As more and more companies move to the cloud and the adoption of Internet of Things (IoT) devices continues to grow, businesses and consumers have become increasingly dependent on digital technology over the last few years. Big technology and digitalization have forced customers to share their personal data at an unparalleled pace, resulting in an exponential rise in the amount of data collected by organizations. For corporations and cybercriminals alike, data is now a valuable asset.
The perimeter of a network becomes fragile and less well defined as companies manage their data across various applications and environments, on-premises or hosted in the cloud, and as users gain access to data through more interfaces. The threat surface expands as the edge becomes untenable.
To reach your sensitive information, cybercriminals are moving beyond the desktop to connected devices. It is no longer adequate for security leaders to secure their networks only at the perimeter. As the perimeter lines become blurred, a much more rigorous approach is needed to protect the network and vital assets of the company, which means concentrating on the data itself and following a zero-trust security model when it comes to accessing the data.
According to Forrester Research, zero-trust is a fundamental transformation of corporate security from a failed perimeter-centric approach to one that is data-centric. The conventional approach to security was to enforce perimeter-based defenses, grant legitimate access to data assets, and generally trust insiders. However, it is becoming more difficult to protect against a breach as networks and applications become more decentralized.
While organizations have comprehensive edge protection mechanisms in place, breaches still occur due to incidents from both within and outside the organization. Insider breaches can be more difficult to identify and can occur due to a lack of care when handling information or because the security teams monitoring sensitive applications are overwhelmed by the sheer number of events. Fifty-four percent of businesses have acknowledged that when they are stressed, they tend to ignore security warnings.
A malicious insider’s actions can also trigger breaches. The zero-trust model does not place much weight on the distinction between insider and outsider. That is to say, it trusts no one.
A shortage of qualified security professionals stood out as a major problem in a survey of CISOs by The Ponemon Institute. Sixty-five percent of respondents reported “insufficient in-house expertise” as a top reason they will likely have a data breach. The survey also revealed that sixty percent of respondents were worried about a breach caused by IoT devices. Sixty-five percent think they will suffer credential theft because a reckless employee is compromised.
Another study found that sixty-six percent of companies are more likely to consider malicious internal threats or unintended breaches than external attacks, with a high percentage also finding them more disruptive. So how can you prevent a breach from the inside? It isn’t sufficient to know where your personal data is kept. The zero-trust model implies that you also know what the information is, who has access to it, and why.
To fully embrace the zero-trust model, security professionals need to take a “cradle-to-grave” approach to monitoring requests for data access by individuals or devices, regardless of whether the access request originates from inside or outside the perimeter of the network.
This approach uses data analytics and insight to capture a detailed data flow, beginning from the initial access request, traversing all applications and middleware, and recording what is done with the data and by whom once it is reached. From that record it highlights irregular patterns and flags possible threats. The zero-trust model represents a radically new mindset that requires granular visibility of data access across the entire network estate.