What Is Perimeter Security?
Before Zero Trust, most organizations relied on corporate-issued devices running on the local network. Most IT security models were based on protecting an internal, trusted network that was connected to an external, untrusted network. This security model is referred to as ‘perimeter security’ and it is a style of defense much like the medieval castle: something that made perfect sense in its time. Organizations built their (fire)walls and other security measures to keep non-authenticated users out. In this model, everything inside of the castle is yours. You don’t want outsiders using your things, so you put in a portcullis and a moat, to regulate who gets access to your stuff. Which means whoever has the key, that person can come in and do whatever they want inside your castle walls.
In this model, everything that is inside the castle walls is automatically trusted. If a person is inside the castle, that means this person has full access to all resources. Because they are on the inside, we trust the user based on where they are and not who they are. If you are inside the network, you are one of us; and, if you are outside, you are one of them and don’t get access. This model worked well for a long time; however, operating realities have changed and the perimeter has been blown away with the advent of Cloud-based services, remote workers, and bring-your-own-device policies. It’s a brave new world where we no longer have a well-defined network perimeter, and we need to adapt our security models to the new operating reality.
Enter Zero Trust: The New Security
Zero Trust is a security architecture that moves away from inherent trust in the network, or put another way: just because a device is on the internal side of the firewall, it should not be automatically trusted. Instead, zero trust evaluates each transaction individually by developing a context for each request by assembling a number of data points on the user, device, network, and session that can give the confidence needed to grant the user access to a resource.
One of the key tenets of Zero Trust is that each individual resource has its own security protocol with the ability to authenticate and authorize based on the identity provider. This model is all about consistently enforcing access controls based on the continuous re-evaluation and application of security policies. This approach reduces the severity of a breach if a user’s credentials are compromised by re-evaluating security policies and shutting down untrusted transactions, devices, etc. Zero Trust focuses on active monitoring, granular risk-based access controls, and automated risk mitigation to protect data and other digital assets in real time.
Cyber Threats Are Real, And Here Now
Cyber threats are growing in number and are becoming more sophisticated. The traditional security perimeter is an antique, and the future lies in adopting a zero trust architecture to support the reality that users can (and will) work from anywhere. Zero Trust offers a scalable-model that continuously verifies security posture and compliance, while enforcing least-privileged access. The good news is that there is a new generation of tools that embrace the Zero Trust design by default, so getting there is easier than ever before.
Want to find out how to integrate Zero Trust into your organization’s network security plans? Talk to Idenhaus about the possibilities, to find out what Identity and Access Management pathways may be best for your organization going into the future. Contact us today to get started.