Achieving Zero Trust: ManageEngine's path to upgrading cybersecurity
Data loss prevention
Mobile device manager
User and entity behavior analytics
Zero Trust architecture
Zero Trust network access
Zero Trust application access
Zero Trust data access
Even knock-knock jokes have verification! How about you? Would you welcome a stranger into your home without verification? You would probably look through the peephole. You would open the door and ask them who they are, based on which you would decide how much access they can have. A delivery agent stops at your porch. A plumber can enter your kitchen to fix the sink. A house sitter can enter all the rooms, but you would keep the closet with your valuables locked. Similarly, organizations have multiple layers of security covering everything from entering the network to accessing files. All of this is facilitated by the guiding principles we refer to as Zero Trust.
Who is this e-book for?
Zero Trust may seem intimidating without the right guidance. If your organization is stepping into this ocean now, this e-book is for you. We will start with ManageEngine's ongoing experiences and work our way to mapping out what you can do as an IT leader for your organization.
(Zero Trust) addresses the agile needs of modern organizations and eventually it will become the way any security framework is (built).
From a business option to a business imperative, every one of us is on a Zero Trust journey-whether we know it or not.
In this e-book, we will elaborate on:
- Zero Trust: what it is and what it is not.
- A framework you can implement without tearing your existing system apart.
- ManageEngine's Zero Trust plan.
- Real-life use cases.
- Challenges and best practices.
Self-assessment to get started
What is Zero Trust?
Zero Trust is more than just a buzzword. It is the next step in cybersecurity. In the last decade, there has been an uptick in the number of security incidents organizations face due to internal and external threats. In ManageEngine's 2021 Digital Readiness Survey, we deduced that phishing, network endpoint attacks, and malware were the most prominent security threats, yet only 26% of organizations have opted for Zero Trust network implementation. Zero Trust is no longer an option. It is an imperative. At ManageEngine, we have started implementing Zero Trust in our network to give ourselves an extra shield against these preventable attacks.
Zero Trust stands on three principles:
Debunking the myths
Myth #1: Zero Trust is a product
Fact: Zero Trust is not a single solution that you can purchase. On the contrary, it is a framework or set of principles to guide organizations to make better security choices and protect themselves from breaches. However, vendors can offer multiple tools, like user authentication, that can be integrated to support Zero Trust in a network.
Myth #2: A good strategy needs to start from scratch
Fact: Google's BeyondCorp had to take apart and rebuild its entire network architecture to incorporate Zero Trust, but you do not have to do this. Enhance your existing network with a step-by-step approach. You can use a password manager tool, real-time auditing and monitoring, and multi-factor authentication (MFA) as a first step.
Myth #3: It really means "never trust (your employees), always verify"
Fact: Security is not personal. Trusting that everyone inside your organization has good intentions is a vulnerability. Attackers can be within or without an organization, and your job as an IT leader is to always keep information secure. However, this does not mean employees must always be treated like threats. User and entity behavior analytics (UEBA) can be used to assign trust scores based on several parameters and to grant users personalized access.
Myth #4: Zero Trust is for large enterprises
Fact: You do not need to burn a hole in your pocket or run a multinational corporation to introduce Zero Trust. BeyondCorp created a misconception that Zero Trust is expensive and time-consuming. That is only because it had to create something that did not exist before. SMBs, on the other hand, can now get started on their Zero Trust journeys with the simple tools that are available. In fact, you will save money on operational costs in the long run. Let us not forget that cyberattacks are not selective—they can happen to anyone. It makes more sense to spend a bit to protect your data than to pay hefty fines for non-compliance and damage control.
Myth #5: It only works on-premises
Fact: Over the last few years, we have seen tremendous growth in organizations adopting cloud-based solutions and moving to cloud or hybrid environments. Likewise, Zero Trust implemented on-site can be extended to cloud solutions with cloud-based security approaches.
Myth #6: The user experience and productivity will suffer
Fact: It might seem like a hassle to limit access and verify identities with each session, but with the right tools, workflows, and policies, it is possible to provide a user-friendly experience. Studying user behavior allows us to eliminate authentication requests for low-risk profiles and lessen wait times consistently. Additionally, Zero Trust increases productivity on the admin side. Once an employee leaves the organization, it automatically ensures they do not have access to any resources. There is no room for manual error. The admin team can focus on other critical tasks instead.
Assessing ManageEngine's security model
The traditional castle-and-moat model works under the assumption that everyone within a network is trusted. It weeds out external threats and vulnerabilities but does not account for the internal users or devices. That was the standard strategy for almost 20 years. Now, this is outdated.
The perimeter-based security model worked when ManageEngine had employees working in the office every day. Access to information was granted through the corporate Wi-Fi only. Pre-pandemic, working from home was not mainstream yet. Apart from development teams and some remote employees, ManageEngine did not have a heavy requirement for the VPN. When the pandemic hit, everyone shifted to remote work. Simultaneously, we were hiring new employees for multiple teams.
At this point, ManageEngine faced five main challenges:
It became evident to the Admin team that it would have to step up its security to keep business moving as usual. Our Security team got to work—it was time to find a stronger alternative to the VPN.
Why did we decide to begin our Zero Trust journey now?
- The pandemic forced a temporary shift to remote work but influenced an irreversible change in work culture. At the time of writing this e-book, Zoho is over 12,000 employees strong and easing its way into a hybrid model. Balancing in-office and remote teams requires a sophisticated security framework.
- A successful enterprise is always the biggest target for cyberattacks. It is inevitable. It is at risk for ever-evolving external threats, insider attacks, vulnerabilities, and more. Over the last few years, we have noticed an increase in potential threats. Thus, ManageEngine decided to get started with Zero Trust.
- Zero Trust is not infallible. There is still room for attacks, but Zero Trust is an additional form of protection in which every organization must invest.