But times have changed. In the current era, three forces have combined to render the perimeter protection approach outdated: the advent of cloud computing, the ubiquity of mobility and the rise of telecommuting. All these have chipped away at the idea of a sealed perimeter.
Think about it: Where should an organization draw its perimeter today? Sure, the systems located in the business’s office building would live inside the perimeter, but what about the vice president of sales who’s almost never in the office? What about the cloud-based enterprise resource planning solution that contains some of the organization’s most sensitive data? How about the smartphones used by the field engineering team?
The other major disadvantage created by VPNs is that they actually offer users too much access. The idea of having “trusted” and “untrusted” network zones paints every user and device with a broad brush. It’s either dangerous or safe, a completely trusted friend or a dangerous enemy. When any remote user connects to the VPN, they’re almost certainly granted far more access than they actually need. Thus, we’re brought to the fundamental flaw of relying upon VPNs to create zones of trust.
Zero Trust Is a Stronger Defense
The zero-trust model is the alternative to the network perimeter approach. Instead of placing all-or-nothing trust in devices based upon their network location, the zero-trust model begins with the assumption that nothing is trusted solely because of its IP address, and that every action must be explicitly authorized. Zero trust increases our ability to create highly granular access control mechanisms that tailor the access granted to each user and device based upon role and business requirements.
This isn’t a new idea. Indeed, anyone who has ever studied cybersecurity knows about the least-privilege principle, which states users should be granted only the smallest set of permissions necessary to carry out their work. Similarly, the default-deny principle states that every action that is not explicitly allowed should be prohibited.
While security professionals have long embraced these ideals, the reality is that businesses’ access control systems have made it almost impossible to implement them. The zero-trust paradigm allows these principles to at last be put into action.
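To make the contrast concrete, here is a small added example (not code from the article or from any vendor it mentions) that evaluates the same requests two ways: a perimeter-style check that trusts anything arriving from the "inside" network, and a zero-trust check that is default-deny and decides each request on identity, role, device posture and the specific action. The roles, resources, policy rules and sample requests are all constructed for illustration.

```python
"""Added example: perimeter ("trusted zone") authorization versus a
default-deny, per-request zero-trust policy. All names, IPs, roles and
rules are constructed and not taken from any real deployment."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    source_ip: str
    device_managed: bool   # device is enrolled/managed by the organization
    mfa_passed: bool       # user completed multi-factor authentication
    resource: str          # e.g. "erp", "crm", "ticketing"
    action: str            # e.g. "read", "update", "export"


# Assumed "inside the perimeter" range used by the VPN-style check.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def perimeter_authorize(req: Request) -> bool:
    """VPN-style decision: anything on the trusted network may do anything.
    Once a remote user is on the VPN their source IP is internal, so this
    grants far more than their role actually needs."""
    return ipaddress.ip_address(req.source_ip) in INTERNAL_NET


# Zero-trust policy: explicit allow rules keyed by (role, resource). Anything
# not listed is denied (default-deny); each rule lists the permitted actions
# (least privilege) and whether a managed device is required.
POLICY = {
    ("sales", "crm"):            {"actions": {"read", "update"}, "managed_device": False},
    ("finance", "erp"):          {"actions": {"read", "update", "export"}, "managed_device": True},
    ("field-eng", "ticketing"):  {"actions": {"read", "update"}, "managed_device": False},
}


def zero_trust_authorize(req: Request) -> tuple[bool, str]:
    """Per-request decision that ignores network location entirely.
    Returns (allowed, reason); the reason is what you would log so that
    denials can feed detection and access reviews."""
    if not req.mfa_passed:
        return False, "mfa-required"
    rule = POLICY.get((req.role, req.resource))
    if rule is None:
        return False, "no-rule"               # default-deny
    if rule["managed_device"] and not req.device_managed:
        return False, "unmanaged-device"      # device posture check
    if req.action not in rule["actions"]:
        return False, "action-not-allowed"    # least privilege
    return True, "allowed"


# Constructed sample requests mirroring the article's scenarios.
SAMPLES = {
    # VP of sales, connected over the VPN (internal IP), tries to export ERP data.
    "vp_sales_export_erp": Request("vp.sales", "sales", "10.20.1.7", False, True, "erp", "export"),
    # CFO on a managed laptop from a home address reads the ERP system.
    "finance_read_erp": Request("cfo", "finance", "203.0.113.9", True, True, "erp", "read"),
    # Finance analyst on an unmanaged personal device, but on the VPN.
    "finance_read_erp_byod": Request("analyst", "finance", "10.20.1.9", False, True, "erp", "read"),
    # Field engineer on a smartphone updating a ticket from a customer site.
    "field_eng_update_ticket": Request("eng1", "field-eng", "198.51.100.4", False, True, "ticketing", "update"),
}


def compare(name: str) -> dict:
    """Evaluate one sample under both models."""
    req = SAMPLES[name]
    allowed, reason = zero_trust_authorize(req)
    return {"perimeter": perimeter_authorize(req), "zero_trust": allowed, "reason": reason}


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:26s} {compare(name)}")
```

Running the sample shows the two failure modes the article describes: the perimeter check lets the VP export ERP data purely because the VPN gave them an internal address, while refusing the CFO's legitimate read from home; the zero-trust check does the opposite in both cases and gives a loggable reason for each denial.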