Traditional security models designed on the premise of organizations having a well-defined IT perimeter no longer apply in the perimeter-less world. Passwords based security, which assumed that users operated and accessed business information only form within the enterprise IT perimeter were adequate in the past. But in today's IT environment, where users are accessing information from a variety of untrusted devices, apps, networks, locations, and services - passwords alone are no longer sufficient. It should be no surprise that passwords are still the number 1 cause of data breaches. According to the Verizon Data Breaches Investigations report - 81% of breaches involved weak or stolen passwords. This is because passwords are easily compromised.
In the reality of today's security world how does an organization protect itself? With a zero trust approach and framework to security. Zero trust assumes that bad actors are already in the network and secure access is determined by an 'always verify, never trust' approach. Zero trust approach requires that you verify the device, user, apps, networks, and presence of threats before granting access. In addition, you should have on-going enforcement. But with many theories about zero trust how do you ensure you've taken the right approach.
CIOs and CISOs face three big challenges: