Here’s how zero trust can help organizations without impeding productivity
The shifting cyberthreat landscape continues to be one of the greatest challenges organizations face today. The only constant we can rely on is that year in and year out, cyberthreats will continue to increase exponentially in both quantity and scope.
It is imperative that organizations understand the potential risks and how they can defend against them, because existing cybersecurity approaches are simply too little, too late. According to Cybersecurity Ventures’ “2019 Annual Cybercrime Report,” annual cybercrime costs will reach $6 trillion worldwide by 2021.
Introduced almost a decade ago, the concept of zero trust can be encapsulated as “trust no one, verify everything.” Ultimately, those using the web for both professional and personal purposes should not trust anyone or anything to access their network, whether it originates externally or from within, but should rather verify that every request—and requester—is legit. This approach is being adopted widely by IT teams seeking to improve their organizations’ cybersecurity posture and is supported by a multitude of new micro-segmentation solutions that have been created to enable implementation.
The zero trust approach promotes enforcement of granular security policies that allow organizations to control the visibility and communications that are—and are not—allowed between all network access points and individuals. All devices, networks and IP addresses are micro-segmented and individual access is restricted to conform with security and user authentication policies.
Micro-Segmentation and Authentication
Implementing micro-segmentation and authentication is a complex, multistep process that requires a complete understanding of network traffic patterns, user permissions and responsibilities, and application usage. IT teams must map large numbers of data access and processing requirements across every individual in an organization and each device that is used, including third-party actors. Minute changes to authentication processes or missteps in configuration can have a negative impact on the user experience and significantly hinder productivity. Whenever employees, devices and processes are added or removed, policies and permissions must be updated and managed. Thus, zero trust requires ongoing updates, adjustment and fine-tuning.
Do Zero Trust Organizations Really Trust No One?
Surprisingly, there is one major area of risk that is not covered by the zero trust toolkit. Web browsing plays an integral role in today’s business environment and, together with malicious email, is the most common and effective vector through which malware enters and penetrates organizations. No matter how segmented your network is, browser-based malware such as ransomware variants, cross-site scripting attacks and drive-by downloads will not be prevented from entering and establishing a foothold in your network.
Zero trust advocates recommend whitelisting trusted sites while denying access to all other sites as a solution. However, this notion of restricting access to all but known-to-be-needed sites negatively affects productivity and frustrates employees. Users must repeatedly request access and stand by while their requests are addressed, and IT staff is required to handle a constant stream of access requests.
Even if organizations could accurately whitelist every site to which users might need access, there is no assurance that those whitelisted sites are indeed safe. Even the most reputable sites have unknowingly run malicious ads or suffered malware infections. While URL filtering, anti-phishing software, web gateways and other detection and signature-based solutions can stop most attacks most of the time, they operate based on the assumption that a secure perimeter can be established by identifying and stopping malware before it gets in—an assumption that has been proven wrong time and again.
For absolutely impenetrable security, no website should be trusted automatically. Yet, for businesses to function smoothly, users must be able to access the sites that they need quickly and easily.
Zero Trust for the Web
Remote Browser Isolation (RBI) is based on the premise that nothing from the web is to be trusted. Every download, website and piece of content is deemed suspicious. With RBI, all browsing happens remotely, on a virtual browser in a disposable container located in a DMZ or in the cloud. A clean content stream sent from the remote virtual browser to the user’s browser of choice on the endpoint enables natural interaction with all websites and applications in real time, without the hassle and annoyance of access requests. Once the user is done browsing, the container and all its content are disposed of. No website content ever touches user devices or the networks to which they are linked.
Remote browser isolation brings the zero trust concept to browsing by trusting no website to touch organizational devices or networks. It prevents browser-borne executable code from reaching user devices or organizational systems and proactively isolates all threats, known or unknown, where they can do no harm.