Making predictions in the information security space is always an interesting yet challenging task. The very nature of cybersecurity, with the velocity of vulnerabilities and new threat actor coalitions along with the shifting regulatory environment, requires organisations to stay vigilant and informed.
Although we are at a point where new technologies such as AI and ML are grabbing a lot of the attention, a major change for 2019 onwards is focused on the bigger-picture issue of trust.
Although Zero Trust, and the idea of it becoming the de facto model for security controls, has gained acceptance, the next 24 months will see it accelerate into architectural best practices.
Zero Trust moves away from the traditional perimeter-based architecture, which assumed that anybody inside the internal corporate network, or getting remote access to it, was trusted. With the rise of hybrid IT and the dynamic nature of provisioning apps, resources and users, the risk of unauthorized and insecure access increases exponentially. As such, the conventional perimeter defence is more limiting in terms of ensuring adequate visibility, consistent policy, and protected access. Getting a perimeter approach wrong can cause frustration for users, increase shadow IT, and leave potential gaps in defences that attackers can exploit.
Zero Trust works on the principle of “never trust, always verify.” With this method, organizations can dynamically establish secure connectivity and compliant access between the users, devices and the targeted resource and applications using a least-privileged security strategy. In this approach, access is granted based on satisfying pre- and post-connect policy associated with user and device authentication and security state verification. By adding micro-segmentation one can further limit unauthorized means to discover and exploit resources.
Zero Trust can be applied to perimeter-based access security architectures, and is at the core of the emerging architecture of software-defined perimeter (SDP). SDP solutions assume no trust and require different users, devices, applications or classes of information to be associated with a spectrum of trust levels that is established, by policy, in order to grant access with higher granularity and greater efficiency. With SDP, all entities and their security states are continuously verified by a controller within the control plane. Based on policy, the controller communicates with entities to dynamically establish secure connections directly between source and destination through a data plane.
Through SDP, the perimeter becomes essentially elastic, stretching from users and devices to requested applications and resources no matter where they reside. That being said, the massive existing investment in perimeter defences and the ongoing migration of applications to the cloud will require a secure access architecture that accounts for both conventional firewall and VPN defences and SDP.
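A sketch of the controller decision described above, with the pre-connect check and the post-connect re-verification, follows. It is an added example, not code from this article or from any SDP product; the resource names, entity attributes and trust scoring are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy: minimum trust level and allowed roles per resource.
POLICY = {
    "hr-db": {"min_trust": 3, "roles": {"hr"}},
    "wiki": {"min_trust": 1, "roles": {"hr", "eng"}},
}

@dataclass
class Entity:
    user: str
    role: str
    mfa_passed: bool       # user authentication result
    device_managed: bool   # device security state
    device_patched: bool

def trust_level(e):
    """Map verified user and device state to a trust level from 0 to 3."""
    if not e.mfa_passed:
        return 0           # an unauthenticated user is never trusted
    return 1 + int(e.device_managed) + int(e.device_patched)

class Controller:
    """Control-plane role: decides access; the data plane only carries allowed sessions."""
    def __init__(self, policy):
        self.policy = policy
        self.sessions = set()          # (user, resource) pairs currently allowed

    def decide(self, e, resource):
        rule = self.policy.get(resource)
        if rule is None:
            return False               # default deny: resource not covered by policy
        return e.role in rule["roles"] and trust_level(e) >= rule["min_trust"]

    def connect(self, e, resource):
        """Pre-connect check: a session exists only if policy is satisfied now."""
        allowed = self.decide(e, resource)
        if allowed:
            self.sessions.add((e.user, resource))
        return allowed

    def reverify(self, e):
        """Post-connect check: re-evaluate the entity's sessions, revoke failures."""
        revoked = sorted(r for (u, r) in self.sessions
                         if u == e.user and not self.decide(e, r))
        for r in revoked:
            self.sessions.discard((e.user, r))
        return revoked
```

A device that falls out of compliance after connecting loses only the sessions whose policy it no longer meets, which is the least-privilege behaviour the paragraph describes.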
With moves towards Hybrid IT adoption showing no signs of slowing down, 2019 will be the year when Zero Trust and Software Defined Perimeter take shape!