Only trust zero-trust!

The COVID-19 pandemic and resulting global lockdowns gave way to several months-long remote work arrangements. While some have started going back to their offices in varying capacities, a large number of organizations have preferred to play it safe and take the long-term work-from-home route. One of the primary challenges any organization faces whether working from office or remotely is security. While this was on the agenda for every business to address pre-Covid, the pandemic has made its importance even more evident.

Move over VPNs

Imagine this scenario: You have ordered a repairman to check on your washing machine, which seems to be broken.  When he arrives, would you hand over the house key saying: "the washing machine is in the bathroom, down the hallway passage, second door on the left," and then leave? Most of us will certainly not let him wander around the house unattended and will stay and keep an eye on the technician to check if he is doing his job. And yet when it comes to enterprise security, Virtual Private Networks (VPNs) are doing just that. Once a user logs in, the VPN lets them proceed without any restraint.

All the attacker has to do is gain access to an unsecured home office device or manage to get a remote user's credentials and the traditional VPN will give an all-access pass for them to roam the company network freely. Simply put, VPNs offer too much access. How does one then tackle this issue? Many enterprises have also found out the hard way that, scaling VPN’s from 5 percent of the user base to closer to 100 percent is not easy on the attendant infrastructure, elevates security risks and does not cover securing resources that are not on-premises elegantly, if at all.

The new frontier

With digitalization set to drive $6.8 trillion IT spending from 2020 to 2023, according to a recent analyst report,it is clear that businesses are looking to move towards better and more secure enterprise tech solutions. As ironic as it may sound, it is called ‘Zero-Trust’. Zero-Trust is neither a product nor a solution. It is simply the concept that trust between people and access must be constantly earned – never trust, always verify.

Zero-Trust is achieved through a collection of products that have zero-trust principles built-in or an intentional implementation of a framework, that integrates and provides a collective approach to achieve the business outcomes. Devices connecting to the network are inspected just as thoroughly, for example by checking ownership (company-owned, privately owned) or whether the patch level is up to date. At the same time, company data is protected by limiting access to the resources users actually need for their roles. Thereby causing a significant reduction in the surface of attack, Zero-Trust network access provides controlled access to organization’s resources.

Another interesting aspect of zero-trust solutions is the use of Machine learning (ML)to continuously monitor end-user and endpoint activities, comparing them to behavior patterns and company policies. A recent survey by a leading analyst firm also ranked India as the world’s most digitally dexterous country, with 67% of digital workers in India attributing emerging technologies such as machine learning (ML), artificial intelligence (AI), etc. to the increase in their work effectiveness.

A rising need

By extending security beyond the perimeter and abiding by the principle of least privilege in times when people can be working from the most remote of locations, the Zero-Trust approach is proving to be a lifesaver for most organizations in India and globally. A huge advantage in an industry short of skills, it also uses automation to help security teams focus on their most important tasks. For today’s world where, accelerated by the crisis, remote work has become the new normal, CISOs are turning towards the network-centric Zero-Trust.

A Zero-Trust network won’t simply hand over the house keys to the repairman, but first ask them for proof of ID. It will then lock any doors except that of the bathroom, knowing exactly where the technician is and what he is doing. And if he does anything suspicious, it will automatically inform the homeowner.

Ultimately in this day and age where data in paramount, the companies that are able to protect their data will be the ones who stay one step ahead of the competition. Therefore, when the work environment has moved beyond the four walls of the office, incorporating a zero-trust philosophy and providing adaptive access based on the appropriate level of risk is slowly turning out to be the sine qua non of modern security.

By Vijay Jayaraman, Director - System Engineering, India & SAARC, Citrix