Digital transformation is reshaping every organization’s network and the way it does business. As organizations adopt cloud computing, mobile devices, and the Internet of Things (IoT), traditional security models and tools lose their effectiveness. This has driven a shift away from the perimeter-focused security model toward zero-trust security.
At the core of zero-trust security is identity management, and zero trust requires security solutions that integrate identity into every part of an organization’s cybersecurity strategy. This need for identity-focused security is why secure access service edge (SASE) has been labeled “the future of network security”.
Limitations of the Perimeter-Focused Security Model
Historically, many organizations have built their cybersecurity deployment on a perimeter-based model. An enterprise local area network (LAN) typically consists of organization-owned devices that connect to the public Internet through a single link. By deploying an array of security solutions at that point of connection, the organization can keep a large share of malicious traffic from ever entering the internal network.
Unfortunately, this model is no longer adequate, especially for the modern enterprise, because it rests on several invalid assumptions.
- Nothing Enters Except Through the Firewall
Perimeter-based defenses are designed to protect the enterprise at the network perimeter. The assumption is that any attack against the organization’s systems must pass through this point of connection. However, this assumption has never been true. Removable media, such as floppy disks and USB drives, have always made it possible for malicious content to bypass an organization’s perimeter defenses. The rise of laptops and other mobile devices, which hop between trusted and untrusted networks, has only exacerbated the threat of malware sneaking past perimeter-focused defenses.
- The Firewall Can Block All Attacks
A crucial component of the perimeter-focused security model is the assumption that the organization’s existing security deployment can block every potential attack. If that assumption does not hold, additional internal defenses are needed to identify and block the threats that make it through the perimeter.
As cybercriminals grow increasingly sophisticated, this assumption becomes less and less valid. Cybercrime is a profession, and professional cybercriminals have the time, knowledge, and experience to identify holes in an organization’s defenses. For most organizations, a breach is not a question of if, but when.
- Everyone within the Network Is Trusted
A perimeter-focused cybersecurity strategy assumes that all attacks against the organization will come from outside. With this assumption comes the belief that everyone with access to devices inside an organization’s network can be trusted.
However, this is rarely the case. Ninety-four percent of organizations give third-party partners access to their networks, and 72% of those accounts have elevated permissions. Even if an organization has no disgruntled employees or untrustworthy partners, a compromised partner account gives an attacker legitimate credentials for the internal network, and the perimeter defenses see nothing more than a valid login.
The Importance of Identity Management in Zero-Trust Security
The issues with the traditional, perimeter-focused approach to security have resulted in the creation of a new security model. This new model, called zero trust, is designed to eliminate the assumptions that leave users of the perimeter-based model open to attack. The logic behind the zero-trust security model is nothing new. Governments and militaries around the world have long operated on the concept of “need to know” when managing access to sensitive or proprietary information.
Zero trust applies this same concept to access to sensitive data or resources within an organization’s network. Unless a user has a “need to know” for a piece of data, or a “need to access” for systems and other resources, grounded in legitimate job roles and business needs, they are denied access to that data or resource by default.
The ability to assign permissions to a user based on their duties is a crucial part of zero-trust security. However, it depends on being able to determine the identity of the user in the first place. If a security system cannot reliably identify both the device from which a request originates and the user making it, then enforcing controls based on a zero-trust model is impossible.
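As an added illustration (not code from the original article), the following Python sketch shows a policy decision point that applies the rule above: a request is allowed only when the user’s identity is verified, the device is known, bound to that user and healthy, and a role explicitly grants the requested action on the requested resource; everything else is denied by default. The HMAC-signed token, the device inventory and the role table are constructed assumptions standing in for an identity provider, a device-management system and an authorization policy.

```python
# Added example (not from the original article): a minimal zero-trust policy
# decision point. Every request must carry a verifiable user identity and a
# registered, healthy device before role-based "need to access" is even
# considered; anything that fails a check is denied by default.
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Assumption: the identity provider and the policy engine share this HMAC key.
# A real deployment would verify the IdP's signature (e.g. an RS256 JWT) instead.
IDP_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed device inventory: device identity plus posture, bound to an owner.
REGISTERED_DEVICES = {
    "laptop-0042": {"owner": "alice", "disk_encrypted": True},
    "laptop-0077": {"owner": "carol", "disk_encrypted": False},
}

# Constructed role grants: role -> resource -> allowed actions. Anything absent is denied.
ROLE_GRANTS = {
    "finance-analyst": {"ledger": {"read"}},
    "payroll-admin": {"ledger": {"read", "write"}, "hr-records": {"read"}},
}


def mint_token(claims: dict) -> str:
    """Issue a signed identity assertion (stand-in for the identity provider)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str, now: int) -> Optional[dict]:
    """Return the claims only if the signature is valid and the token is unexpired."""
    body, sep, sig = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # tampered or forged assertion
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(token: str, device_id: str, resource: str, action: str, now: int) -> Tuple[bool, str]:
    """Zero-trust decision: verify identity, then device, then least-privilege role grant."""
    claims = verify_token(token, now)
    if claims is None:
        return False, "identity not verified"
    device = REGISTERED_DEVICES.get(device_id)
    if device is None:
        return False, "unknown device"
    if device["owner"] != claims.get("sub"):
        return False, "device not bound to this user"
    if not device["disk_encrypted"]:
        return False, "device posture check failed"
    for role in claims.get("roles", []):
        if action in ROLE_GRANTS.get(role, {}).get(resource, set()):
            return True, f"allowed by role {role}"
    return False, "no role grants this access"  # default deny


if __name__ == "__main__":
    now = 1_700_000_000
    alice = mint_token({"sub": "alice", "roles": ["finance-analyst"], "exp": now + 3600})
    print(authorize(alice, "laptop-0042", "ledger", "read", now))   # allowed
    print(authorize(alice, "laptop-0042", "ledger", "write", now))  # denied: no grant
    print(authorize(alice, "laptop-0099", "ledger", "read", now))   # denied: unknown device
```

Note the ordering: the role lookup never runs unless identity and device checks pass, so a stolen partner credential presented from an unregistered or mismatched device is refused before its (possibly elevated) roles are even consulted, which is exactly the third-party-account case the perimeter model cannot handle.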
Implementing Zero-Trust Security with SASE
A mature cybersecurity strategy based on a zero-trust model requires integrating identity into every component of an organization’s network and security infrastructure. A truly “zero trust” system must be able to track and verify the identity of a user, and of the device they are using, throughout the entire access lifecycle. This awareness of identity is a crucial part of SASE, which is one reason Gartner calls it “the future of network security”.
SASE acknowledges that the “center” of the enterprise network is shifting. In the past, an organization’s resources were largely located within the corporate LAN; digital transformation means that most users and devices are now outside it. This is a major driver for zero-trust security, since the “good guys” and the “bad guys” now both arrive from outside the enterprise network. SASE moves security outside the network as well, hosting it in the cloud and building identity into every stage of the process. This lets an organization adapt its security to modern business needs by removing the reliance on perimeter-based defenses for users and endpoints operating outside that perimeter.
Author | Emily Forbes
An entrepreneur, mother and passionate tech writer in the technology industry.