Zero Trust: If You Wait, It Could Be Too Late

Today, any guidance you get about data security will almost certainly include the recommendation to adopt zero trust. 

It’s good advice. It makes sense that anything accessing your network should be verified and that no device should be trusted by default. But acting on that advice isn’t just a matter of installing a piece of software: Creating a true zero-trust environment requires a complete rethinking of the traditional approach to IT security. In short, zero trust is an all-or-nothing proposition. If you’re simply adding new protections to an existing architecture, you won’t achieve the security posture created by zero trust—no matter what the vendor might tell you.

To understand why, let’s look at the industry’s past assumptions about IT security. For decades, organizations were adequately defended by the castle-and-moat approach to data protection. Under that model, it was accepted that any threats to the enterprise would come from outside the organization, never from within. Anyone permitted to cross the drawbridge and enter the castle was assumed to be trustworthy and would have little difficulty accessing any data or systems within.

Of course, that model is hopelessly inadequate for dealing with the realities of the modern enterprise. Your data might be spread across multiple cloud vendors, and your workforce might be logging in from anywhere in the world. Plus, that workforce could include contract personnel with no particular loyalty to your organization. To make matters worse, the pandemic-driven move to working from home means that today’s castle is effectively empty. In short, there’s no way to create a secure perimeter in today’s IT environment. Zero trust responds to the problem by understanding that threats to data exist both within and outside the network; nothing is trusted by default.

A true zero-trust environment relies on a range of technologies and practices, including multi-factor authentication, identity access management orchestration, analytics, encryption, scoring and file system permissions. It also calls for policies that block users’ access to any data that isn’t necessary for their jobs.

Because zero trust differs so fundamentally from traditional security, retrofitting old systems won’t work. And since zero trust involves multiple technologies, the implementation process can be complicated. Google has simplified the path to zero trust through its BeyondCorp Enterprise product. BeyondCorp provides secure access to critical apps and services while safeguarding your information with integrated threat and data protection. It’s a fully scalable solution that heightens your visibility into unsafe user activity. And because BeyondCorp is agentless, it simplifies the zero-trust experience for administrators and end users alike.

Competent IT security starts with anticipating how threats will evolve over time. Between everyday cybercriminals and state actors, the inventiveness of the hack attempts is certain to grow. In an age where ransomware is available as a service, protecting your enterprise calls for a radical rethinking of your security posture. A zero trust architecture is an obvious place to start.

Pythian is a Google Cloud Premier Partner and MSP, with Google-certified engineers across multiple Google Cloud solutions. Security is in our DNA. As a global IT services company, Pythian provides a robust security framework, secure connectivity, experience in regulatory compliance and additional offerings in privileged access management. Visit our Data Security services to learn more.