This article first appeared on SCMagazine.com on March 30, 2021.
During the pandemic last year the brilliance of information security personnel was on full display, as businesses transitioned to a remote-first approach. Sure, this meant the implementation of a cocktail of security measures, but it also pushed companies to inevitably (and finally) adopt a Zero Trust security model, which had been non-existent or piecemeal at best in many companies for the last decade.
While companies were comfortable applying a Zero Trust approach to specific parts of their business, say finance or legal, it seemed way too complicated, error-prone and unnecessary in our pre-pandemic, on-prem lives to apply across the organization. Yet when businesses had to suddenly move to newly remote, digitally-enabled working environments it became clear that the “protect the fort” mentality of the traditional network security model was no longer relevant.
With Zero Trust, all users — including those inside an organization’s enterprise network — are authenticated, authorized, and continuously validated before being granted or maintaining access to applications and data. This means one-time validation doesn’t cut it. Hence the need for technologies and security measures, such as advanced anti-malware, integrity monitoring, authentication technology, data encryption, and multifactor authentication.
There’s a tremendous upside to leaning into Zero Trust. Despite what our ethos once dictated, many of these SaaS tools are natively more secure than on-prem storage. Even more, these tools are often much more user-friendly than the VPNs we once required. And when users are happier, they’re far more likely to carry out compliant behaviors than search for workarounds or not access at all.
Yet the benefits of Zero Trust extend beyond changing how businesses think about and manage security. The inherent nature of an organization-wide approach to Zero Trust can actually drive better business outcomes. Here are four ways how:
1. Reduce the time and cost of compliance.
An audit with 500 controls in scope versus 100 controls will take much more time and resources to audit – and it’s going to cost a lot more to do so.
By nature, Zero Trust networks are segmented. This means that companies can automatically reduce the scope of regulations and compliance audits because only required network segments are in scope for regulations once it’s been segmented. When companies spend thousands of dollars on audit fees, the money it can save on external auditor fees, as well as the time it gives back to internal resources, adds up fast.
2. Integrate security and compliance.
At most organizations, IT specialists have their own unique set of priorities across networks, operations, storage, and security. With the inherent visibility and transparency of a Zero Trust network, when security incidents or network outages occur, they can work more cohesively and efficiently to resolve issues.
Additionally, with Zero Trust, compliance teams can see what’s happening at the security level, making security and compliance a more integrated function within an organization. For instance, if a system goes out of compliance at a bank it can make sure security knows about it in real time. Now the company not only reduces risk, it can ensure that its systems are compliant and secure at the same time.
3. Empower digital transformation.
How many more times do people have to hear about digital transformation? It’s the most overplayed buzzword of the decade. But there’s really no way to skip its significance, especially now, when the majority of our workforce has gone digital.
It’s hard enough to transform business processes and employee behavior, let alone implement new technologies with the right privileges and data protection without holding up work. The segmented nature of Zero Trust means that security teams can support the introduction of new services without disrupting the business as a whole and increase the adoption of connected devices with greater visibility. This results in improved operational control and network security.
4. Better secure the business — and it’s future.
Nobody wants their company in the news for a massive breach. Such data breaches are devastating to any business and increasingly common. It’s become very easy for hackers to inject malware onto an employee’s computers within the firewall, leading to data exfiltration. The consequences are dire: stolen identities, loss of intellectual property, damaged reputation, and enormous costs to clean it all up.
The continuous verification and validation of Zero Trust makes it harder for the bad guys to penetrate. And while embracing Zero Trust will require educating the workforce, it’s not that hard to take the extra step, certainly not when compared to the negative consequences of not doing so. Plus, it helps build a greater awareness of risk and fosters a culture of security across the organization.
For those who thought Zero Trust was a stopgap until business could resume as usual, think again. While some organizations may have stumbled upon a Zero Trust model in their application of overnight remote access, according to the National Association of Business Economics, only about one in 10 companies expect all employees to return to the physical office. As technologies to support Zero Trust continue to move into the mainstream, adopting, refining, and committing to a Zero Trust model will not just transform how the company thinks about and manages security: it will actually transform the business.