Cybersecurity: No Unprotected Access Points with Zero Trust.

More home offices and more cyber attacks: These developments are driving demand for future-proof security solutions that prevent unauthorized access, secure complex networks, and make network administration more transparent. The Zero Trust concept promises a modern and comprehensive solution approach that meets these requirements without escalating costs.

 
Markus Kaegi
+41 58 510 16 98
markus.kaegi@umb.ch

«Trust but verify» was the IT security motto in many companies for many years. But the creed that trust can be secured through control is no longer valid in today's cybersecurity environment. The current IT security watchword is «Zero Trust». This is not a specific technology, but rather a concept. It means that users, devices or applications are no longer to be trusted - even if we know them. Forrester defines Zero Trust as follows: «Zero Trust is an information security model that denies access to applications and data by default. Threat protection is achieved by granting access to networks and workloads only on the basis of policies that are based on continuous, contextual, and risk-based auditing of users and their connected devices».

 

Zero trust - in order to create trust

Needless to say, Zero Trust is often misunderstood. This is not surprising, since the ultimate goal is to check and evaluate all participants and risks in a company's IT system - not just once, but continuously. This means no longer viewing your entire corporate network as an implicit trust zone, and not considering any resource or endpoint as trustworthy. But employees, partners, and customers whom you authenticate for this reason are just as protected by Zero Trust as your corporate IT infrastructure. As the digital world becomes increasingly dangerous, Zero Trust measures inspire confidence[i].

The Zero Trust philosophy first surfaced about ten years ago. The coronavirus pandemic and the mass move to home offices revealed significant security gaps, especially in decentralized environments, i.e., where end devices are used in conjunction with growing use of the cloud. Hybrid cloud infrastructures decentralize IT resources, and monitoring them is often not a simple matter. As a result, traditional perimeter security is no longer sufficient, and zero-trust models are getting a boost. This is reflected in market statistics. The global zero-trust security market was estimated at around 20 billion US dollars in 2020. Today, two years later, it is already 27.4 billion, and by 2027 the market is expected to rise to 60.7 billion US dollars, with an annual growth rate of 17.3 percent[ii].

 

Security without a network edge

In the Zero Trust philosophy, there is no network edge. Networks can be anywhere, on-premises or in the cloud or both, just as team members can work with their resources anywhere. However, according to IBM, more than half of all organizations are still unable to secure data used across multiple cloud and on-premises environments - which can significantly constrain value creation. A majority are also unable to securely enable and extend new cloud-native capabilities to their internal and external partners. On the other side of the coin are those companies that are ahead of their competitors when it comes to deploying Zero Trust capabilities. According to a study by IBM's Institute for Enterprise Value in collaboration with Oxford Economics, they spend a similar percentage of IT budgets and resources on cybersecurity as their peers, but derive more benefits from it. In other words, with Zero Trust these companies have increased their cybersecurity effectiveness without increasing their capital and operational expenditures on security.

 

From philosophy to principles to architecture

Zero Trust provides the framework for securing modern IT infrastructures. It shows how to secure remote workers and hybrid cloud environments and how to protect against specific threats. There are various definitions of Zero Trust (see above). However, the standard is set by the U.S. National Institute of Standards and Technology (NIST) as follows: «Zero Trust is a collection of concepts and ideas aimed at minimizing uncertainty in making precise access decisions with the least privilege per request in information systems and services. The Zero Trust Architecture (ZTA) is an organization's cybersecurity plan that uses zero trust concepts and includes component relationships, workflow planning, and access policies.»

Zero Trust architecture thus grows out of the Zero Trust philosophy and observes the Zero Trust principles. According to NIST, these are[iii]:

 

  • All data sources and computing services are considered resources.
  • All communication is secured - regardless of the network location.
  • Access to individual enterprise resources is granted on a per-session basis.
  • Access to resources is determined by dynamic policy - including the discoverable state of client identity, application or service, and the requesting asset - and may include other behavioral and environmental attributes.
  • The enterprise monitors and assesses the integrity and security posture of all owned and associated assets.
  • All resource authentications and authorizations are dynamic and strictly enforced before access is allowed.
  • The enterprise gathers as much information as possible about the current state of its assets, network infrastructure, and communications and uses it to improve its security posture.
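
The principles above can be read as a policy decision function: deny by default, evaluate identity, device posture and risk on every request, and issue a grant that covers one resource for one session. The following Python example is added here for illustration and is not code from NIST, IBM or UMB; the policy table, field names, risk thresholds and the 900-second session lifetime are constructed assumptions.

```python
import time
from dataclasses import dataclass

SESSION_TTL = 900  # seconds a grant stays valid (constructed value)

# Constructed policy table; any resource or action not listed is denied.
POLICY = {
    "payroll-db": {"users": {"alice"}, "actions": {"read"}, "max_risk": 0.3},
    "wiki": {"users": {"alice", "bob"}, "actions": {"read", "write"}, "max_risk": 0.7},
}

@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool        # identity signal
    device_compliant: bool  # posture of the requesting asset
    on_corporate_lan: bool  # recorded, but deliberately never used to grant access
    resource: str
    action: str
    risk_score: float       # 0.0 (low) to 1.0 (high), from behavioral signals

@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    action: str
    expires_at: float

def decide(req, now=None):
    """Return (Grant or None, reason). Every path that is not an explicit allow denies."""
    now = time.time() if now is None else now
    rule = POLICY.get(req.resource)
    if rule is None:
        return None, "default deny: no policy for resource"
    if not req.mfa_passed:
        return None, "identity not strongly authenticated"
    if not req.device_compliant:
        return None, "device posture not compliant"
    if req.user not in rule["users"] or req.action not in rule["actions"]:
        return None, "least privilege: user or action not permitted"
    if req.risk_score > rule["max_risk"]:
        return None, "risk score above threshold for this resource"
    return Grant(req.user, req.resource, req.action, now + SESSION_TTL), "allowed"

def grant_covers(grant, resource, action, now):
    """A grant is valid for one resource and action, and only until it expires."""
    return (grant is not None and grant.resource == resource
            and grant.action == action and now < grant.expires_at)
```

Being on the corporate LAN does not change the outcome: a non-compliant device is denied there as well, and a grant for one resource does not carry over to another.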

 

Zero Trust infrastructure is based on state-of-the-art technology

In implementing the above principles, applications for protecting cloud workloads, multi-factor authentication, and securing endpoints, among others, are used. In addition, data must be encrypted, email must be secured, and devices must be inspected before they fit into a zero-trust environment. At UMB, we can provide both the technology and the necessary know-how for this, and we also have the necessary partners. One of them is IBM, where Zero Trust is also a central topic[iv]. UMB is the first and largest IBM Platinum Business Partner in Switzerland. At UMB, we holistically implement the Zero Trust concept based on various technologies and process approaches. We view cybersecurity as an integral discipline in the IT landscape and understand the challenges of a rapidly changing world. At UMB, cybersecurity is not viewed in isolation, but as part of IT, workplace and digitalization concepts. Two-factor authentication, multi-factor authentication, conditional access and identity protection: we support you in these and many other security areas. We also provide first-class web security through leading-edge endpoint protection and storage and data encryption.

Want to know more about the Zero Trust concept? Please contact us.

 

[i] Cybercrime To Cost The World $10.5 Trillion Annually By 2025

[ii] Zero Trust Security Market worth $60.7 billion by 2027

[iii] Zero Trust Architecture

[iv] IBM Zero Trust Field Guide