Zero trust security: what it is and why it is important

Last updated : September 12, 2023

Zero Trust Security: what is it and why is it important?

As integration and migration to the cloud continue to grow, the risks brought by external connections have also increased. In this year’s SAP Insider “Cybersecurity Threats to SAP Systems” survey, respondents were asked to rank the top cybersecurity threats to their SAP systems from highest to lowest. Ransomware (data hijacking) attacks, unpatched systems and credential compromise were assessed as the most important threats to systems, as they were last year. The “risk of connections to other systems” appears in fourth place this year, among the top factors driving cybersecurity strategies. The continued growth of cloud migration, integration, data augmentation, virtualization, mobile device access and the Internet of Things (IoT) has made the security of these connections a critical element of cybersecurity. Vulnerabilities due to unsecured systems and connections can be a direct channel to SAP for ransomware, malware (malicious software) and other attacks.

Gartner, in its Zero Trust Architecture and Solutions report, predicts that by 2023, 60% of organizations will use the Zero Trust security model instead of VPNs (virtual private networks). This is due to the increasing complexity of networks and the huge number of remote employees. In addition, there are already regulatory bodies that require or recommend that organizations implement this model.

In another study, Gartner indicates that Zero Trust access is the security model of the future: it is the fastest growing segment of the network security market and will have replaced VPNs by 2025.

Figure: Zero Trust security chart

What is Zero Trust security

When companies first implement network security, they create a perimeter within which everyone trusts each other and has shared access to resources. This perimeter security is also known as the Castle and Moat model. When external access to the network is required, a VPN is typically implemented, either between two sites (site to site) or between a client and the network.

The Zero Trust concept, on the other hand, is based on a distrust of everyone and everything, whether inside or outside the network perimeter.

With Zero Trust access, a specific user or device can only connect to a particular service: for example, to the SSH service of a specific server on a specific port, or to an SAP system over HTTPS on a defined port. This requires an application at both ends: on the client device and on the network to be protected. These applications are responsible for micro-segmenting the traffic according to the defined security rules, for each user or device, and for each service or application to be exposed or published to the outside.
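The difference between the two models can be shown as two access decisions over the same requests. This is an added example, not code from Novis or any Zero Trust product; the user names, device IDs, host names, ports and the internal network range are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values: the internal range, users, devices and hosts are hypothetical.
INTERNAL_NET = ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Rule:
    user: str
    device: str
    host: str
    protocol: str
    port: int

@dataclass(frozen=True)
class Request:
    user: str
    device: str
    source_ip: str
    host: str
    protocol: str
    port: int

def perimeter_allows(req: Request) -> bool:
    """Castle and moat: any source inside the perimeter reaches any service."""
    return ip_address(req.source_ip) in INTERNAL_NET

def zero_trust_allows(req: Request, rules: frozenset) -> bool:
    """Default deny, evaluated on every access attempt: allow only an exact
    user + device + service match. The source address grants nothing."""
    return Rule(req.user, req.device, req.host, req.protocol, req.port) in rules

SAP_RULE = Rule("alice", "laptop-017", "sap-prd.example.internal", "https", 44300)
SSH_RULE = Rule("bob", "laptop-042", "jump01.example.internal", "ssh", 22)
RULES = frozenset({SAP_RULE, SSH_RULE})

# alice reaches her published SAP service from a public address (no VPN).
SAP_REMOTE = Request("alice", "laptop-017", "203.0.113.5", *SAP_RULE.__dict__.values().__iter__().__class__ and ("sap-prd.example.internal", "https", 44300))
# alice, already inside the network, tries a service she has no rule for.
LATERAL = Request("alice", "laptop-017", "10.1.2.3", "jump01.example.internal", "ssh", 22)
# alice's credentials used from a device that is not in any rule.
OTHER_DEVICE = Request("alice", "kiosk-003", "10.1.2.3", "sap-prd.example.internal", "https", 44300)

if __name__ == "__main__":
    for name, req in [("sap_remote", SAP_REMOTE), ("lateral", LATERAL), ("other_device", OTHER_DEVICE)]:
        print(f"{name:13} perimeter={perimeter_allows(req)!s:5} zero_trust={zero_trust_allows(req, RULES)}")
```

Removing a rule from the set takes effect on the next attempt, because nothing is cached from an earlier decision.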

Figure: Zero Trust security flow diagram

Why it is important

Zero Trust security is the security model of the future, for user and device access to networks, servers, services, and applications, because of the following:

  • It allows security policies to be implemented at a very fine granularity, particularly for SAP access.
  • Security policies are verified continuously, at each access attempt.
  • The Zero Trust model simplifies the administration of network, device, user and application security, allowing for better governance, fewer errors and fewer security breaches.

In the case of SAP systems, it is a security model especially suitable for the following cases:

  • Especially critical SAP systems, such as those of banks or other financial institutions, government, or defense.
  • Connecting remote users to SAP, especially users connecting from different public sites.
  • Connecting external users to SAP: users from customers, suppliers, partners, etc.
  • Publishing SAP services on the Internet.

What is required

Implementing Zero Trust security requires very specific tools and services, as well as the necessary expertise for initial configuration and ongoing maintenance.

Novis has implemented and operated Zero Trust solutions for many years. As a result, today it can offer a Zero Trust solution for its clients’ SAP systems as a service, including licensing, infrastructure, project implementation and ongoing operation. In this way, the client can quickly incorporate this advanced security, both for their SAP and non-SAP systems, and keep it in operation as an advanced option of their Novis SAP IT service.

In subsequent installments we will show other advanced security options for SAP systems.

For more information on this and our other services we invite you to contact us.

Feedback/discussion with the author: Glen Canessa.