How to Augment Your Defense-in-Depth Strategy with Zero Trust

With digital transformation high on most leadership agendas, the need for a well-defined and forward-looking security strategy is key. The many operational benefits of IT may make your organization more efficient, but the growing cybersecurity risk means a strong security posture is required to prevent your systems from falling prey to the cybercrime disasters that appear regularly across the media.

Whatever the terminology used, IT security needs to protect the network, cloud, data center, users, bots and all the data and communications that pass between them. In modern security, identity and trust are the key issues leading to a rethink in organizational security, on top of the traditional next-generation firewall and other security tools. But how is Zero Trust important in a balanced equation with deeper defenses?

The changing face of IT security

With recent global changes, IT security has been about about enabling productivity anytime, anywhere, while lowering friction for users who work on almost any network, a multitude of devices, corporate and personal apps and data stored everywhere. But from developers to accountants and admin, every end user comes with a range of weak points, enabling hackers breach opportunities across the enterprise.

At best, these cybercriminals are looking for a weakness to exploit to access some valuable data or make easy money - and will go away if they can’t find it. At worst, a state-sponsored cybercrime gang can trash your whole business by encrypting key data for ransom or selling your data creating massive reputational and financial risk.

To deflect their attacks, IT security has been focused on defense-in-depth, protecting the perimeter of the network, the data center, devices and users with different applications at each point, making it tricky for hackers to break in. But the real security focus of an enterprise security strategy should be a full understanding of identity and the access granted to that identity - both human and bot, as these are areas where the hackers prosper.

Each business will need a clear and well-defined security strategy that suits the current and future state of the company. As part of that solution, Zero Trust now plays a key role in reducing the success or impact any breach can have.

What is Zero Trust?

A decade-old concept that foresaw the weakness in traditional IT security, Zero Trust’s time has come in the modern cloud-based, high-volume-traffic, data-dependent organizations that span the globe.

Simply put, Zero Trust means never trust, always verify, which moves beyond the idea that every user with a password on your VPN is a good worker or bot with a pure heart or electrical signal.

The benefits of Zero Trust, when used as part of a defense-in-depth strategy, are that the damage from any breach is minimized and rapidly identified at source because Zero Trust eliminates vulnerable permissions, unnecessary and excessive access, in favor of specific-rights delegation and provisioning with granularity.

Adding yet another layer to defense-in-depth, Zero Trust requires a thorough understanding of the IT, user and access footprint. To give IT the best view across the enterprise, an identity governance solution empowers the enterprise to control permissions and set policies that protect the organization, users and assets in the way that best serves company objectives. With internal job changes causing access rights updates, just-in-time changes within a dashboard can speed up the employee provisioning process lowering friction and increasing productivity. And, once the policies are established, governance with a Zero Trust methodology becomes a pivotal part of IT security.

What is defense-in-depth?

As discussed, defense-in-depth creates a layered approach to protecting a business and its IT assets. As enterprises grow and consume massive IT resources, it’s necessary to automate the protection of the business as huge volumes of data cross many networks and interact with many users.

The benefits are that when one weak point fails, there are others to back it up, but even a strong defense can be breached, with IT teams feeling overly secure with their new security apps one of the drawbacks. And, even though providers release daily updates, there’s always the risk that one zero-day exploit or a collection of them can be used to smash through much of that defensive posture.

How Zero Trust and Defense-in-Depth can work together

Typically, the best practice is to use both solutions. With Zero Trust, and its close cousin Identity Access Management (IAM) as part of expanded defense in-depth, the business is better positioned to avoid external threats, internal bad actors such as rogue employees, and other risks.

The challenge here is that a vendor might not offer Zero Trust or related identity-based service as part of their package or solution. But overcoming that to deliver a better solution is more important than the marketing or vendor pressure to adopt something that could find itself less able to protect your business as the threat landscape changes. Hackers are always looking for new exploits, but user trust and identity remain constant points of access that must be defended, whatever the other security elements of a defense-in-depth solution offer.

Avoid the marketing drumbeat, and instead look at how a comprehensive solution of a unified platform approach can better protect the business and help support the IT security team as they face a constant and growing battle against new threats.