Technological innovation is reshaping the world faster than ever: workers are anywhere, data and applications are everywhere. As companies’ attack surfaces grow in size and complexity, their vulnerability increases.
Today’s security approach is to assume not “if” but “when” a breach will happen. The impact can be devastating — consider the consequences of these potential risks:
- Financial risk. Your company gets spearfished and approves a $2 million wire to an offshore casino.
- Compliance and regulatory risk. Lack of visibility into where and when sensitive data is being accessed puts you afoul of GDPR. Or HIPAA. Or CCPA. Or PIPL.
- Operational risk. The warehouse conveyor belts stop working. Company laptops are crypto-locked.
- Reputational risk. Your company receives negative news coverage because of an embarrassing cybersecurity incident.
The new perimeter is anywhere and everywhere
Traditional perimeter security is outdated; the old approach to check outbound and inbound traffic no longer works in our hyper-connected world, where data is widely dispersed and not trusted.
Today, the largest attack surface is people accessing network resources (not IT resources), and people make mistakes. Frequent headlines clearly demonstrate that the 20-year-old security paradigm of “trust but verify” isn’t working against the expanding threat landscape and sophisticated threat actors. We believe that people anywhere and everywhere are the new perimeter, and that protecting network access is paramount. Zero Trust is the most effective approach.
What is Zero Trust?
Our ideas about acceptable risk are constantly being tested. Zero Trust forces us to look back and acknowledge that it was not okay to assume that unfettered access was secure.
Instead, Zero Trust assumes the opposite. A policy of Zero Trust means that no person, device or service attempting to access resources can be trusted.
So when a person or system attempts to access data or an IT service, a decision is made based on the identity of the entity and multiple intelligence signals from the cyber environment. Access and data policies are applied to decide the type of access and what operations the subject can perform with the data or IT service.
There are three often-stated principles of Zero Trust, but DXC explicitly adds a fourth:
- Verify explicitly and continuously. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification and anomalies.
- Use least privileged access. Limit user access with just-in-time and just-enough access (JIT/JEA), risk-based adaptive polices, and data protection to help secure both data and productivity.
- Assume you have been breached. Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection and improve defenses.
- Automate context collection and response. For the most accurate and timely response, behavioral data and context data should be gathered from the complete IT stack — identity, endpoint, workload, network, etc. — and analyzed.
Benefits of Zero Trust Network Access
To better understand Zero Trust, it’s useful to look at the attack process. At a high level, there are three steps attackers take, and countermeasures organizations need to take:
- Gain initial foothold — block threats before they reach you.
- Initiate network propagation — stop the spread of infection.
- Take action on objectives — prevent data loss to the internet.
Network access is integral to a protection strategy. Deploying Zero Trust Network Access (ZTNA) is crucial for comprehensive protection. DXC Technology has partnered with Appgate to provide a managed service that wraps around Appgate SDP, a ZTNA solution from Appgate. DXC’s managed service provides breadth and depth and supports a direct-routed ZTNA architecture rather than a cloud-routed architecture. That way you have full control of how data traverses your network, and universal access control of all users, devices and workloads.
Appgate’s Single Packet Authorization (SPA) and Cloaked Infrastructure ensure constant revalidation and greatly reduce the attack surface.
In addition to the security benefits of ZTNA, there are important operational benefits reported in a study of Appgate SDP by Nemertes. Study participants reported:
- Reduction in time to provision new users — a manufacturer reduced time from 2 days to .25 days
- Reduction in staff time required to provision new developers — a FinServ firm reduced provisioning staff time from 2.5 full-time equivalent to .1 FTE due to automation, enabling staff to be more proactive and to focus on strategic initiatives
- Reduction in trouble tickets — a high-tech firm reduced login and access tickets from 100 per day to one per day
Securing your company’s data and resources is an ongoing effort. DXC’s security experts have deep experience to guide you in protecting your organization. Contact us for a free assessment to define a strategic roadmap for delivering rapid security improvements and improved return on investment; we offer both a high level Zero Trust Maturity Assessment and a deep dive Zero Trust Maturity Assessment.
Zero Trust is not a discrete solution but rather an approach and mindset backed by technology. DXC stands ready to guide you on your Zero Trust journey.
Learn more about DXC Security
About the authors
Miles Davis is a cybersecurity expert with over three decades of experience in the field. He has a wealth of knowledge, having spent many years deep in areas such as Operations, Delivery, Architecture and pre-sales. As an author, Miles brings a unique perspective based on real-world practice and valuable insights to the audience.
Dan Rosner is a seasoned information security professional with years of experience at both Fortune 100 companies and seed-funding stage start-ups. He is experienced at building and leading Information Security and Governance/Risk/Compliance programs, and as a hands-on practitioner in both software development, and network and systems engineering. Connect with him on LinkedIn.