
By André Facciolli, CEO of Netbr


From the moment cloud operations ceased to be just a chapter of IT and we began to operate, whether by choice or by circumstance, in the new "cloud first" model, the old perimeter-based security concept also ceased to make sense.
 
If until recently we were still busy hardening the firewall, the VPNs and the other typical infrastructure barriers, the steady advance of the cloud has shown that there is no longer any way to separate an "inside" from an "outside" of the corporate network. The phenomenon of "shadow IT", once treated as an organizational problem, quickly became a structural reality and tends toward a complete lack of control.
 
This is not only a consequence of the hybrid character of the infrastructure that is, so to speak, "official" or acknowledged, in which the use of SaaS, PaaS, IaaS and so on is part of a conscious, planned decision by management. It is true that these new IT practices already contribute enormously, by themselves, to abstracting the infrastructure away, but the shadow zone grows faster every day because of new patterns in the user's relationship with the network: the user is no longer an internal agent bound to an office, a machine and a domain.
 
We are in the era of BYOD, of the participatory user (some of them with almost the status of developers) and of the inclusion of customers, partners and suppliers in the access ecosystem. There are countless users in transit, others working from home, others with temporary access (outsourced workers, for example) and a large mass of external agents who reach the company's network because of the demands created by the integrated business chain.
 
Against this background, far more complex than that of the old perimeter network, a security architecture model has emerged in the market that focuses no longer on the "entity" (internal or external to the network) but on the identity of the user, who may be an employee, a piece of network equipment, a bot or even software that mediates or synchronizes between business applications.
 
In this new model the security frontier ceases to be the perimeter and becomes the user (or rather, the user's identity), and in an even more radical reading the security policy ceases to be about fixed identities and looks instead at each access.
 
In a nutshell, access-oriented security is one in which every attempt to reach any element of the network is treated as a security event and must therefore be subject to the dictates of the security policy.
 
Zero Trust networks and the issue of productivity 
 
Perimeter-based security dates from the time when it was possible to delimit clearly the physical and logical (virtual) boundaries of the infrastructure, and it was premised on the existence of a "trusted" portion of the network.
 
As it came under pressure from the growth of shadow IT, this concept began to adopt technically reasonable authentication and filtering measures: more complex passwords, biometric verification, one-time-password tokens (on proprietary devices or on the user's mobile phone), ever more hardened firewalls, next-generation UTM appliances, and so on.
 
The problem is that all this apparatus, however well intentioned (and almost always correct), began to show its flaws when the mass of employees came to need the cloud as a condition of productivity. Forbidding an employee to use a travel application, a messaging app or collaboration software collides with the practical issue of lost productivity.
 
Moreover, if the system demands biometric confirmation or a freshly generated one-time password from the user for every access, there is also the risk of introducing unwanted slowness and harming the business.
 
How can this dilemma be overcome?
 
One of the most consistent answers, and so far the most widely accepted among global consultancies, is the "Zero Trust" network paradigm, developed by Forrester Research analysts around 2009, which began to gain market traction two years ago.
 
As shown above, the model's main premise is that the perimeter is no longer the network or the device but the user (the physical or logical identity, which is not in one exact place but anywhere in the cloud). Another important commandment is that the internal, and therefore accredited, user poses no less danger than the external one; consequently there is no zone of trust.
 
Far from criminalizing employees, what Zero Trust proposes is that any and every access, any and every approach to data, applications and resources, be treated as a security event.
 
For this to be feasible, multi-factor authentication must be applied intensively, as had already been attempted in the historical (perimeter) architecture, but with access itself, and not merely identity, understood as a parameterizable, measurable, recognizable entity, clearly described with its patterns, for a holistic system of monitoring and permission.
 
In this approach, an access to network data has many dimensions: who the supposed user is, what their various credentials and authentications are, from what device and geographic location they are connecting, at what time, in which other applications they acted before requesting the current access, what risk the action carries, how valuable the data in question is, and to what extent the request is related to the user's activity.
 
Whether the access requested is to a word processor or to engineering or financial software does not matter: the distrust (the care) is the same, and it is the same whether the user is an employee sitting at head office or a remote contractor.
 
For this Zero Trust approach to be viable, the security architecture relies heavily on artificial intelligence applied to IAM (identity and access management) technologies. New methods of context-based access analysis make it possible to automate the simultaneous evaluation of all the dimensions of access listed above.
 
One example is adaptive multi-factor authentication. After checking all the parameters of the access, the permission intelligence associated with the IAM can decide whether user A needs to authenticate with a token or biometrics to reach data N, or whether the analysis of the contextual elements alone is enough to grant the access.
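To make the dimensions listed above and the adaptive-MFA decision concrete, the following is an added example (not code from the article or from any product): a small policy engine that scores each access request across device, location, time, session history, role relevance and data value, then chooses between granting, stepping up to a stronger factor, or denying. The attribute names, weights, thresholds and sample requests are illustrative assumptions; a real IAM platform would feed this from its own signals.

```python
# Added example (not from the article): a context-aware access decision of the
# kind the text describes. Every request is scored across several dimensions
# and the score selects the response: allow, step up to a stronger factor, or
# deny. Dimensions, weights, thresholds and sample requests are illustrative
# assumptions, not a real product's policy.
from dataclasses import dataclass, field, replace
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class AccessRequest:
    user: str
    auth_methods: frozenset          # factors already presented, e.g. {"password"}
    device_managed: bool             # enrolled and compliant device?
    country: str                     # geolocation of the request (ISO code)
    time_utc: datetime
    previous_app: Optional[str]      # last application used in this session
    resource: str                    # what is being requested
    data_sensitivity: int            # 1 (public) .. 4 (restricted)
    role_relevant: bool              # does the resource relate to the user's job?


@dataclass
class Decision:
    action: str                      # "allow", "step_up" or "deny"
    score: int
    reasons: list = field(default_factory=list)


# Hypothetical policy parameters.
ALLOWED_COUNTRIES = {"BR"}
WORK_HOURS = range(7, 21)            # 07:00-20:59 UTC
STRONG_FACTORS = {"hardware_token", "biometric"}
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 60


def score_request(req):
    """Accumulate risk from each access dimension; return (score, reasons)."""
    score, reasons = 0, []
    if not req.device_managed:
        score += 25; reasons.append("unmanaged device")
    if req.country not in ALLOWED_COUNTRIES:
        score += 30; reasons.append("unusual location " + req.country)
    if req.time_utc.hour not in WORK_HOURS:
        score += 10; reasons.append("outside working hours")
    if req.previous_app is None:
        score += 5; reasons.append("first request of the session")
    if not req.role_relevant:
        score += 20; reasons.append("resource unrelated to role")
    # The value of the data raises the stakes of every other signal.
    score += 10 * (req.data_sensitivity - 1)
    return score, reasons


def decide(req):
    """Map the risk score to allow / step_up / deny. A strong factor already
    presented lowers residual risk but never bypasses the deny threshold."""
    score, reasons = score_request(req)
    has_strong = bool(STRONG_FACTORS & req.auth_methods)
    if has_strong:
        score -= 25; reasons.append("strong factor presented")
    if score >= DENY_THRESHOLD:
        return Decision("deny", score, reasons)
    if score >= STEP_UP_THRESHOLD and not has_strong:
        return Decision("step_up", score, reasons)
    return Decision("allow", score, reasons)


def step_up_with(req, factor):
    """Re-evaluate the same request after the user presents an extra factor."""
    return decide(replace(req, auth_methods=req.auth_methods | {factor}))


# Constructed sample requests (not real data).
OFFICE_HOURS = datetime(2024, 3, 12, 10, 0, tzinfo=timezone.utc)
EMPLOYEE_WORD = AccessRequest("alice", frozenset({"password"}), True, "BR",
                              OFFICE_HOURS, "email", "report.docx", 1, True)
EMPLOYEE_LEDGER = replace(EMPLOYEE_WORD, resource="general-ledger",
                          data_sensitivity=4, role_relevant=False)
CONTRACTOR_CAD = AccessRequest("bob-ext", frozenset({"password"}), False, "BR",
                               OFFICE_HOURS, "ticketing", "plant-drawings", 3, True)
STOLEN_CREDS = AccessRequest("alice", frozenset({"password", "hardware_token"}),
                             False, "XX", datetime(2024, 3, 13, 3, 0, tzinfo=timezone.utc),
                             None, "general-ledger", 4, False)


def run_examples():
    """Return {label: action} for the constructed requests."""
    return {
        "employee_word": decide(EMPLOYEE_WORD).action,
        "employee_ledger": decide(EMPLOYEE_LEDGER).action,
        "contractor_cad": decide(CONTRACTOR_CAD).action,
        "contractor_cad_after_token": step_up_with(CONTRACTOR_CAD, "hardware_token").action,
        "stolen_creds_with_mfa": decide(STOLEN_CREDS).action,
    }


if __name__ == "__main__":
    for label, action in run_examples().items():
        print(f"{label}: {action}")
```

The same employee, on the same managed device at head office, is let straight into a low-value document but is asked for a second factor when she reaches for a restricted ledger outside her role; the contractor on an unmanaged device is stepped up and then admitted once a hardware token is presented; and the employee's own credentials, complete with a valid token, are refused when they appear from an unusual country at 03:00 on an unmanaged device. That last case is the point of "no zone of trust": the accredited identity is not enough, the access as a whole is judged.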
 
Without any ambition to give a deep view of the problem, it is possible to state with conviction that the Zero Trust architecture, by extending distrust to every element of the network and concentrating the security policy on each individual access, will take away from users prerogatives such as keeping a memorable password, and will reduce the so-called privileged-access users to a very small population within companies.

Disclaimer: The opinion presented in this article is the responsibility of its author and not of ABES - Brazilian Association of Software Companies
