Why Zero Trust is the Future for Corporate Security
By Gene Frantz, general partner at CapitalG, and James Luo, vice president at CapitalG.
Cybersecurity has long been a business imperative, but last year’s COVID-induced plunge into widespread remote work followed by the massive security break into U.S. government agencies and private companies catapulted security’s importance — and urgency — to a fever pitch.
Here’s how the events of 2020 killed the traditional security framework and how zero trust can save enterprises from having to feel the same pains ever again.
The problem with perimeter-based security (and why we don’t live in castles today)
For decades before the rise of cloud infrastructure, archetypal cybersecurity architecture was analogous to rigid walls guarding a castle interior. Anyone on the outside of the walls was blocked from accessing the assets inside, while anyone on the inside enjoyed free reign to move as they wished.
As hackers became more sophisticated and found ways to breach those castle walls, IT and security teams responded by layering on new defenses to safeguard the perimeter in the form of firewalls, sandboxes, intrusion detection and prevention systems. But these enhancements had their flaws.
Once the wall was breached (which inevitably happened as no defense is 100% perfect), bad actors largely gained free rein of the castle and everything inside. And the second major flaw: as enterprises piled on solutions to the perimeter, their defenses grew extremely complex, creating an unmanageable and ultimately less secure IT environment.
Many insightful IT and security leaders saw the writing on the wall and mapped out long-term roadmaps to transition to scalable, modern security architecture.
Then COVID struck.
In a matter of days, remote work and remote access to applications and data became the base requirement for millions of employees worldwide. Hackers jumped at the opportunity. Cybersecurity companies saw a 100x rise in COVID-themed malware.
While many companies enacted short-term solutions like augmenting VPN bandwidth and increasing remote network capacity, the pandemic dramatically accelerated the need for businesses to replace castle walls with solutions that were more secure, more intuitive, and better equipped for the future.
The way companies built their castles was changing. So was the idea of trust.
Zero trust: a solution built for a world without walls
Major enterprises (like Google) have envisioned a new security paradigm based on zero trust. Instead of relying on the castle walls to grant access once and forever thereafter, zero trust constantly verifies users and devices at every point of access and grants limited point-to-point access only to specifically permitted resources.
In this framework, access is only granted if three requirements are met:
The user can verify their identity (through strong authentication)
Devices (endpoints) comply with corporate security policies (e.g., managed by IT, latest Windows patch)
Users and devices are permissioned to access the specific resources at the time of request
This approach lets employees access resources from anywhere while improving connection speed relative to VPNs that often significantly degrade performance. Multiple verification levels distribute risk away from a single, vulnerable point of failure that can be attacked, reducing vulnerability to bad actors and the potential of hard-earned credibility being destroyed.
As an example, while a zero trust framework would not have prevented the SolarWinds breach, it could have muted the impact of the vulnerability by limiting its spread throughout corporate and government networks.
The zero trust framework allows companies to create finer-grained policies that adjust verification requirements depending on the sensitivity of the resource being accessed. The time to transition is now.
The opportunities in the transition to zero trust
Shifting to zero trust requires integrating three core security components that have historically worked independently:
Identity Platform Solutions enable companies to manage user identities and access privileges with strong authentication (such as multi-factor). Example vendors: Auth0, Duo / Cisco, Forgerock, Microsoft, Okta, Ping Identity
Endpoint Platform Solutions protect endpoints (e.g., PCs, phones, servers) from malware and keep them free of unpatched vulnerabilities and compliant with corporate security policies. Example vendors: *
Network Platform Solutions aggregate perimeter security functionality and act as access proxies, enabling point-to-point routing between verified users and endpoints and target applications and data while blocking unverified traffic. The network platform receives user and device information from the identity and endpoint platforms and enforces access policies with context. Example vendors: AppGate, Axis Security, Cato Networks, Cisco, Guardicore, Netskope, Palo Alto Networks, Perimeter81, *
For many businesses, the past year has represented a “house is on fire” moment as the one-two punch of COVID and the SolarWinds exploit dramatically accelerated trends years in the making. While extinguishing the fires ignited by these two forces, security leaders must simultaneously begin “fireproofing the house” by reimagining their security infrastructure with a zero trust mindset.
The dissolution of a decades-old security framework presents significant opportunities for security entrepreneurs. The most successful zero trust solutions will be easy to implement, demonstrate fast time-to-value and integrate seamlessly with the security stack.
We’re entering a new generation of cybersecurity. Luckily, you’ve got the framework to keep your castle safe for years to come.
*indicates CapitalG investments