In an exclusive with ITP.net, Amir Sohrabi, Area VP for Emerging Markets at Citrix discusses how recent businesses have become faster, flexible, and mobile and therefore need a modern security approach to secure their digital business and workforce.
In the Middle Ages, doing business meant going to a marketplace in the nearest town to buy, sell, or barter goods. Business transactions could take a whole day, with logistics limited to the speed of walking or riding an ox cart. Today, we are used to buying goods online with a few clicks and having them delivered overnight.
In a similar fashion, how we work has become faster, more flexible, and more mobile. And yet, many businesses still adhere to the ancient ‘castle and moat’ approach of securing their digital business and workforce. It’s high time we bring the security architecture into the modern age. Zero trust is designed to enable exactly that.
Recent months have forcefully demonstrated the huge potential of a pre-existing trend toward a more distributed, mobile way of working. This has helped to keep businesses up and running in a time of crisis, while keeping employees productive and healthy by enabling work from home.
Even without the pandemic, the trend toward mobile, flexible work would have increased as employees seek new approaches that optimize their work-life balance, while giving businesses the flexibility required for agile workflows.
ALSO READ: How to fast-track your digital workspace strategy
Today’s age of flexible work, however, brings some challenges. Employees now frequently work outside the traditional security perimeter. Also, ever more employees use their own devices and a growing number of cloud services instead of – or in addition to – traditional and centrally-managed devices and on-premises business applications.
This heterogeneous environment makes it increasingly difficult to achieve the level of control required to keep business processes adequately secured. The old-fashioned ‘castle and moat’ approach – trying to achieve a well-secured state by keeping adversaries outside – is a concept that once dominated security design in recent decades, but today’s heterogeneous hybrid work landscape marks its limits.
The evolving world of work requires a new security architecture. That’s why the zero-trust approach is so hotly debated these days. Zero trust doesn’t mean that businesses no longer trust their employees. Rather, that they cannot, and should not, have blind faith in the technological context from which employees are accessing sensitive resources.
After all, it is now a likely scenario that employees work with business applications and company data using their own devices and a potentially untrusted network connection like a Wi-Fi home network or public Wi-Fi hot spot. That’s why a zero-trust environment is based on the assertion: never trust, always verify!
To achieve this, modern security software, aided by artificial intelligence and continuous monitoring, constantly evaluates user (or rather: user account) and endpoint behavior for any indicators of unusual activity that might hint at a security compromise. Not all zero-trust environments are the same, though. In a startup that operates fully based on SaaS, it might be enough to apply the zero-trust concept to the SaaS services and endpoint devices.
Most enterprise IT environments, however, are more complex than this: they tend to contain a wide variety of on-premise or even internally developed custom applications, along with legacy VPN technology and a wide array of desktop and mobile devices. Accordingly, the zero-trust approach needs to be carefully planned and adapted to the individual IT environment.
The first step toward a zero-trust environment consists of establishing a zero-trust network architecture that covers all aspects of users interacting with corporate – internal and/or cloud-based – IT resources, wherever the users or the resources might be located. This requires an evaluation of the context of user access, combined with the creation of risk profiles. Based on these risk profiles and continuous context analysis, the security team can implement and enforce centralised security policies – independently from any old-fashioned network firewall perimeter.
Establishing context entails checking numerous aspects such as the IP address and geographic location, device status (corporate-owned, privately owned), OS status (jailbroken/rooted or secure), patch status etc., as well as verifying digital certificates for identity and access management. The constant evaluation of all this data is then matched with predefined granular policies.
For example, businesses might determine that employees can only access sensitive resources if the device is fully secured, and the user is identified via multi-factor authentication. Otherwise, a pop-up notification will inform the employee how to proceed, while the device might be put into quarantine until its desired state is achieved.
The benefit of the zero-trust approach lies in the fact that it strikes a perfect balance between security and usability: most of the time, employees won’t even notice that the zero-trust setup is continuously ensuring a high level of security. They will only notice security measures being applied when something extraordinary happens, be it by mistake or because an adversary has managed to compromise a user account.
Business has evolved from the medieval marketplace to just-in-time production, online ordering, and overnight delivery. In a similar way, IT security architecture must adapt to today’s fast-evolving business world. Zero trust paves the way for working securely from anywhere while enabling a smooth employee experience. It’s high time to leave the ancient castle walls of IT security behind and switch to something designed from the ground up for the speed, agility, and user-friendliness of modern hybrid work.
