At a theoretical level, implementing zero trust networking makes a significant amount of sense. Cybersecurity threats can come from anywhere—outside or inside the network, and even start in one place then move to another. Adopting a “Never trust, always verify” mindset can help organizations tamp down on application- and services-related vulnerabilities, thereby reducing friction for the rest of the organization. While the concept of zero trust is starting to catch on within the security community, the security program doesn’t (or shouldn’t) live inside a silo. Thus, security teams may have to justify why zero trust makes sense for the organization, especially if affected business unit leaders are wary of changes coming from the security team (and historically they have reason to be). Even if the network in question is cloud-based and therefore not internally managed, it’s helpful to be able to explain to colleagues what’s going on and why.
Below we’ve outlined the top business benefits of moving to a zero trust model, which may alleviate fears of potential negative impacts (that is, if you’re on the fence but looking for a more thorough way to secure data, applications, users, and hosts) and be used to garner support from business colleagues.
1. Decrease risk by discovering assets and improving visibility
One major blind spot many organizations have is not knowing precisely what data they hold, where it resides, and how it travels. After all, how can you secure it if you don’t know it exists? With the proliferation of mobile devices, IoT, and rapid and continuous deployment of new applications and services, IT and security teams are hard pressed to achieve 100% visibility (when using traditional address-based tools and techniques) into every data packet that traverses the network. With zero trust, however, any application or service that attempts to communicate inside the network is first identified, then assumed inherently untrustworthy, and automatically disallowed from communicating unless its identity fingerprint is verified. In this way, security, IT, and networking teams can use zero trust to understand what’s already on the network and what’s trying to get there.
Further, because data flows are mapped, a zero trust network provides better visibility into the network and associated risks. And what business leader doesn’t like to hear about reduced risk?
2. Gain greater control in your cloud environment
Security practitioners’ biggest and longest-held fears of moving to and using the cloud are loss of visibility and lack of control. Despite the evolution in cloud service providers’ (CSPs’) security due diligence, workload security remains a shared responsibility between the CSP and the organization using the cloud. That said, there is only so much the organization can affect inside someone else’s cloud.
Zero trust, though, was tailor-made for any type of network, including public or hybrid clouds. A zero trust network restricts communication by allowing only workloads verified by their identity fingerprint to communicate. Because zero trust is application workload centric (rather than perimeter or endpoint centric), security teams have greater control over the application workload itself. Any time a workload fails to match its expected identity attributes, it is not allowed to communicate, which means attackers have a much harder time achieving east-west (lateral) movement, the kind that’s so hard to detect in traditional network environments.
3. Achieve lower breach potential
Building on the points above, because the zero trust model is focused on the workload, it’s easier for security teams to identify and stop malicious activity involving data. A zero trust network continuously inspects workloads for deviations from their intended state and prevents those that are unverified from communicating anywhere on the system—to and from command and control, and between hosts, users, or applications (and any combination thereof). Any altered application or service, whether the alteration is a result of adversarial activity, misuse, or accident, is automatically untrusted until it can be verified again through a set of policies and controls (which may be automated or manual, depending on the tools in use). Additionally, even when verified and approved, communication is restricted on a “need-to-know” basis, i.e., access is locked down to only the users, hosts, or services that fundamentally require it.
This inherent distrust results in decreased breach potential and therefore decreased risk, not to mention lower costs for cleanup and mitigation (since there are fewer breaches to handle).
4. Aid compliance audit initiatives
Every security pro knows that compliance ≠ security, yet that doesn’t eliminate the compliance burden. Auditors have the ear of executive teams, if for no other reasons than failed audits can lead to disruption and financial impact. Security teams, therefore, must play nicely in the audit sandbox.
Audits, for their part, aren’t meant to be the playground tattletale but the reality is that IT audits, in particular, are focused on highlighting technology weaknesses. This means that any problems with data access or the systems that maintain them are subject to scrutiny. Anything security teams can do to shore up weaknesses before an audit occurs not only smooths the audit process but also ratchets up protection.
With zero trust in place, auditors (and others in the organization) gain clearer insight into what data flows the organization has and can see how workloads are communicating—securely—throughout the network. Zero trust reduces the number of places and ways network communications can be exploited, which results in fewer negative audit findings and less remediation work for the security team.
5. Increase business speed and agility
Today’s businesses strive to operate at lightning speed, and address- and port-based security controls can be contrary to those initiatives. Whenever a port is blocked or a host is shut down because of a possible intrusion, for instance, employees are unable to access data or services required to do their jobs. When a breach occurs, multiple disruptions accompany it. If the development team goes to deploy an app and security says, “No, stop. That’s insecure,” release is halted (and frustrations flare).
The ability to move continually forward and pivot on a dime is a highly coveted business goal, and a zero trust network allows that to happen because it works seamlessly in the background. Protection travels alongside the workload rather than sitting at a security “checkpoint” (i.e., the perimeter), meaning that any blocked or disallowed communication is isolated and interruptions to speed and agility are contained. In other words, in a zero trust network, security is not constrained by static network constructs that slow it down.
6. Alleviate organizational friction
Software and applications dominate business, and the formation of DevOps paved the pathway for today’s rapid development. The advent of containers and other dynamic, distributed development and staging environments has allowed DevOps teams to work even more efficiently but has introduced increased numbers of vulnerabilities which are near-impossible for security teams to manage with traditional controls.
In the past, security either tried to nose its way into the DevOps process or bolted protections onto already-deployed software, neither of which worked well. The problem with both approaches is translating application “speak” into network “speak”; too much manual intervention is required, and it slows down what is meant to be an accelerated process.
Zero trust knocks out these issues by effectively enveloping applications in protection. As applications are deployed, they are assigned an identity fingerprint. Provided that fingerprint remains the same or matches that of an already-verified application, it is allowed to communicate freely. Changes or updates to the app don’t necessarily change the fingerprint—in the same way that a new outfit or visit to a new city doesn’t alter a person’s identity—which means that DevOps can conduct business as usual and not have to worry about security raining on their parade. In the sense that software and services create business opportunities, any approach security can adopt (such as zero trust) that tames tensions and aligns with business priorities—while introducing greater protection—is a win.
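The mechanism sections 1 through 3 and 6 describe (workloads identified by a stable identity fingerprint, default-deny communication, verification before any flow is allowed, need-to-know rules between verified workloads, and a fingerprint that survives legitimate updates but not tampering) can be shown in a small policy engine. The code below is an added illustration written for this page, not the product or tooling the post describes; the workload attributes, signing-key names, service names, ports and source strings are all constructed, and HMAC stands in for whatever code-signing scheme a real deployment would use.

```python
"""Toy zero trust workload-identity policy engine (added illustration, not the page's own code)."""
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed trust store: code-signing keys the policy engine recognizes.
# In a real deployment these would be public keys, not shared secrets.
SIGNING_KEYS = {
    "key-web-1": b"constructed-web-key",
    "key-payments-1": b"constructed-payments-key",
}


@dataclass(frozen=True)
class Workload:
    name: str          # service name, e.g. "payments"
    namespace: str     # deployment environment, e.g. "prod"
    signer: str        # id of the code-signing key; stable across releases
    version: str       # release tag; deliberately NOT part of the identity fingerprint
    image_digest: str  # hash of the deployed artifact
    signature: str     # HMAC over image_digest by the signer (stand-in for real signing)


def sign(signer: str, image_digest: str) -> str:
    """Constructed signing step: HMAC the artifact digest with the signer's key."""
    return hmac.new(SIGNING_KEYS[signer], image_digest.encode(), hashlib.sha256).hexdigest()


def build(name: str, namespace: str, signer: str, version: str, source: str) -> Workload:
    """Simulate a release: hash the artifact, then sign the digest."""
    digest = hashlib.sha256(source.encode()).hexdigest()
    return Workload(name, namespace, signer, version, digest, sign(signer, digest))


def identity_fingerprint(w: Workload) -> str:
    """Who the workload is (namespace, name, signer), not which build it is.
    A new version signed by the same key keeps the same fingerprint."""
    return hashlib.sha256(f"{w.namespace}/{w.name}@{w.signer}".encode()).hexdigest()[:16]


def verify_integrity(w: Workload) -> bool:
    """Deviation check: the running artifact must still match its signature."""
    key = SIGNING_KEYS.get(w.signer)
    if key is None:          # unknown signer: never trusted
        return False
    expected = hmac.new(key, w.image_digest.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, w.signature)


class ZeroTrustPolicy:
    """Default-deny: a flow is allowed only between verified workloads with an explicit rule."""

    def __init__(self):
        self.allowed = set()    # (src_fingerprint, dst_fingerprint, port)
        self.decisions = []     # audit trail of every flow seen, allowed or not

    def allow(self, src: Workload, dst: Workload, port: int) -> None:
        self.allowed.add((identity_fingerprint(src), identity_fingerprint(dst), port))

    def decide(self, src: Workload, dst: Workload, port: int):
        if not verify_integrity(src):
            verdict = (False, "deny: source failed integrity verification")
        elif not verify_integrity(dst):
            verdict = (False, "deny: destination failed integrity verification")
        elif (identity_fingerprint(src), identity_fingerprint(dst), port) not in self.allowed:
            verdict = (False, "deny: no need-to-know rule for this flow")
        else:
            verdict = (True, "allow")
        # Every attempt is recorded, which is the visibility benefit the post describes.
        self.decisions.append((f"{src.namespace}/{src.name}:{src.version}",
                               f"{dst.namespace}/{dst.name}:{dst.version}", port, verdict[1]))
        return verdict


def run_demo():
    """Exercise the engine on constructed workloads; returns the verdicts and the audit trail."""
    web = build("web", "prod", "key-web-1", "1.0", "web source v1")
    payments = build("payments", "prod", "key-payments-1", "1.0", "payments source v1")
    db = build("db", "prod", "key-payments-1", "1.0", "db source v1")

    policy = ZeroTrustPolicy()
    policy.allow(web, payments, 8443)   # web may call payments
    policy.allow(payments, db, 5432)    # payments may call db; web may not

    results = {}
    results["web->payments"] = policy.decide(web, payments, 8443)
    results["web->db"] = policy.decide(web, db, 5432)                # no need-to-know rule
    # Tampered artifact: digest changed, signature left as it was -> fails verification.
    tampered = replace(payments, image_digest=hashlib.sha256(b"altered build").hexdigest())
    results["web->tampered"] = policy.decide(web, tampered, 8443)
    # Legitimate update signed by the same key: same fingerprint, existing rule still applies.
    payments_v2 = build("payments", "prod", "key-payments-1", "2.0", "payments source v2")
    results["web->payments_v2"] = policy.decide(web, payments_v2, 8443)
    # Workload claiming the payments name but signed by an unknown key: denied.
    rogue = Workload("payments", "prod", "key-unknown", "1.0", "00" * 32, "00" * 32)
    results["rogue->db"] = policy.decide(rogue, db, 5432)
    return results, policy.decisions


if __name__ == "__main__":
    verdicts, audit = run_demo()
    for flow, (ok, why) in verdicts.items():
        print(f"{flow:20} {why}")
```

The fingerprint is built from namespace, name and signer only, which is what lets the 2.0 release pass under the rule written for 1.0, while the tampered artifact (same name, same signer, but a digest the signature no longer covers) is refused before any policy lookup. The `decisions` list is the audit artifact: it records every attempted flow with the reason it was allowed or refused, which is the kind of evidence section 4 says auditors want.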