In a tumultuous world, cybersecurity is of increasing importance and whoever does not pay enough attention to it will sooner or later find themselves in the role of the victim as their data will be stolen by criminals. Under changing circumstances, security – especially digital – can no longer simply be something that the IT department must deal with but must instead be a topic on the agenda of every manager. Implementing the Zero Trust model is an important cornerstone in ensuring a higher level of security.

Right now, it is fairly common for the employees of a company, whether working in the office or remotely, to be able to access data stored in the cloud with their own password, for a VPN to be mandatory when using various business applications, and for some software or databases to be accessible only via specific devices. But Gartner predicts that in 2.5 years’ time, 80% of companies will allow access to their web and cloud-based services as well as their private applications only via the SSE (Security Service Edge) of a single service provider’s secure platform. This is a much more efficient and secure method to use as it involves fewer parties and a smaller number of points where data is decrypted, checked, and re-encrypted.

Compared to the current approach, Gartner’s prediction would bring about a fundamental change. In layman’s terms, the intranets of most companies right now function like central asset repositories where all of a company’s valuable and sensitive data and applications are stored. To provide employees remote access to the company’s internal systems, their device traffic gets routed through this central asset repository. Understandably, such an approach is not completely secure.

When implementing the Zero Trust security model, the central repository is divided into isolated pieces and access to these pieces is checked by so-called security locks, AKA the SSE service. In addition to that, the SSE also checks where the request for access is coming from, what actions are requested to be made, what rights the user has, the security level of their device, etc.

In companies where the Zero Trust model has been correctly implemented, there no longer exists one single intranet and all employees who meet the criteria set by the company are able to securely access only the data and services that they have been given access rights to. And they can do so over a public network connection, even the public WiFi network of a café. This also removes the issue of networks being overloaded, which a lot of companies came up against during the beginning of the COVID pandemic. Additionally, network services configured in this manner are not visible to outsiders, or in other words, potential attackers.
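The per-request check described above can be sketched as a default-deny policy decision. This is an added example, not code from the article or from any SSE product; the segment names, users, countries and posture fields are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    segment: str            # one isolated piece of the former central repository
    action: str             # what the user asks to do, e.g. "read" or "write"
    country: str            # where the request is coming from
    network: str            # recorded for logging only, never a trust signal
    device_patched: bool    # device security level: OS up to date
    device_encrypted: bool  # device security level: disk encryption enabled

@dataclass(frozen=True)
class SegmentPolicy:
    grants: dict                  # user -> set of actions granted in this segment
    allowed_countries: frozenset
    require_encrypted_disk: bool = True

# Constructed sample policies (hypothetical segments and users).
POLICIES = {
    "finance": SegmentPolicy({"alice": {"read"}, "bob": {"read", "write"}},
                             frozenset({"EE", "FI"})),
    "wiki": SegmentPolicy({"alice": {"read", "write"}},
                          frozenset({"EE", "FI", "DE"}),
                          require_encrypted_disk=False),
}

def decide(req, policies=POLICIES):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    policy = policies.get(req.segment)
    if policy is None:
        return False, "unknown segment"
    # User rights and requested action: checked per segment, not per network.
    if req.action not in policy.grants.get(req.user, set()):
        return False, "no entitlement"
    # Origin of the request.
    if req.country not in policy.allowed_countries:
        return False, "origin not allowed"
    # Device security level.
    if not req.device_patched:
        return False, "device not patched"
    if policy.require_encrypted_disk and not req.device_encrypted:
        return False, "device not encrypted"
    return True, "ok"
```

The `network` field is deliberately ignored by `decide`: a request from café WiFi and one from the office are evaluated on the same signals, and access to one segment implies nothing about any other.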

Zero Trust

The creation of a more secure environment should start with the implementation of the Zero Trust policy, which Gartner has also emphasised by predicting that by 2025, Zero Trust will be the starting point for the security setup of 60% of all organisations. Further solutions can then be built upon that. At the same time, Gartner also warns that more than half of these organisations will be unable to reap the benefits of Zero Trust as they will be stuck in their old ways of thinking and beliefs. Unfortunately, this is also already confirmed by ADM Cloudtech’s experience in both Estonia and abroad – despite security being of increasing importance, most business managers and even whole IT departments are still incapable of understanding the value to be gained from Zero Trust.

True, Zero Trust is not a miracle solution but a large-scale change that can only be successfully implemented if a company’s board considers it to be important enough and clearly supports it. Zero Trust is not just Zero Trust alone but a vision for the organisation, and its success depends on the organisation’s pre-existing culture changing completely. The IT department can provide valuable technical support in the implementation of Zero Trust, but nothing more – the decision to implement it in the first place must come from a business manager.

On a related note, cybersecurity is currently moving from being a topic for the IT department to the desks of managers and board members. This is because security in any company is directly connected to its business and any risks that may affect the continuation of that business. This applies not only to Zero Trust but also to things like ransomware. If preventative security measures have not been enough and criminals are able to encrypt a company’s data and demand a ransom for decrypting it, then the decision of whether to pay the criminals will not be made by the head of the IT department or, an even less likely scenario, by an IT specialist. It is a business decision that must be made by the company’s business manager. In the case of ransom negotiations, Gartner recommends involving both the company’s security incident department and lawyers as well as the police.

Since security risks have long stopped being simply technical, Gartner predicts that in less than four years, this knowledge will have become much more widespread and that the contracts of more than half of all senior managers will include KPIs such as risk and security management. As a result, the responsibility for how cyber risks are managed should move away from the IT department and into the boardroom, AKA where it actually belongs.

The article was published in ITuudised on 20th of July 2022.