased resilience
Without the presence of standing privilege, organisations can see improvements across the whole business, from securing remote workers to gaining better visibility of their security estate. Even if malware or a threat actor does slip through the gaps, then Zero Trust Identity limits the scope of damage and organisations have the agility and resilience to take proactive actions to secure their valuable assets.
Chris Owen is a Director of Product Management at Saviynt, where he drives product innovation, execution of the technology roadmap, and go-to-market strategies. He has more than 15 years of experience in the identity access management and privileged access management industry. Before Saviynt, Chris held various technical and leadership roles at Quest / One Identity, CyberArk, BeyondTrust, and Centrify.