Never trust, always verify – the “Zero Trust” security model follows this motto. No actor wishing to access resources is trusted. Rather, each individual access requires authentication. Time for a paradigm shift in cybersecurity. A comment from Sebastian Ganschow, Director Cybersecurity Solutions at NTT Ltd.
The thinking behind Zero Trust is simple: implicit trust is itself a vulnerability that attackers can exploit for lateral movement and access to sensitive data. The fortress, i.e. the company network, has not been impregnable for a long time. Data and applications that once sat on a server in the company's own data center are now scattered across countless cloud platforms. With Microsoft 365 and Azure Active Directory, even the core functions of office and enterprise software are increasingly migrating to the cloud.
The internal network migrates to the cloud
In these distributed, hybrid environments, walls and moats, for example in the form of a firewall, no longer offer sufficient protection on their own. The way we work has also changed fundamentally: employees log in from home via VPN access and even use their own devices. Documents are shared with outsiders via SharePoint, and accounts for service providers are activated in Teams. Of course, this seamless collaboration enables the productivity that today's working models require. But when it comes to the security of data and systems, the new working world is full of dangers, because increasing connectivity also increases the number of possible gateways for attackers. What's more, cybercriminals are using increasingly sophisticated methods to defeat conventional protection measures.
What zero trust means in practice
So what makes Zero Trust different? Basically, every single data access is verified: dynamically, risk-based and context-sensitive. The focus is on the principle of least privilege. This means each user is granted only as much access as they need to perform the task at hand. For reliable protection, information on the following questions must be collected continuously: What data is being accessed? Where does the user request come from? Who is requesting the data? Why does the user need access? When do they need it?
Rights: As many as necessary – as few as possible
On this basis, user authorizations can then be controlled by policy. For example, companies can specify that employees can only access sensitive resources if the security technologies on the end device are up to date. Otherwise, the device is quarantined until the required updates are installed. Or they only allow an employee to access data from the HR department if they are connected via the VPN on a company laptop.
Policy Engine notices strange accesses
Likewise, with a policy engine acting as the control center that decides on individual requests, the context can be evaluated case by case and, if necessary, dynamic session-based data access can be granted when users, devices or operational instances need it. This is the case, for example, if an employee suddenly wants to log in at an atypical time or from an atypical location. A holistic Zero Trust strategy that not only secures network access but also includes users, devices, applications and factors such as user behavior enables almost limitless flexibility in how and where employees work. Those responsible for IT, on the other hand, arm themselves against cybercriminals by keeping the fortress walls strong against the attackers. At the same time, they reduce the complexity of IT security if each device no longer has to be administered individually.
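The policy rules described in the two sections above (up-to-date endpoint protection, HR data only from a company laptop via the VPN, atypical time or location) can be sketched as a small decision function. This is an added example, not NTT's code or part of the original comment. The decision names, the resource labels, the baseline table and the choice to answer atypical context with a session-limited grant are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed baseline of each user's usual countries and working hours (sample data).
BASELINE = {"alice": ({"DE"}, range(7, 20))}

@dataclass(frozen=True)
class Request:
    user: str               # who is requesting the data
    resource: str           # what is being accessed
    label: str              # "internal", "sensitive" or "hr" (assumed labels)
    entitled: frozenset     # resources the user's task requires (least privilege)
    company_device: bool    # company laptop or private device
    endpoint_current: bool  # security technologies on the device up to date
    via_vpn: bool
    country: str            # where the request comes from
    when: datetime          # when it is made

def decide(req: Request) -> tuple[str, str]:
    """Return (decision, reason); every request is evaluated, none is trusted implicitly."""
    # Least privilege: anything outside the user's task is refused outright.
    if req.resource not in req.entitled:
        return "deny", "resource not needed for the user's task"
    # Device posture: outdated endpoint protection means quarantine until updated.
    if req.label in ("sensitive", "hr") and not req.endpoint_current:
        return "quarantine", "endpoint security not up to date"
    # HR data: only from a company laptop connected via the VPN.
    if req.label == "hr" and not (req.company_device and req.via_vpn):
        return "deny", "HR data requires company laptop and VPN"
    # Context: users without a baseline, unusual countries and unusual hours are atypical.
    countries, hours = BASELINE.get(req.user, (set(), range(0)))
    if req.country not in countries or req.when.hour not in hours:
        # Assumption: atypical context gets a grant limited to this session only.
        return "session_only", "atypical time or location"
    return "allow", "policy satisfied"
```

The checks run from the hardest failure to the softest, so a request that fails both the device check and the context check is quarantined rather than given a session-limited grant.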
New working models – new access models
The fact is, new working models and hybrid infrastructures require a paradigm shift. Unless companies rethink and abandon long-established thought patterns, IT security will no longer work in the future. Zero Trust is no longer optional - no, it is mandatory.