The cyber threat situation for German companies is more serious than ever. In the current survey “Cyber Security 2022”, 77% of the companies surveyed state that the number of cyber incidents in 2022 increased compared to the previous year. According to the digital association Bitkom, the German economy suffers annual damage of 203 billion euros from cyber crime. In its report on the state of IT security in Germany, the German Federal Office for Information Security (BSI) notes that 116.6 million new malware variants appeared between June 2021 and May 2022 alone.
Hybrid IT environments in particular, such as those found in most companies, represent an attractive target for cyber criminals if they aim to steal or encrypt confidential data. The changing world of work is also playing its part in increasing the risks to businesses in terms of cyber-attacks. Just a few decades ago, IT applications and data were accessed exclusively from a fixed location within the corporate network. To the outside, the network could be effectively protected by firewalls. Within the network, only employees had access. Today, however, remote work is the order of the day – whether from the home office or on the road via mobile devices. Employees access company resources and networks from virtually anywhere. Data is no longer stored locally, but predominantly in the cloud.
So while the world of work has changed radically in recent years, security concepts are lagging behind. The security concept common in the past was based on employees logging on to the system with a user name and password and thereby gaining access to almost all resources. Today such a concept can no longer reliably keep attackers away from corporate data and applications, especially since the human factor remains the biggest point of entry: people still fall for today's extremely sophisticated social engineering and phishing methods and reveal their login data.
Consequently, new security concepts are needed that take account of the changed realities in terms of cyber threats. Zero Trust is based on the principle of trusting no device, user, service or application, whether inside or outside one's own network. Every access to systems and applications is therefore verified. In the Zero Trust approach, trust is a dynamic variable that must never be granted implicitly; instead, protection mechanisms and real-time analyses run constantly to re-establish the legitimacy of each request.
All entities must be explicitly validated, authenticated and authorized; if such validation does not take place, access is denied. Likewise, access must never be granted beyond the established level of trust, and whether trust is still warranted is continuously monitored and re-evaluated. Zero Trust also includes the principle of least privilege: employees are granted access only to the applications and data they actually need to complete their tasks. Other important elements are role-based assignment of rights and the prohibition of local admin rights for users.
Identity & Access Management (IAM) makes a decisive contribution to implementing the Zero Trust concept. It forms a central control layer with access rules for all applications and thus governs access to resources. In the context of Zero Trust, dynamic and continuous authentication is essential in order to determine whether users are actually who they claim to be. With automated processes, Identity & Access Management strikes a balance between maximum security and effective, convenient work. The technical pillars of IAM that help make Zero Trust a reality are role management, user lifecycle management and access management.
One thing first: Zero Trust cannot be implemented overnight. It has to be introduced step by step over a longer period. An important prerequisite for its success is a changed understanding of security on the part of the company's decision-makers and a realignment of the security concept.
As far as concrete implementation is concerned, the first step is to obtain an overview of who currently has access to what and who actually needs which authorizations. Companies also need to prioritize the components of their portfolio according to their susceptibility to failure, with the aim of reducing risk as far as possible, especially in sensitive areas. The effectiveness of Zero Trust stands or falls with an effective process for authenticating, authorizing and continuously validating users.
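The inventory step above ("who has access to what, and who actually needs it") and the least-privilege principle from the Zero Trust description can be turned into a concrete entitlement review. The following is an added example, not code from the original article: the role model, the permission names and the account inventory are constructed for illustration, and a real review would read them from the directory, the IdP and the application ACLs instead.

```python
"""Entitlement review: compare what each account can actually access with what
its role requires, and flag everything beyond that.

Added example, not code from the original article. The role model, the
permission names and the inventory are constructed for illustration."""
from dataclasses import dataclass

# Hypothetical role model: the permissions each role needs for its tasks.
ROLE_PERMISSIONS = {
    "finance-clerk": {"erp:invoices:read", "erp:invoices:write", "mail:read"},
    "hr-specialist": {"hr:records:read", "hr:records:write", "mail:read"},
    "developer": {"git:repos:read", "git:repos:write", "ci:pipelines:run", "mail:read"},
}


@dataclass
class Account:
    user: str
    roles: set
    granted: set                # permissions actually present in the target systems
    local_admin: bool = False   # holds local administrator rights on the endpoint


# Constructed sample inventory (what an export from AD, the IdP and the
# application ACLs might look like after normalisation).
INVENTORY = [
    Account("alice", {"finance-clerk"},
            {"erp:invoices:read", "erp:invoices:write", "mail:read", "hr:records:read"}),
    Account("bob", {"developer"},
            {"git:repos:read", "git:repos:write", "ci:pipelines:run", "mail:read",
             "erp:invoices:write"}, local_admin=True),
    Account("carol", {"hr-specialist"}, {"hr:records:read", "mail:read"}),
    # No role at all, e.g. a leaver whose grants were never revoked.
    Account("dave", set(), {"git:repos:read", "mail:read"}, local_admin=True),
]


def required_permissions(account):
    """Union of the permissions of all roles held by the account."""
    needed = set()
    for role in account.roles:
        needed |= ROLE_PERMISSIONS.get(role, set())
    return needed


def review(inventory):
    """Per-user findings: grants beyond the role (excess), grants the role
    needs but the user lacks (missing), local admin rights and orphaned accounts."""
    findings = {}
    for acct in inventory:
        needed = required_permissions(acct)
        findings[acct.user] = {
            "excess": sorted(acct.granted - needed),
            "missing": sorted(needed - acct.granted),
            "local_admin": acct.local_admin,
            "orphaned": not acct.roles,
        }
    return findings


def remediation_order(findings):
    """Rank accounts by how far they deviate from least privilege, worst first.
    The weights are a simple heuristic: orphaned accounts and local admin rights
    count most, then each excess grant."""
    def score(item):
        f = item[1]
        return (3 if f["orphaned"] else 0) + (2 if f["local_admin"] else 0) + len(f["excess"])
    return [user for user, _ in sorted(findings.items(), key=score, reverse=True)]


if __name__ == "__main__":
    result = review(INVENTORY)
    for user in remediation_order(result):
        print(user, result[user])
```

The "missing" list is deliberately reported as well: a role that is defined on paper but whose holders work with ad-hoc grants is a sign that the role model, not just the accounts, needs cleaning up before role-based assignment can replace individual permissions.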
Zero Trust concepts do not assume trust within a network but define trust as a dynamic variable that requires continuous validation. Permissions are granted according to the principle of least privilege on the basis of contextual data and are consistently checked against predefined corporate policies. Granular, context-based policies protect data because access permissions are re-evaluated whenever the contextual conditions change (identity, device, location, content type, requested application, etc.). Because every connection is terminated at the policy enforcement point rather than passed through unexamined, ransomware, malware and other threats can be blocked effectively.
Reducing the attack surface also reduces risk. Users connect directly to the applications and resources they need without being given access to the corporate network. This direct connection minimizes the risk of a threat spreading laterally and prevents compromised devices from infecting other resources.
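The two paragraphs above describe the enforcement side: a decision made per application from identity, device, location and data classification, repeated on every request, and a session that is closed rather than kept alive when the decision flips. The following is an added example of such a policy engine and is not code from the original article: the context fields, the per-application policy and the sample contexts are constructed for illustration, and a real deployment would take them from the IdP, the endpoint management system and the application catalogue.

```python
"""Context-based access decisions that are re-run on every request.

Added example, not code from the original article. The context fields, the
per-application policy and the sample contexts are constructed for
illustration."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Context:
    user: str
    roles: frozenset
    mfa_verified: bool        # identity was verified with a second factor
    device_compliant: bool    # e.g. managed, patched, disk encrypted
    location: str             # coarse network location: "office", "home", "untrusted"
    app: str                  # the one application being requested
    action: str               # "read" or "write"


# Hypothetical per-application policy: entitled roles and data classification.
APP_POLICY = {
    "wiki":  {"roles": {"staff"},   "sensitivity": "internal"},
    "erp":   {"roles": {"finance"}, "sensitivity": "confidential"},
    "hr-db": {"roles": {"hr"},      "sensitivity": "restricted"},
}


def decide(ctx):
    """Return (allowed, reason). Nothing is trusted up front: every check must
    pass, and anything not explicitly allowed is denied."""
    policy = APP_POLICY.get(ctx.app)
    if policy is None:
        return False, "unknown application"
    if not ctx.mfa_verified:
        return False, "identity not verified with MFA"
    if not ctx.roles & policy["roles"]:
        return False, "role not entitled to application"
    if not ctx.device_compliant:
        return False, "device not compliant"
    sensitivity = policy["sensitivity"]
    if sensitivity == "restricted" and ctx.location != "office":
        return False, "restricted data only from the office network"
    if sensitivity != "internal" and ctx.action == "write" and ctx.location == "untrusted":
        return False, "no writes to sensitive data from an untrusted location"
    return True, "ok"


class Session:
    """Session to exactly one application (no network access is implied).
    Every request re-evaluates the current context; if the decision flips to
    deny, the session is closed instead of keeping the earlier trust alive."""

    def __init__(self, ctx):
        self.ctx = ctx
        self.log = []
        allowed, reason = decide(ctx)
        self.active = allowed
        self.log.append(("open", allowed, reason))

    def request(self, **context_changes):
        """Handle a request after the given context changes (e.g. the device
        failed a compliance check or the user moved to another network)."""
        if not self.active:
            return False, "session closed"
        self.ctx = replace(self.ctx, **context_changes)
        allowed, reason = decide(self.ctx)
        self.log.append(("request", allowed, reason))
        if not allowed:
            self.active = False
        return allowed, reason


def demo():
    """Worked sequence: a compliant session is closed mid-way when the device
    posture changes; the next request is refused even after the device is
    compliant again, because trust is not carried over from the old session."""
    ctx = Context("alice", frozenset({"finance", "staff"}), True, True, "home", "erp", "read")
    session = Session(ctx)
    steps = [session.request(action="write"),
             session.request(device_compliant=False),
             session.request(device_compliant=True)]
    return session.active, steps


if __name__ == "__main__":
    print(demo())
```

Note that the policy is keyed by application, not by network segment: a user entitled to the ERP system gets a decision for the ERP system only, so a compromised device with that session does not obtain a foothold from which other systems could be reached.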