What You Need to Know About Zero Trust
Cybersecurity as a field used to take the approach that data was a castle we protected with a moat, a fiery algorithmic dragon, and maybe some shining armor. The data was all there, unseparated like a pile of golden spoils within those stone walls. But what happened when an intruder breached those walls? Everything was there for the taking.
Fast forward a few decades and cybersecurity professionals have created new approaches that break down access, building new internal walls, lots of tunnels, and checkpoints that require users to prove their identity, which in turn determines what access level they get.
This is known as “Zero Trust”.
While it might sound counterintuitive, this new approach to cybersecurity (and big-time buzzword) actually makes a lot of sense. Rather than granting access at the big shiny gate with a single checkpoint, a Zero Trust approach asks us to assume no one is trustworthy to enter spaces, crawl through tunnels, or breach walls until they have continuously proven their identity for each associated level of access.
It’s an approach Salesforce is actively applying to maintain trust as our number one value. But what does this mean for Salesforce customers? I spoke with Saša Zdjelar, Senior Vice President of Security Assurance at Salesforce, to find out how Zero Trust impacts you, your customers, and Salesforce.
Bailey: So, Saša, let’s backtrack a bit. Where did “Zero Trust” come from?
Saša Zdjelar: Sure, that’s the best place to start! To understand the future, it is helpful to understand the past. To use the castle and moat analogy, the cybersecurity field approached data from a perimeter breach mindset. Once inside, someone had access to everything. This approach worked because back in the day we were operating with physical locations, on-prem servers, and single networks. It made sense to focus on setting up and securing a simple perimeter.
But as companies like Salesforce and other SaaS (software as a service) providers came around, people began moving data between providers, and we evolved to more remote and mobile work, the once singular perimeter became incredibly blurry. Before you know it, by the time you’ve adopted products like G-Suite, the Salesforce CRM, and other business solutions, the perimeter has completely disappeared. There is no longer a single castle with all of the data inside. Instead, you have lots of small villages of data that are spread about, and they’re no longer inside your castle with big walls.
As these new, global technologies developed, so too did more sophisticated cybersecurity threats, resulting in advanced nation-state breaches, malware, and ransomware events. What we learned over the years is how these actors often exploited the inherent weaknesses of our castle-moat designs. This is where Zero Trust enters the scene; we realized that breaches should not compromise and grant access to everything, so we broke things into tunnels specific to proven identity, device permissions, multi-factor authentication, and more. Zero Trust asks us to not trust anyone until they have proven themselves trustworthy, and as a result, it makes us all safer.
Bailey: Absolutely, that analogy is so helpful! Can we dig more deeply into how Zero Trust works in an organization like Salesforce, where, at face value, it seems contradictory to our number one value of trust?
Saša: These are important questions, and the term “Zero Trust” can be very confusing because it does not tell you much. When you’re an organization like Salesforce and your number one value is trust, to then tell your customers that you have zero trust might seem problematic.
What the term actually means is there is zero implied trust in connections; you do not get trust by default just because you can connect, and you need to earn trust for every resource you access. And you do so through identity authentication, device posture attestation, and other things. Once we decide that we can trust you and we revalidate that trust for every request you make, we then have to decide what you have access to. We can broker access to a specific tunnel to specific information within a specific application, and it can be as specific as a particular port or service.
Bailey: Ah, so it actually helps us fulfill our number one value!
Saša: Absolutely. On the Salesforce corporation side, Zero Trust helps us become better protected against advanced persistent threats, nation-state actors, or other attacks, so that we are all more resilient. And as a product to customers, you should have comfort knowing that data is better protected. The benefits that Zero Trust brings to our organization are the same benefits it brings to our customers.
Beyond this, we are looking at strategies for bringing concepts of Zero Trust to how our customers access their own data. If employees of your organization access your data, how can Zero Trust help ensure that only verified employees of the organization, with authorization, and the correct devices and location, are allowed to have access to that data?
Once you tell us what “good” looks like for your organization, in terms of identification, devices, and locations that you expect to see, we can help set up what we call “front door access,” determining whether we allow access to your own data. This can help with rogue employees, risks or compromises in your own environment, and prevention of access to any data stored with Salesforce.
Bailey: That makes a lot of sense. It is so helpful to know how cybersecurity professionals and organizations like Salesforce are taking steps toward Zero Trust and why. I know this term has become something of a buzzword today, but it’s been around for about a decade now, so can you share more about what heightened or increased the urgency in the shift towards Zero Trust?
Saša: If you look at any technological timeline, there are usually moments that catalyze shifts and drive change. For Zero Trust, despite being coined in 2010 by John Kindervag, COVID-19 was a really big moment that has been driving the shift. Before COVID-19, the network security sector along with a very small percentage of the most cutting-edge cloud-native companies were looking at practices of Zero Trust.
When COVID-19 happened, entire workforces across industries and around the globe were sent home. What many people may not realize is that when operating in company VPN mode, the entire network of the organization has been extended to those places. Not surprisingly, a lot of risk comes with this. Imagine having hundreds of thousands of employees all around the world extending the company’s networks in each of their locations or coffee shops? That opens organizations up to so many vulnerabilities.
With Zero Trust, when you have been scrutinized as an authorized user of an application or service, the technology then brokers a very specific microtunnel for that specific asset rather than extending the entire castle to you. In doing so, the data is far more protected.
Bailey: This is great to know, especially because so much about the ways we work and engage online has shifted since COVID-19. I’m curious about where we might see Zero Trust in the everyday. What are some ways we encounter Zero Trust approaches or practices more regularly?
Saša: So, we actually do see a lot of Zero Trust practices in consumer aspects of everyday life. For example, when you log into your banking app or website, they may have you sign in and then enter a code that they email or text you to complete your log-in. When devices are not recognized, consumer acceptable device posturing will ask for you to give more confirmation that this is your device, answering extra questions, asking if you would like to add this device as a “trusted device.” Salesforce requires multi-factor authentication (MFA) for all employees and customers to increase protection against phishing attacks, credential stuffing, and account takeovers through additional factors of security checks. Even in the event of someone stealing a username and password, the added layers of security checks will still prevent critical data access. This is an important practice of Zero Trust for us, and many others are embracing it too.
Schools, hospitals, banks, government entities, and even retailers are starting to implement more of their own Zero Trust practices to ensure consumer and citizen safety. A good public service announcement or disclaimer for folks is that if you cannot remember your password and they email you with your password in the email, it means they know your password and they can see it in the clear. That’s a big no-no. Passwords should always be stored encrypted.
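To make the per-request brokering Saša describes concrete, here is an added example (not code from the interview or from Salesforce) of a policy decision that re-checks identity, device posture, expected location and authentication freshness on every request before brokering a tunnel to one specific resource and port. The policy values, users and resource names are constructed placeholders.

```python
"""Per-request Zero Trust access decision: no implied trust from connectivity alone."""
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    mfa_verified: bool      # identity authentication completed (password alone is not enough)
    device_attested: bool   # device posture attestation passed
    location: str           # where the connection comes from (constructed country code)
    resource: str           # application or service being asked for
    port: int               # the specific port/service the tunnel would be brokered to
    token_age_s: int        # seconds since the last successful authentication


# "What good looks like" for this organization: a constructed example policy.
POLICY = {
    "allowed_locations": {"US", "CA"},
    "max_token_age_s": 300,          # older sessions must revalidate
    # resource -> (users authorized for it, ports brokered for it)
    "resources": {
        "crm": ({"alice", "bob"}, {443}),
        "payroll-db": ({"bob"}, {5432}),
    },
}


def decide(req, policy=POLICY):
    """Return (allowed, reason). Every check runs on every request; nothing is cached."""
    if not req.mfa_verified:
        return False, "identity not proven (MFA missing)"
    if not req.device_attested:
        return False, "device posture not attested"
    if req.location not in policy["allowed_locations"]:
        return False, f"location {req.location} not expected"
    if req.token_age_s > policy["max_token_age_s"]:
        return False, "authentication stale; revalidate"
    entry = policy["resources"].get(req.resource)
    if entry is None:
        return False, f"unknown resource {req.resource}"
    users, ports = entry
    if req.user not in users:
        return False, f"{req.user} not authorized for {req.resource}"
    if req.port not in ports:
        return False, f"port {req.port} not brokered for {req.resource}"
    # Only now is a tunnel brokered, and only to this one resource and port.
    return True, f"tunnel brokered: {req.user} -> {req.resource}:{req.port}"
```

A stolen username and password on their own produce a request with `mfa_verified=False`, which is refused before any resource lookup happens.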
As you consider how to best protect your data and the data of your customers, Salesforce can help. Learn more about the products and solutions we’ve designed with security in mind to help your organization maintain trust and protect your customers. And explore our free Cybersecurity Learning Hub (an initiative in partnership with the World Economic Forum Centre for Cybersecurity) to skill up on all the latest security knowledge. After all, ensuring that we maintain trust is everyone’s responsibility!