This year has brought about some monumental shifts within the cybersecurity landscape. From the impact of remote and ultimately hybrid working through to some of the more prolific and disruptive attacks that have impacted almost every industry from the public sector through to supply chains, manufacturers and healthcare.
There has been a noticeable shift in the way businesses view trust within their networks, largely because of their more distributed workforces. Many are re-evaluating their remote access technology as a crucial part of their internal cybersecurity review process and finding that zero trust or a least privilege view is more appropriate as hybrid working becomes more persistent and widespread. The concept of zero trust is becoming the default.
The overall business landscape itself has evolved as applications and data continue to move off-premises while still maintaining on-premises applications. In fact, organisations have begun to depend more on hybrid and multi-cloud environments to help support their ongoing digital transformation requirements. According to a recent FortiGuard Labs Threat Landscape report from Fortinet*, 76 per cent of respondents reported using at least two cloud providers.
More control and a consistent security approach applied to all users regardless of where they are – off or on-networks – or accessing on or off-premises applications, is crucial. So how do organisations ensure that users who shouldn’t have access to a network, don’t?
Trust no one
This is where zero trust comes into play. Zero trust operates on the premise that there are constant threats both outside and inside an organisation’s network. Zero trust also assumes that every attempt to access the network or an application is a threat. No one inside or outside the network should be trusted until their identity has been thoroughly vetted.
The Fortinet-coined term Zero Trust Access (ZTA) is an important first step towards implementing a zero-trust security architecture. Establishing ZTA involves pervasive application access controls, powerful network access control technologies and strong authentication capabilities. One aspect of ZTA that focuses on controlling access to applications is Zero Trust Network Access (ZTNA).
ZTNA extends the principles of ZTA to verify users and devices before every application session to confirm that they conform to the organisation’s policy to access that application. ZTNA supports multi-factor authentication to maintain the highest degree of verification.
Using the zero-trust model for application access or ZTNA makes it possible for organisations to rely less on traditional virtual private network (VPN) to secure assets being accessed remotely. A VPN often provides unrestricted access to the network, which can allow compromised users or malware to move laterally across the network seeking resources to exploit. Which is why it is crucial that a transition to a least trust model is necessary.
A consistent policy applies this equally, whether users are on or off the network, which is a benefit of ZTNA. So, an organisation has the same protections, no matter where a user is connecting from.
A cultural shift to ZTA
Investment in ZTA solutions needs to increase, but a massive shift in security strategy can feel daunting to many businesses. There’s an all-too-common notion that implementing a zero-trust architecture requires a complete overhaul of a business’s network. There will certainly be some heavy lifting required, but successful implementation is about having the right framework in place paired with the right tools to execute.
Every environment needs to have consistent zero trust. It’s a cultural shift, which is often a bigger change than the technology shift. It involves a mindset and a commitment to changing how access is granted and how security is maintained across the organisation.
ZTA is an evolutionary step, not a wholesale replacement of existing identity and access management. It’s something that’s accessible to everyone from small businesses through to larger enterprises. And is crucial to helping organisations secure themselves against an aggressive and changing threat landscape.
Fortinet’s recent FortiGuard Labs Threat Landscape Report saw a tenfold increase in ransomware in the first six months of 2021, highlighting a significant change from the same period of time last year. With remote and hybrid working the norm, cyber criminals are finding it easier to access corporate networks using employee and extended network vulnerabilities as their way in.
Which is why businesses must make use of every security advantage that exists, this includes the shift to a zero-trust security strategy. Because there are so many threats from without and within, it’s appropriate to treat every person and thing trying to gain access to the network and its applications as a threat.
Zero trust doesn’t have to be this big step change or that existing security architectures need to be replaced, but rather the way the solutions are used to gain more control within the network, creating an even stronger shield and barrier. It is the way forward for organisations that want to be confident that they have the necessary tools and support to combat evolving threats.
* The FortiGuard Labs Threat Landscape report from Fortinet is based on a comprehensive global survey of 572 cybersecurity professionals