This article is based on the Cyberedge webinar by Steve Piper and my personal insights.
–
Before-and-after comparisons are not limited to the cosmetic and real-estate industries; cybersecurity is no exception. Security before and after COVID-19 has changed as well.
“Then: Trust but verify.”
Zero-trust security may have been a fancy consideration before the pandemic. However, compliance standards such as PCI DSS, ISO 27001, and HIPAA are significant factors driving the implementation of zero-trust security.
What has changed?
Remote work wasn’t an alien concept before COVID-19, but there was no mass adoption.
Traditional cybersecurity relied on perimeter-based defense for user and device security.
The pandemic has punched a big hole in the traditional cybersecurity model.
That hole has accelerated the adoption of zero-trust security as a framework. It is built on the principle that threats can be internal or external.
We have a new mantra.
“Now: Never trust, always verify.”
Never trusting anything or anyone seems harsh. But there are reasons:
- Most businesses rely on cloud services and SaaS applications. User authentication to these third parties has become decentralised, requiring constant authentication regardless of location.
- The number of personal devices is exploding with BYOD (Bring Your Own Device) flexibility. Corporates have no control over endpoint security on devices owned by contractors or business partners.
- Assuming that internal employees are not threats is traditional thinking. As the name suggests, zero trust applies regardless of whether the person is an internal or external employee.
- Remote workers are on the move, so their location is dynamic. They are susceptible to advanced threats and sophisticated attacks, which requires continuous monitoring.
Zero-trust is all about giving the right people the right access, from the right location, to the right application.
Despite this, the Cyberedge Group report shows that 9% of companies have not considered zero-trust security. Surprisingly, only 35% of companies have implemented zero-trust in their production systems.
It’s essential to debunk a few myths about zero-trust security.
Myth #1: Zero-trust is not a product or platform. It’s a framework.
Beware of vendors who market “zero-trust ready solutions” during sales when the product itself adds friction to the security that is available.
Myth #2: Zero-trust is for small to medium businesses.
Most big organizations don’t have financial constraints when implementing zero-trust security. Small to medium companies often consider zero-trust a fancy feature, but it has become the norm.
Myth #3: Zero-trust is about leveraging what already exists in the environment.
To implement zero-trust security, you don’t need to reinvent the wheel. Most companies already have firewalls, Active Directory, and mobile device management software. Consider how you can blend data and network security with device and identity verification.
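To make the contrast between “trust but verify” and “never trust, always verify” concrete, and to show how existing signals (directory group membership, MDM device status, location, application sensitivity) can be blended into one per-request decision as the third myth suggests, here is a small added example. It is not code from the webinar or the article; the application catalogue, entitlements, allowed countries, thresholds and sample requests are all constructed for illustration, and the device fields stand in for whatever an MDM or identity provider would actually report.

```python
"""Added example: perimeter decision vs. zero-trust decision for one request.

The perimeter model asks a single question (is the request coming from inside
the corporate network?). The zero-trust model ignores network location as a
trust signal and evaluates identity, device, location and the requested
application on every request, denying by default.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_passed: bool          # did this session satisfy MFA?
    device_managed: bool      # enrolled in MDM (assumed to come from the MDM)
    device_compliant: bool    # patched, disk-encrypted, etc. (assumed MDM posture)
    on_corp_network: bool     # source IP inside the office range
    country: str              # geolocation of the source IP
    application: str


# Hypothetical application catalogue: sensitivity tier per application.
APP_SENSITIVITY = {"wiki": "low", "crm": "medium", "payroll": "high"}
# Hypothetical entitlements, e.g. derived from Active Directory group membership.
ENTITLEMENTS = {"alice": {"wiki", "crm", "payroll"}, "bob": {"wiki", "crm"}}
# Hypothetical list of countries the business operates from.
ALLOWED_COUNTRIES = {"US", "GB", "DE"}


def perimeter_decision(req: AccessRequest) -> str:
    """'Trust but verify': anything inside the network is trusted."""
    return "allow" if req.on_corp_network else "deny"


def zero_trust_decision(req: AccessRequest):
    """'Never trust, always verify': deny by default, evaluate every signal.

    Returns (decision, reasons) where decision is "allow", "step-up" or "deny".
    Note that req.on_corp_network is deliberately never consulted.
    """
    hard_failures = []
    if req.application not in ENTITLEMENTS.get(req.user, set()):
        hard_failures.append("user not entitled to application")
    if req.country not in ALLOWED_COUNTRIES:
        hard_failures.append("location outside allowed countries")
    # Unknown applications are treated as high sensitivity (fail closed).
    sensitivity = APP_SENSITIVITY.get(req.application, "high")
    if sensitivity in ("medium", "high") and not req.device_managed:
        hard_failures.append("unmanaged device for medium/high-sensitivity app")
    if sensitivity == "high" and not req.device_compliant:
        hard_failures.append("non-compliant device for high-sensitivity app")
    if hard_failures:
        return "deny", hard_failures
    # Identity and device are fine; a missing MFA proof is recoverable,
    # so ask the user to re-authenticate rather than denying outright.
    if not req.mfa_passed:
        return "step-up", ["MFA required for this request"]
    return "allow", []


# Constructed sample requests.
INSIDER_BYOD = AccessRequest("bob", mfa_passed=False, device_managed=False,
                             device_compliant=False, on_corp_network=True,
                             country="US", application="payroll")
REMOTE_MANAGED = AccessRequest("alice", mfa_passed=True, device_managed=True,
                               device_compliant=True, on_corp_network=False,
                               country="GB", application="payroll")
PARTNER_STEPUP = AccessRequest("bob", mfa_passed=False, device_managed=True,
                               device_compliant=True, on_corp_network=False,
                               country="DE", application="crm")

if __name__ == "__main__":
    for name, req in [("insider on personal laptop", INSIDER_BYOD),
                      ("remote user on managed laptop", REMOTE_MANAGED),
                      ("partner without fresh MFA", PARTNER_STEPUP)]:
        print(f"{name}: perimeter={perimeter_decision(req)}, "
              f"zero-trust={zero_trust_decision(req)}")
```

The first sample request is the case the article warns about: an employee on the office network, on an unmanaged personal device, asking for an application they are not entitled to. The perimeter model allows it purely because of network location; the zero-trust evaluation denies it and lists every failed check, which is also what you would want logged for detection. The second request is the reverse: a remote worker the perimeter model would block but who satisfies every zero-trust signal. The third shows that “always verify” does not have to mean “always deny”: when only the MFA proof is missing, a step-up challenge is the proportionate response.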
–
The return on investment (ROI) for zero-trust is like car insurance: you only realize the benefit when your car breaks.