With new threats emerging to and from the data economy, a zero trust IT security approach can solve some of the problems that come with digital transformation, said Jeff Pollard, principal analyst at IT sector research firm Forrester at MeriTalk’s Akamai Government Forum on June 14.
“For the security leader that’s looking to make a different kind of case to explain what zero trust is … zero trust is a way to protect the apps, the engagement, and the experiences you deliver to your business,” said Pollard.
“Our infrastructure and our applications are under siege by attackers, and they’re also the things that generate our revenue. They’re also the things that connect us with our customers,” Pollard said. “Last year, of the organizations that experienced a breach from an external entity, 47 percent went after corporate servers. If your belief is that your organization is most likely to be breached because a user clicks on an email … you might be really, really wrong.”
So why is a zero trust approach needed?
“The reason why we rely on the idea of zero trust is because it solves the problem of the disappearing perimeter,” said Pollard. “Your users don’t work from the places they used to work. Your systems aren’t spun up in the way they used to be spun up. [With zero trust], you move from implicit permission to explicit permission,” he said.
The situation on the perimeter of the network is also worsening, bringing threats even closer.
“Trust is being eroded by bots that seek to distort messages, by data integrity concerns, by people that want to disrupt the information that they can trust,” said Pollard.
“We’re under attack from both cybersecurity adversaries and advertisers. What we’re now seeing is that advertisers are using cryptominers to permit use of content without viewing traditional advertisements. Advertisers and attackers are behaving in virtually the same way,” he said.
Pollard continued that this is a result of business models being driven by advertising, and that forces administrators to figure out how to respond. “Once you sell information, once you begin to be a participant in the data economy, you lose all control over how that data is used.”
How can agencies move to a zero trust model?
Pollard pointed to an ecommerce site as an example of a strong zero trust approach, where components only communicate to other components when necessary. He noted that credit card information only touched one aspect of the network, which reduced the risk of a lateral attack.
Pollard said that a zero trust ecosystem should have data at its core, with components for the devices, the people, the workloads and the network. “You’re going to need security technologies and controls that can satisfy this across your ecosystem, and that’s going to be on the network. When we say the disappearing perimeter, we don’t mean that the network is disappearing. It just doesn’t have an edge anymore.”