On Zero Trust: Modern Cybersecurity’s Most Misused Phrase
In my 20+ years working in cybersecurity, I’ve only seen a few terms garner the level of attention and hype that “Zero Trust” has in the last few years. This has, unfortunately, been somewhat to its detriment. With muddied marketing language now flooding the discourse, zero trust has become the most overused, misused, and abused phrase in cybersecurity, which is disappointing considering the genuine utility and benefit zero trust has to offer so many modern organizations. I recently was invited to discuss this topic to clarify my position in a webinar, Zero Trust: The Most Overused, Misused & Abused Cybersecurity Phrase Today. I’ve summarized the webinar’s salient points in the article that follows. Or, better yet, click the banner below to view the entire discussion.
What Is Zero Trust Security?
To put it in proper perspective, zero trust creates what I call absolute least-privilege access for users, devices, data, and applications - enforcing strict verification protocols to thwart bad actors from accessing anything and anyone on the network using compromised or falsified credentials. When explaining the concept, I’ve found it best to define zero trust’s three fundamental questions to verify users: Who? What? Where? Who will be getting access (and from where), and what do they want to access? A holistic zero trust networking framework considers every data point available to answer these questions, from the user's purported identity to their location, device, and behavior.
Studies show that organizations are broadly embracing zero trust now more than ever. With 81% of companies transitioning to a hybrid work environment, traditional security techniques are no longer sufficient for protecting a company’s data. The percentage of phishing emails has increased since the pandemic began, and compromised user data is the leading cause of breaches. Each year, more of our employees access company data remotely, sometimes through unsecured personal devices. True zero trust protocols will help us remedy the situation, lowering the risk of data breaches that so many of us are facing.
However, people are misunderstanding and confusing what zero trust is. As I’ve come to see all too often, shoddy marketing is largely to blame. Zero trust isn’t a single product. Marketers inundate businesses with offers of complete zero trust solutions, but often fail to understand zero trust as anything more than a buzzword. No one can sell you a zero trust solution, just like no one can sell you the perfect body. We have to adopt best practices as one would a healthy diet and exercise, with adherence to the best practices creating a more robust security environment for their data. Promises of zero trust creating a breach-proof security system are also unrealistic. My experience has led me to conclude that no security solution is infallible, and it’s best to take a pessimistic view of your security protocols to spot potential flaws.
The Key Benefits, Weaknesses, and Obstacles of Zero Trust Environments
Having worked with companies of all sizes, I’ve seen the common obstacles zero trust frameworks attract. Organizational silos, budget concerns, development times, and work-culture pushback can hinder a company’s ability to implement a zero trust framework properly. Some of these obstacles have solutions. A Forrester Total Economic Impact™ study commissioned by Microsoft found that zero trust frameworks can have a 91% ROI, mitigating the budgetary obstacle many companies face. Other issues are more difficult to solve. Zero trust resets permissions and reevaluates which employees need access to which sets of data. Inevitably, that means that some employees will wind up with fewer permissions, which can cause work culture friction.
The National Institute of Standards and Technology’s (NIST) research into the benefits and weaknesses of zero trust practices is one of the best resources for properly defining the topic and its minutia for companies to read. Insider threats, DDoS attacks, and stolen credentials underscore the primary challenges that zero trust environments face. However, enterprises can meet these challenges by appropriately maintaining and configuring a network.
We have to consistently work to maintain zero trust best practices, but there are tangible benefits. Zero trust reduces attack surface, limits the possibility for data exfiltration, and improves both cloud and on-prem security posture. However, protecting both our and consumers’ data is perhaps the most important aspect of zero trust. 81% of Americans believe the potential risks of data collection outweigh the benefits, and regulations like GDPR have introduced severe ramifications for companies that allow data breaches to happen.
In the court of public opinion and the court of law, no company can afford the type of data breaches that zero trust can help prevent. It isn’t a flawless solution, but zero trust can save enterprises money even if a breach transpires. An IBM study found that breaches cost $1.76 million less for companies using zero trust principles.
How to Create an Ideal Zero Trust Environment
Again, zero trust isn’t a single product or solution. Zero trust is a set of protocols that measure data points against purported user credentials to authenticate a user’s identity, thus protecting essential data against potential breaches. We have to actively manage our zero trust protocols to create an ideal environment, which we accomplish by introducing a few distinct elements.
Multi-Factor Authentication
Multi-factor authentication (MFA) is one baseline component of zero trust. Microsoft has gone so far as to posit that “MFA will eventually eliminate the need for passwords,” largely thanks to advances in biometric and “passwordless” technologies.
Identity Access and Management
Consistent Identity Access and Management (IAM) practices are a crucial aspect of maintaining a healthy zero trust environment. Caution, you should have the resources to manage such a system, as it will make it far easier to define normal behaviors, find erratic behaviors, and prevent breaches. The most common initial attack victor is compromised credentials, which IAM helps address. This gives companies time to close off potential vulnerabilities and can prevent an incident from causing serious harm, and in the case of IoT devices, such as medical devices or environmental sensors, this could include physical harm or even death.
Edge Microsegmentation
Enterprises are limiting bad actors’ ability to wreak havoc on a network with a simple but extremely effective approach - by hiding the network. We built Byos not just to isolate connected devices on the network, but to also make them invisible. In this way, endpoints that have been compromised by an adversary cannot contact their peers, thus preventing an attack from spreading. Typically, bad actors have moved malware from their first compromised endpoint to every other device they can find on the network. Thanks to the way we isolate and cloak devices, those bad actors can’t use compromised devices for lateral attacks, microsegmentation also blocks devices from piggybacking on approved data requests, making it an essential part of a complete zero trust strategy.
If you’d like to learn more about how Byos can improve your zero trust posture, contact us today.