When People Are the Perimeter, We Need a Zero Trust Approach to Security

Data is the new oil—an observation not lost on hackers. In a world of growing interconnectivity, our most valuable digital assets—including our digital identities—have never been so exposed. After all, attackers of the digital age now simply log in, using stolen credentials to gain access to protected documents and privileged information. Relying on usernames and passwords alone to protect your systems is a risk that plays right into the hands of hackers, as there’s no silver bullet to ensure these credentials can’t be compromised by someone outside (or even inside) your organization.

Simply put, in today’s mobile- and cloud-first world, the security practices of the past are quickly becoming outdated. Thanks to the rise of cloud services and remote working, the network perimeter as we know it has been shattered. What matters now is how people access their resources, and how organizations respond to network traffic and access requests, no matter where in the world they come from. Organizations moving to the cloud need a new security paradigm to protect themselves—and that paradigm is Zero Trust.

We need a new way of thinking

For those who don’t know, Zero Trust is a security model that was first developed by John Kindervag in 2009 at Forrester Research. Zero Trust recognizes that the landscape has changed, and that all network traffic is potentially vulnerable. As such, we shouldn’t assume trust based on the network a connection originates from.

The framework asserts three best practices of security:

  • Access all resources securely

  • Strictly enforce access control regardless of access origin

  • Inspect and log all traffic

As the modern enterprise and its security challenges have evolved, so has Zero Trust. The Zero Trust Extended Ecosystem (ZTX) builds on the original model, offering a security framework developed for a cloud- and mobile-first world:

  • Encrypt data in transit and at rest, and protect it with classification schemes

  • People, workloads, and devices are just as untrustworthy as network traffic

  • Automate and orchestrate more processes for efficiency

Similar security models exist, too—Gartner’s CARTA, for one, stands out as particularly well-aligned with our vision of what makes a secure cloud landscape. Nowadays, when 81% of data breaches occur because of stolen credentials, and one in every hundred emails is a phishing attempt, the risks are too great not to enforce access controls, make sure everyone accesses their resources securely, and inspect and log all network traffic.

We’ve been tackling the Zero Trust framework for some time at Okta with our approach to identity-driven security, and we’re always expanding our identity solutions to fit the realities of the modern workplace. That’s why we recently acquired ScaleFT—an access management platform that provides secure, remote access without the need for a VPN. With ScaleFT, employees working remotely log in to their work systems using client certificates that are aware of the login context (including information on the endpoint device) and expire after each use. Being able to authenticate user identities at this level—leaving no room for doubt or compromise—is what it takes to stay secure in the cloud, and it’s exactly what we mean when we say that our identity solutions allow you to execute Zero Trust. ScaleFT is just one piece of our vision for Zero Trust, which is made up of our existing suite of solutions and partnerships to provide best-in-class security.
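To make the principles above concrete (enforce access control regardless of origin, inspect and log every request, and short-lived single-use client credentials like the ones described for ScaleFT), here is a toy policy-decision routine. It is an added illustration, not Okta or ScaleFT code; the class and field names, the sample requests and the reason strings are all invented for this example.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class AccessRequest:
    """One access attempt, as the policy engine would see it (constructed)."""
    user: str
    resource: str
    source_network: str   # e.g. "corp-lan" or "internet"; deliberately never trusted
    mfa_verified: bool    # a second factor (e.g. a hardware token) was presented
    device_managed: bool  # endpoint posture reports a managed, compliant device
    cred_id: str          # id of the short-lived, single-use client credential
    cred_age_s: int       # seconds since that credential was issued
    cred_ttl_s: int       # lifetime granted to it at issuance


class ZeroTrustPolicy:
    """Evaluates every request the same way, wherever it comes from."""

    def __init__(self) -> None:
        self.audit: List[dict] = []   # every decision is logged, allow or deny
        self.used: Set[str] = set()   # credentials are burned after one use

    def evaluate(self, r: AccessRequest) -> Tuple[bool, str]:
        allowed, reason = self._decide(r)
        # "Inspect and log all traffic": denials are recorded too.
        self.audit.append({"user": r.user, "resource": r.resource,
                           "network": r.source_network,
                           "allowed": allowed, "reason": reason})
        return allowed, reason

    def _decide(self, r: AccessRequest) -> Tuple[bool, str]:
        # r.source_network is intentionally not consulted: sitting on the
        # corporate LAN earns a request no trust at all.
        if r.cred_id in self.used:
            return False, "credential already used"
        self.used.add(r.cred_id)       # consumed even if the request is denied
        if r.cred_age_s > r.cred_ttl_s:
            return False, "credential expired"
        if not r.device_managed:
            return False, "unmanaged device"
        if not r.mfa_verified:
            return False, "mfa required"
        return True, "allowed"
```

A password-only request from the office LAN is denied exactly like one from the internet, while a remote request with MFA, a managed device and a fresh credential is allowed once and then refused on replay.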

Take our partnership with Yubico, for example. Yubico makes YubiKey physical tokens that securely authenticate users with leading standards such as Universal 2nd Factor (U2F). Together, we’ve combined these tokens with our Adaptive Multi-factor Authentication (Adaptive MFA) solution to give companies a choice of authentication factors, allowing them to pick the ones that best suit their business—be it U2F, Okta Verify, or other options. This has made working life easier and more secure for multiple organizations—Verifone, for instance, layers in YubiKey to provide maximum assurance and peace of mind in its security posture, especially when it comes to the most privileged users within the organization. It goes to show that you can leverage Okta’s open platform philosophy to implement Zero Trust regardless of your vendor preferences or existing security investments.

If you’re making a move to the cloud—or already there—employing a Zero Trust mindset is the way to stay protected. Identity is the platform for Zero Trust—and we’ll continue our laser-sharp focus on identity-driven security to partner with you and protect your most valuable assets.