Cloudflare: Why you need to put your trust on Zero Trust

Following the events of 2020, enterprise networks have witnessed drastic changes that call for a renewed approach to network security. Cloudflare Product Marketing Manager Lane Billings sheds light on how a Zero Trust framework can play a vital role in enabling a stronger security posture for modern enterprises.

As enterprise digital transformation continues to kick into high gear, organisations are increasing their reliance on emerging technologies to develop innovations at breakneck speed. Unfortunately, this also opens up a lot of vulnerabilities that threat actors can exploit.

In the digital era, securing networks can be a daunting task, especially as the lines between internal and external environments continue to blur.

“The network security space has evolved as the demands placed on a corporate network have changed dramatically,” says Lane Billings, Product Marketing Manager – Zero Trust, Cloudflare.

“IT has gone from a back-office function to mission-critical. In parallel with networks becoming more integral, users spread out from offices to work from home. Applications have left the data centre and are now being run from multiple clouds or are being delivered by vendors directly over the Internet.”

In the recent past, security strategies were built around the assumption that network traffic comes predominantly from within the physical confines of the organisation. Networks were structured with a firewall at the edge, with servers, switches, and Wi-Fi access points making up the rest of the perimeter. In response, traditional security measures were designed with the thinking that users, once inside the firewall, were automatically trusted.

Now that remote work is the reality for most organisations, many IT and security leaders are rethinking and redesigning network security strategies to implement a Zero Trust model.

Traditional network security typically follows a ‘trust but verify’ method. It assumes that everyone inside the network perimeter should be trusted by default.

“The corporate perimeter is broken,” says Billings. “The fatal flaw of conventional network security is that once inside the network ‘moat,’ attackers are privileged to go anywhere inside the ‘castle.’ But now that remote work is becoming a norm and users need access to corporate applications and data from dispersed locations and devices, the perimeter is shifting infinitely outward.”

Zero Trust is a significant departure from this mentality as its main tenet is that every user or device that wants to connect to a corporate network is untrustworthy until proven otherwise. It means that identity and device authentication are required throughout the network regardless of whether they are accessing the corporate system internally or externally.

“Zero Trust models adhere to the ‘never trust, always verify’ principle,” explains Billings. “Zero Trust platforms follow the ‘least privilege’ principle by only providing what users need at the moment, thereby minimising the spread of any undetected harm laterally across the organisation.”

The adoption of Zero Trust frameworks has seen an uptick over the last few years and even more so since the rise of remote working. According to Gartner, by 2022, 80% of new digital business applications opened up to ecosystem partners will be accessed through Zero Trust network access (ZTNA). Subsequently, a recent Forrester study that was commissioned by Cloudflare showed that 80% of surveyed security leaders say their organisation is committed to adopting a Zero Trust model. However, there are still key misconceptions that are stifling its mainstream adoption.

According to Billings, one of the main myths about Zero Trust is that it’s simply hype. “Aggressive marketing by IT security vendors has unfortunately created a lot of noise around Zero Trust. But the excitement today is driven by real-life challenges,” she says.

“Zero Trust best practices are not new. They have been refined over the past decade not only to strengthen security but also to unlock new business opportunities. For security teams, Zero Trust technologies prevent breaches, contain the spread of malware, and enable better control over network traffic.”

Another misconception about Zero Trust is that it’s only valuable for large enterprises. “Smaller businesses face similar threats, reputational scrutiny for breaches and demands from customers about higher standards of security as big enterprises. More importantly, they face their unique challenges that make adopting a ‘never trust, always verify’ posture urgent,” says Billings.

The third most popular Zero Trust myth, according to Billings, is that it requires too many products. Zero Trust is neither one product nor a collection of them. Instead, it is a mindset that informs security architecture decisions, and at its core is the principle that no users should be trusted by default, regardless of their position inside or outside the network.

“Shifting to Zero Trust is like improving physical fitness,” says Billings. “There are best practices to aspire to, but the key is finding the right set of habits to achieve specific goals and needs. For example, implementing multi-factor authentication is like avoiding junk food. It does not guarantee perfection, but it does set a solid baseline in security hygiene.”

Billings also notes that organisations do not necessarily need to invest in every Zero Trust technology immediately. But by addressing critical weaknesses first, they can begin strengthening their longer-term security mindset.

Since implementing a Zero Trust framework provides organisations with a holistic approach to network security, it offers a wide range of benefits such as a stronger security posture and reduced attack surface.

“Zero Trust security platforms reduce remote work risks by enforcing identity and context-based authentication on every request to your corporate apps, leaving little room for lateral movement,” says Billings.

She adds, “It also gives organisations better visibility over their network by intercepting and logging requests from all remote devices — even unmanaged devices. Administrators can monitor network activity in internally-hosted and SaaS apps, with an audit trail to investigate incidents. Logs can also be centralised in one dashboard, and automatically sent to the SIEM of choice.”

Finally, Billings says Zero Trust also simplifies how users connect to corporate networks and streamlines how administrators work. “With reduced reliance on legacy VPNs, administrators can apply standard security controls to all traffic regardless of how that connection starts or where in the network stack it lives. Additionally, policies can all be managed from one dashboard,” she explains.

Organisations such as Cloudflare are advocates of the Zero Trust framework. The company has developed solutions such as Cloudflare Access, a Zero Trust platform that secures self-hosted and SaaS applications by aggregating sources of user identity and trust and enforcing policies on every request or log in. The company also offers Cloudflare Gateway, a solution that helps protect organisations from malware and data loss by routing all Internet-bound traffic through Cloudflare’s network, where a Cloudflare data centre close to the user can apply security policies.

“Customers expect Zero Trust security to just work in any environment and we have built our products to be cloud-agnostic. We believe that enterprises will expect more sources of identity signal to power more rules while simultaneously reducing user friction. We also anticipate that organisations moving to a Zero Trust model will continue to prioritise platforms that allow them to consolidate the different tools and solutions that they are utilising,” says Billings.

Ultimately, what’s evident is that enterprise assets are simply no longer safe behind traditional firewalls, and securing the perimeter as we know it is no longer sufficient. Undoubtedly, Zero Trust will play a critical role in addressing our security woes; however, it is not the entire answer. In order to stay prepared for tomorrow’s threats, enterprises need to fully understand the resources that they need to protect and determine the best ways to prevent them from being exposed and exploited.

Billings will join an exclusive webinar titled ‘Beyond the Perimeter: Securing Fragmented Environments with Zero Trust.’ The webinar, which will air on 23rd March, also features other panellists including BCG Associate Director Dr Amir Alsbih and Standard Chartered Regional CISO Dr Erdal Ozkaya.