by Marc Lueck, Zscaler CISO, UK and Northern EMEA
Several forces have changed the way IT and the CISO think about network security and have also brought about the rise of a new model, identified by Gartner as zero trust network access (ZTNA).
Ransomware and other malware, phishing and its variants, identity theft, and, of course, the steady drip of exposed vulnerability exploits make today’s IT landscape challenging and the role of the CISO increasingly complicated. It’s an arms race that, by definition, we are always going to lose.
And why is this? Why is it that the simplest apparent solution to this mess - the reduction of our threat landscape and our exposure to the big nasty outside world - is hampered everywhere we turn by the changing of IT on what seems a daily basis?
In truth, it’s because organisations barely control IT anymore.
Whilst IT tools were once provided and controlled by a group of specialists in the IT department, or MIS before that, employees now play a much larger role in determining which tools are used. Indeed, IT was formerly considered in the same vein as the office building and the furniture in it. IT services and applications were provided for employees to consume, but those employees had no choice or control over how, what, or where they used them at work. However, with the cloud and services delivered from it, we have witnessed the democratisation of IT within the workplace over the past 10 years.
The primary reason for this shift is the increased proliferation of technology in people's lives. Because of this shift, user expectations, as well as IT, have evolved. With advances in technology, the growing reliance on the internet and the rising popularity of social media, IT has steadily become an extension of people’s lives, and this has impacted individuals’ expectations of how, when, and to what extent they access technology.
In the past, IT was associated only with the working environment and therefore limited to the boundaries of the office space. Today, it is also a part of people's home and social lives. Individuals increasingly expect to use technology at home, in the office, on the bus, or at the shops, and they want their IT experience to be seamless—switching between business and private use of IT “on the go.” Furthermore, they not only want but expect to be able to fully control and customise their IT experience on whichever device they use to access applications. In other words, they demand the right to decide for themselves how to use IT.
IT has become more than just a tool to access or organise information in the workplace. It has become the tool employees use to complete nearly all aspects of their jobs. From staff communication and document generation to team organisation and enterprise management, nearly everything resides at some point within a company’s IT suite. As organisations increasingly rely on IT, it has fast become a core part of the personality of an enterprise as well as of its business model.
The lines of corporate and personal IT have blurred
The concept of a PC at a desk is not dead but has vastly changed with the introduction of the smartphone. The bring-your-own-device (BYOD) phenomenon, although still not playing a major role in actually replacing corporate-supplied IT, has played a significant role in blurring the lines between work and personal life. Following the launch of smartphones - led by the release of Apple’s trailblazing iPhone more than a decade ago - attitudes about technology in the workplace have evolved. BYOD and its influence have provided IT teams with an efficient, manageable strategy that satisfies increasingly demanding employees who want to use their own devices.
From the employee’s perspective, as well as the company’s perspective, there is no denying the benefits of a more mobile workforce. However, mobility has brought a new challenge for IT departments that are required to safeguard confidential corporate information. Whether it’s their own iPhone or one issued by the company, employees will likely use the device for personal activities in addition to work. They will be downloading and accessing applications and using personal online logins and Apple IDs, all of which raises the very important question of control.
Fifteen years ago, employees could do little to customize their work devices aside from updating their screen savers. But now, employees want to customise their interfaces in different ways. As a result, each device will have different apps, notes, and documents, depending on what applications the owner chooses to use. We are seeing that enterprises are letting workers decide how they manage their working life, as they are looking more for a set of outcomes, rather than giving them the tools only. Employees now have far more say in how they use these tools. But, what does that mean from a security perspective?
The rise of zero trust networking
From a bottom-line perspective, it is great to see employees being empowered, but the risks that these changes in IT consumption bring along can’t be overlooked by enterprises. It’s a difficult balancing act between the democratisation of IT and new security risks that have been introduced by this change. The reason risk has been increasing throughout this process of change is that businesses have historically trusted the IT and/or the employee when exposure to the internet and its dangers was limited. This, however, is a false sense of trust in the era of the cloud, where the internet has become the new corporate network. It’s no longer wise to trust a piece of IT because it’s in the right building and built by a particular team. And it’s impossible to trust that an employee would not slip up and incorrectly follow a process.
When accessing corporate assets, which now reside in private and public clouds as well as in the traditional setting of the corporate data centre, it is crucial that the device and person making the request to access these assets are verified, regardless of whether they are sitting inside or outside of the network perimeter. Unlike the traditional castle-and-moat concept, which trusted anyone inside the perimeter, the zero trust network access model requires strict identity verification from anyone attempting to reach corporate resources.
The concept of “zero trust” is a powerful paradigm shift, but it is no silver bullet. The threat landscape will continue to evolve, and we in the business will continue to keep up with, but never win, the arms race between enterprises and those attempting to monetise our assets and capabilities for their gain. A wide range of controls in process, people, and new and existing technologies will be required to continue to meet the threat. For businesses, it’s impossible to negate the democratisation of IT. As such, organisations need to give their employees the control and access they demand while ensuring they are moving protection toward the user and away from IT. One of the most important things to maintain is awareness and understanding of that environment. The modern CISO must keep abreast of the way employees, or maybe “corporate citizens,” are using IT, and how the enterprise is shaping its response to the changes happening every day. Only by maintaining this awareness, and adjusting our position to match it, can we ensure the best possible outcomes for our companies.
Technology is supporting this effort as we today have the methods to provide access and control based on an individual employee level. Zero trust network access will play a significant role in this new world of democratised use of IT, as it will give IT departments back the sense of being in control of their network traffic and a heightened security posture at the same time.
Learn about the Zscaler zero trust network access solution, Zscaler Private Access.
Read the Gartner Market Guide on zero trust network access (ZTNA).