The problem with zero trust security deployment is pretty common in enterprises and large organizations. It results from big organizations’ inertia in adapting market trends and standards. In addition, it is associated with the so-called vendor lock-in in the context of already installed solutions, i.e. a situation in which the customer is dependent on the solution provider to such an extent that it is not possible to change the vendor without incurring large costs caused by the change.
Zero Trust Security
Many years ago, critical systems that required protection against external attacks were secured in the so-called moat that clearly divided the outside world from the world inside the organizations’ secure network.
It was undiscussed for many years new factors appeared and completely refuted the validity of this assumption. These factors were:
- private electronic devices used by employees in the office
- company devices carried out by employees outside the organization
- the use of systems/applications in the SaaS model (so located physically outside of the organization)
- and finally, remote work, which since April 2020 has become an unplanned new reality.
Due to these factors, cybersecurity strategies in large organizations with heterogeneous IT environments had to abandon the moat model and move towards “zero trust“.
The main change that came with the new model was the transfer of cybersecurity from the periphery of the organization to a more granular level, which is the user himself and the interfaces he uses.
Additionally, statistics show that in over 80% of cases of breaking into an organization’s infrastructure, identity theft plays a huge role. It is therefore a critical attack vector.
The key to effectively protecting your organization’s data and resources is making sure you know exactly who is on the other side of the screen. Without this certainty, nothing can ever be secure.
There are many solutions on the market that address this problem. Strong authentication methods, i.e. (2FA or MFA), or futuristic sounding passwordless, where the user will not need to use a troublesome password, but only a factor that will easily authenticate him or her.
This direction is closely related to the new open standard of web authentication, widely used on the Internet, known as FIDO2 or Webauthn. Already today, this standard is supported in commonly used web browsers.
It is clear where the problem lies in large organizations’ cybersecurity and what is the solution. Unfortunately, the last difficulty standing in the way is the difficulty of implementing that solution.
Technology adoption is actually the biggest challenge, especially for enterprises like financial institutions that have been building their technology stack for years. These types of organizations own applications from various vendors, often written by their own programming teams, in various possible technologies.
This is where a solution like User Access Security Broker comes into play.
Security broker is a modern approach to the implementation of the zero trust methodology along with the forward-looking passwordless methods.
This solution builds a layer between the users and the applications used by the users. It is in this layer that everything related to the safe access of users to the application takes place, regardless of where they log in from.
Another advantage is the fact that the broker does not require any database or application integration and can be used regardless of the technology in which the protected application was written.
So the generalized formula for CISO success looks like this:
zero trust (passwordless) + user access security broker