What business leaders need to know — and do — about zero-trust security
You don’t need to be in IT to have a role in fighting ransomware and other cyber scourges.
If you’re a CEO these days, odds are that your CIO understands something you may not: Your company’s cybersecurity strategy is fundamentally flawed, and has been ever since your organization began using cloud-based services. What’s more, your CIO is probably scrambling to adopt a new approach you may have heard of: zero-trust security.
As a business leader, you need to understand that zero-trust is not just another buzzword. It’s a fundamentally different mindset that you will need to embrace — and the sooner you do so, the better. What most security professionals know, even if few are willing to say so, is that the traditional security model is critically flawed in the face of many modern threats. That makes this an emperor-has-no-clothes moment, highlighted by the recent spate of high-profile breaches. If you have been managing your company with a false sense of security … well, you don’t want to be the last one in your industry to realize it. There’s even a chance you could end up being held personally responsible for having knowingly kept your eyes shut to the dangers.
The good news is that it’s not too late to get started. While many companies have begun implementing zero-trust approaches and technologies, very few have complete implementations across their entire organization. Having spoken to hundreds of CEOs and management teams, I’ve distilled the basics of what non-tech executives need to know about zero-trust.
‘Castle-and-moat’ security doesn’t work in the cloud
Most companies still rely on “castle-and-moat” defenses, created when it was reasonable to think their systems could be hermetically sealed off from outside threats. Corporate applications largely ran on company-owned servers in company-owned data centers, and most of the users were employees sitting in a corporate office using company-owned PCs, on the company’s private network. This is why, for all those years, you’ve needed a VPN just to log in over a wireless network.
Those days are long gone, courtesy of the cloud, the shift to remote work and a better understanding of modern security threats. Modern infrastructure is a mix of applications running in private data centers, public clouds and SaaS solutions such as Salesforce and Workday. Users are just as likely to be working from home, coffee shops or co-working spaces as in the corporate office. They might be using company-provided laptops or their personal phones and devices. The shift to the cloud is accelerating as organizations rush to innovate and deliver better experiences, while the changing nature of work is improving the employee experience and enabling people to keep working as COVID-19 upends everything.
Security is always a cat-and-mouse game between the defenders and attackers. With a castle-and-moat approach to security, the defenders must perfectly protect everything, because a single breach allows an attacker to get to private networks and quickly gain access to sensitive data and systems. This opens new vistas for cybercriminals to exploit. A bad actor can compromise just one application, or they could use phishing attacks targeting employees, or find ways to break into the many network devices a company uses. Target was famously compromised and lost credit card data because an attacker targeted a Wi-Fi-connected HVAC system.
The cleverest attackers meld many types of attacks into incredibly sophisticated schemes, like the SolarWinds attack in early 2020. Hundreds of companies, including some of the most sophisticated IT practitioners in the world, were shocked to discover that an update of network management software from a trusted vendor called SolarWinds had given broad access to hackers backed by a Russian intelligence agency.
In a static world, companies own the data center and the network, and can control who comes in and out of the building or restrict all traffic at a firewall, by IP address and so on. In a dynamic world, companies no longer own the networks, IPs and infrastructure are ephemeral, and the perimeter is gone.
Zero-trust is critical as cyberattacks rise
The number of cyberattacks is skyrocketing. In 2021, there were 1,862 publicly reported breaches in the U.S., up more than 68% from 2020. The cost of those breaches is also rising. According to IBM, the average cost of a successful cyberattack has risen to an all-time high of $4.24 million, up nearly 10% from the previous year.
One particularly disturbing trend is ransomware, a type of extortion in which bad actors cut off a company’s access to its own apps and data unless it pays a ransom. The number of such attacks more than doubled in the first half of 2021, according to the FBI’s Internet Crime Complaint Center. Many were high-profile and brazen attacks on critical infrastructure such as oil pipelines, hospitals and local governments. And many attackers not only extorted money to restore access, but were “double-dipping” by selling the stolen data to others.
Zero-trust security is based on verified identity
Castle-and-moat setups work primarily by deciding what apps, people and devices are allowed inside the corporate firewall, and blocking those that are not allowed in based on the IP address of the device being used. In other words, they tend to grant full access or none at all.
Such a simplistic all-or-nothing approach doesn’t reflect the complexities of the cloud world we all depend on. Zero-trust security takes a more granular approach, allowing nuanced restrictions that consider the nature of the app, the user and other elements to decide if an interaction is safe. Under the zero-trust credo of “never trust, always verify,” every application, person and device must prove its identity before every session, and once authenticated only gets “least-privileged access” to corporate applications and data. While even the best zero-trust system might not have prevented the SolarWinds incident, it might have limited the damage by recognizing that the network management update had no business asking for access to the server that stored the passwords of the administrators who managed customer databases.
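To make the contrast concrete, here is an added example (not code from the article or from any product it mentions) that evaluates the same access requests under the two models described above: a castle-and-moat rule that grants full access to anything inside the corporate address range, and a zero-trust rule that requires a verified identity, an attested device and a least-privilege grant for the specific resource and action, on every request. The network range, identities, resources and sample requests are all constructed for illustration, and the last request mirrors the SolarWinds scenario in the text: a trusted network-management service asking for a credential store it has no grant on.

```python
"""Added example: castle-and-moat vs zero-trust access decisions.

Every name, address and grant below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set, Tuple

# Constructed corporate address range; the perimeter model trusts anything in it.
CORPORATE_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Request:
    source_ip: str
    principal: Optional[str]   # verified identity; None if the caller never authenticated
    device_attested: bool      # the device proved its identity and health for this session
    resource: str              # what is being accessed
    action: str                # "read" or "write"


# Least-privilege grants (constructed): each identity gets only the resources
# and actions its job actually requires, nothing more.
GRANTS: Dict[str, Dict[str, Set[str]]] = {
    "alice@corp.example": {"customer-db": {"read"}},
    "svc-netmgmt-updater": {"network-devices": {"read", "write"}},
}


def castle_and_moat(req: Request) -> Tuple[bool, str]:
    """Perimeter model: the only question asked is 'is the source IP inside?'."""
    if ip_address(req.source_ip) in CORPORATE_NET:
        return True, "allow: inside perimeter, full access"
    return False, "deny: outside perimeter"


def zero_trust(req: Request) -> Tuple[bool, str]:
    """Never trust, always verify: identity, device and scoped grant, every request.

    The reason string is returned so a deny can be logged and investigated.
    """
    if req.principal is None:
        return False, "deny: caller not authenticated"
    if not req.device_attested:
        return False, f"deny: device of {req.principal} not attested"
    allowed = GRANTS.get(req.principal, {}).get(req.resource, set())
    if req.action not in allowed:
        return False, f"deny: {req.principal} has no '{req.action}' grant on {req.resource}"
    return True, f"allow: {req.principal} may {req.action} {req.resource}"


# Constructed requests that show where the two models disagree.
SAMPLE_REQUESTS: Dict[str, Request] = {
    # On the corporate LAN but never proved who they are.
    "unauthenticated_insider": Request("10.20.30.40", None, False, "customer-db", "read"),
    # Remote employee on an attested laptop doing her normal job.
    "remote_employee": Request("203.0.113.7", "alice@corp.example", True, "customer-db", "read"),
    # Same employee exceeding her read-only grant.
    "employee_overreach": Request("203.0.113.7", "alice@corp.example", True, "customer-db", "write"),
    # Trusted updater service, inside the network, reaching for admin credentials.
    "updater_lateral_move": Request("10.1.1.5", "svc-netmgmt-updater", True,
                                    "admin-credential-store", "read"),
}


def compare(req: Request) -> Tuple[bool, bool]:
    """Return (castle-and-moat decision, zero-trust decision) for one request."""
    return castle_and_moat(req)[0], zero_trust(req)[0]


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:24s} moat={castle_and_moat(req)[1]:40s} zt={zero_trust(req)[1]}")
```

The perimeter rule says yes to the unauthenticated insider and to the updater service reaching for the credential store, and no to the legitimate remote employee; the zero-trust rule inverts all three while also refusing the employee's out-of-scope write. Returning a reason with every denial is what lets a security team detect and investigate the lateral-move attempt rather than silently dropping it.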
Business leaders can help by supporting zero-trust security
As the scourge of cybersecurity breaches makes clear, zero-trust security is not easy to achieve, even for the most sophisticated Internet companies. It will always be a work in progress.
But as a business leader, you can take measures that will have a huge impact on your organization's security. Here are some of my suggestions:
- Continue to fund security. Security budgets have soared in recent years, but zero-trust does require investment in new technologies, processes and capabilities. For example, most companies have IT specialists who understand how to track the identity of people to understand what they are authorized to see. Far fewer have people who are also expert in understanding the precise identity of machines.
- Give top-down support. By showing an appreciation for and understanding of zero-trust security, you can break through a lot of organizational and cultural logjams. Support your CIO’s and CISO’s efforts to convince business unit executives that zero-trust is no longer optional if they want to remain competitive (and if they want to remain off the front pages because of data breaches).
- Embrace DevSecOps. This trend involves breaking down the three main silos in most IT organizations — the developers who create software, the security experts and the operations people who make sure services run smoothly — so that they collaborate throughout the process. It’s another buzzword, but in my experience it is absolutely a prerequisite to implementing zero-trust security. Modern approaches to security must be integrated into the application infrastructure and development process.
Maybe most essential: Take the time to understand that zero-trust security is not just a way to avoid breaches in a dangerous world. It’s an essential requirement for business success in the cloud era. Zero-trust principles are the best way to let your company confidently push forward with new services, improve existing ones and reap the full benefits of digital transformation projects.