Zero Trust: Trust no one, Verify everyone
Cloud Migration is the next big thing. Everyone wants to be in the cloud, but what about security and compliance standards? How do organizations manage both safety and security in the “Cloud Era”? Cloud deployments render the concept that everyone inside of a corporate network should be trusted null and void. Essentially, when it comes to the cloud, everyone is a tenant on a big server farm full of tenants. Thus, the only way forward is the Zero-Trust Model.
Conventional security models assume “good” users are inside the firewall and “bad” users are outside. This is also known as the “Castle and Moat Model,” where the moat serves as the preliminary line of defence. Conventional approaches to security like this are ineffective in today’s world of hybrid multi-cloud and mobile workforces.
Enter Zero Trust: the model predicated on the idea that a company cannot, by default, trust internal users, just as it cannot trust all external users. The concept of Zero Trust has been spreading across the industry for years. While Forrester coined the term “zero trust” in 2010, major players like Google, Gartner and IBM have created their own models and PoVs.
The new Zero Trust Model emphasizes gaining visibility across all traffic – user, device, location and application – through:
- Adopting the least privilege model while enforcing robust access control and compliance.
- Authenticating and verifying access to all resources.
- Utilizing context to enforce finer granularity across security policies, controls and actions.
- Integrating cross-tool security platforms.
Zero trust does not operate inside or outside an invisible security perimeter. It is a philosophy that lives in the interplay between users, devices, and application workloads. Multi-factor authentication (MFA) reduces the attack surface across organisations. Logging and monitoring are important across all organizations regardless of industry. In part, this is because they indicate the time frame and origin of a cyber attack. The sooner these elements are determined, the sooner action can be taken.
Zero Trust is also a great fit for organizations as they journey to the cloud. Because public clouds are insecure, resiliency must be at the forefront of consideration as their environments are built. People are skipping the VPN in favour of connecting directly to the cloud. Because of this, everything needs to be encrypted to maintain a secure environment. This approach contradicts the conventional castle and moat models, but 100% encrypted communication is the way to go in the cloud environment. The cloud environment is made secure, in part, by encrypting data at rest, in motion and at the edge.
IBM has the broadest range of security technologies and services that can help clients on their journey to understanding and implementing Zero Trust:
- IBM Security Verify for Workforce IAM supports identity and access management in the cloud
- IBM Guardium Data Protection enables data discovery and classification
That being said, there is no single technology you can buy and implement that delivers 100% Zero Trust capabilities. Zero Trust is a journey, not a destination, and IBM Security is happy to partner with you on that journey.
Identity is now an essential aspect of every organization worldwide, and therefore trust is no longer just a theoretical security concept.