Authored by: Joe Schulz, Orasi VP, Emerging Technology.
App evolution as the ZTS catalyst and how to plow through 2023
With crazy weather hitting all parts of the US, it’s easy to correlate the disruption and fallout felt throughout communities to what internet security is like without Zero Trust Security (ZTS). Large-scale ransomware blizzard attacks happen more often than anyone admits, making internet security a top 2023 concern for companies.
But why is internet security such a big problem now? We’ve had hackers and computer viruses for as long as we’ve had computers, so what makes today’s environment so different?
A look back helps us see ahead
The answer forces us to think about application evolution. When companies first started using applications to process critical business data, everything was highly centralized on mainframe computers. In that environment we controlled physical access to everything. No one could get to machines and data without being granted entry. Physical barriers decreased data piracy.
Consequently, there was little “hacking” (by today’s standards). Trust between employer/employee was also greater. In that centralized environment, security policies focused mostly on building a tight security boundary around application hardware – often referred to as the “castle and moat” model. That approach was like adding locks and installing a burglar alarm around the perimeter of a home. Everything inside the boundary was secure because we aggressively controlled who got in.
However, even in “the old days,” data theft and misuse occurred. It didn’t happen as often, but authorized individuals would still steal confidential information and use it dishonestly. It might happen for personal gain, emotional retaliation or corporate sabotage, but it happened because no security boundary could ever be completely watertight.
Fast forward to the dawn of personal computers and mainstream use. Systems began to decentralize. Employees were granted remote access from distant offices and home workplaces. This immediately introduced the possibility of data in-flight being at risk or viruses being transmitted back to the central “castle,” and so the rise of modern-style hacking started making the news more often.
In response, security teams tightened the security boundary. They added measures like VPN tunnels to protect data in-flight, but all that did was stretch the border further. As an industry, we didn’t really try to change the basic “castle and moat” philosophy. We just extended the moat to cover outlying locations. Luckily, the actual data was still mostly centralized, so those security band-aids helped mitigate threats.
Zero Trust in today’s modern application environment
More recently, corporate application development has embraced truly distributed architectures and cloud technologies. Redundant application architectures and container approaches dramatically increase application reliability and reduce costs. As a result, application development teams are more efficient and productive than they’ve ever been before.
The downside to this revolutionary approach is that “castle and moat” security strategies have been rendered obsolete. There are far too many leaks in security fences when applications are built that way. We can’t physically control every endpoint that might need access and still maintain the universal availability goal. Modern revenue systems, especially, rely on widespread access and nearly instantaneous processing to achieve market share targets.
That’s where Zero Trust Security (ZTS) comes in. ZTS takes those changes into account. Rather than trying to build a bullet-proof border with few controls inside, ZTS assumes assailants already have access. ZTS policies manage access to each piece of information based on a verified identity.
Continuing with the home security analogy, it’s like assuming burglars will be able to get past your alarm system, so instead of just trying to control the perimeter you actively identify each person as they enter the premises. Then, you additionally control access to the individual things in your house based on that identity. Non-critical items (couch, rugs, tables) might not need much security because the cost of them being lost isn’t worth the trouble. More expensive items (electronics, jewelry, art) would need extra security (like a PIN code), so only family members and known guests can handle them. Highly confidential information (a safe, financial statements, passports) would require more extensive authentication (like a biometric control), to guarantee that only you can access them.
Today’s software market offers an array of ZTS tools to handle any level of application security. It’s important when selecting a partner to:
- Add controls on each piece of information based on a risk assessment.
- Validate each access attempt by identity as it’s made.
- Include multi-layer policy and auditing.
- Set up an expiration schedule for secrets.
- Automatically rotate secrets on a schedule or on-demand when nefarious conduct is suspected.
- Ensure data is protected whether in-flight or at-rest in the architecture.
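The checks in this list, sketched as a per-request policy decision function. This is an added example, not code from the article or from any ZTS product; the resource names, identities, tiers and secret age limits are constructed for illustration and follow the home-security analogy above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum

class Assurance(IntEnum):
    IDENTITY = 1   # verified identity only
    PIN = 2        # identity plus a PIN-style second factor
    BIOMETRIC = 3  # identity plus a biometric check

@dataclass(frozen=True)
class Rule:
    min_assurance: Assurance
    allowed: frozenset         # identities permitted to touch the resource
    max_secret_age: timedelta  # expiration schedule for the presented secret

@dataclass(frozen=True)
class Request:
    identity: str
    assurance: Assurance
    secret_id: str
    secret_issued: datetime
    resource: str

# Constructed policy mirroring the article's three tiers (all names hypothetical).
HOUSEHOLD = frozenset({"owner", "family", "guest"})
POLICY = {
    "couch":    Rule(Assurance.IDENTITY, HOUSEHOLD | {"contractor"}, timedelta(days=90)),
    "jewelry":  Rule(Assurance.PIN, HOUSEHOLD, timedelta(days=30)),
    "passport": Rule(Assurance.BIOMETRIC, frozenset({"owner"}), timedelta(days=1)),
}
REVOKED = set()  # secrets rotated on demand after suspected misuse
AUDIT = []       # every decision is recorded, allow or deny

def decide(req, now):
    """Evaluate one access attempt; network location earns no trust."""
    rule = POLICY.get(req.resource)
    if rule is None:
        verdict = (False, "no rule for resource: default deny")
    elif req.secret_id in REVOKED:
        verdict = (False, "secret revoked: rotate and re-authenticate")
    elif now - req.secret_issued > rule.max_secret_age:
        verdict = (False, "secret expired: rotate and re-authenticate")
    elif req.identity not in rule.allowed:
        verdict = (False, "identity not permitted for this resource")
    elif req.assurance < rule.min_assurance:
        verdict = (False, f"step-up required: {rule.min_assurance.name}")
    else:
        verdict = (True, "allow")
    AUDIT.append((now.isoformat(), req.identity, req.resource, *verdict))
    return verdict
```

Every branch, including the denials, lands in the audit trail, and a resource with no rule is refused rather than allowed.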
While Zero Trust Security isn’t going to rid the world of hackers, it’s a required internet security element for 2023. Get ahead of the storm before you’re hit and left without power.