Last Updated: 2nd October, 2019
Zero Trust: Post-mortem analysis makes it evident that most of today’s data breaches are not especially sophisticated. Cyber criminals no longer hack into corporate networks; they simply log in using credentials that are weak, stolen, or otherwise compromised.
Once inside the targeted network, they extend their attack and move laterally, hunting for privileged accounts and credentials that help them gain access to the organization’s most critical infrastructure and sensitive data.
It only takes one compromised credential to potentially impact millions – of individuals and/or dollars. Undeniably, identities and the trust we place in them are being used against us.
According to the latest Centrify survey, 74 percent of respondents whose businesses were breached admitted that the breach involved access to a privileged account. That is consistent with the estimate from Forrester Research that “around at least near 80% of data breaches do have a link to severely compromised privileged records.”
Zero Trust, a concept introduced in 2010 by Forrester in collaboration with the National Institute of Standards and Technology (NIST), demands that organizations not inherently trust entities inside or outside their perimeters and instead verify all requests to connect to their systems before granting access. Zero Trust is an answer to obsolete security policies, but its development over the past few decades and the latest publicity have given rise to some misconceptions that hinder compliance.
Zero Trust: Five Misconceptions Debunked About Zero Trust’s Dependability
Misconception #1: Zero Trust Has Nuked the Fridge
After stalling for years, the Zero Trust model has been brought back to the forefront by early adopters such as Google, along with recent analyst accolades, vendor hype and success stories. The latest contribution to the Zero Trust model comes from the Identity Defined Security Alliance (IDSA), an industry alliance of over two dozen identity and security vendors, which has augmented the definition of Zero Trust to align with identity-centric security principles, with success stories from Adobe and LogRhythm.
According to IDG’s 2018 Security Priorities Survey, 71 percent of security-focused IT decision makers are aware of the Zero Trust model, and eight percent are already actively using it in their organizations, while another ten percent are piloting it. Thus, we’re still in the early stages of the hype cycle with adoption expected to rise even further in the years to come.
Misconception #2: Zero Trust Is Solely Focused on Networks
The Zero Trust model was initially focused primarily on network segmentation and least privilege, but it has evolved into a complete framework with practical guidance for implementing a complete strategy for any organization.
This evolution accounts for technological advancements like cloud, Big Data, containers, microservices, etc. Forrester analyst Dr. Chase Cunningham captured this in the Zero Trust eXtended (ZTX) Ecosystem report, which extends the original model to encompass today’s ever-expanding attack surface and the following elements and associated processes:
- People (also referred to as Identity)
Misconception #3: Zero Trust Means No Access Starting
When first introduced to Zero Trust, most people are confused by the notion that there is no trust at all: with Zero Trust, you wouldn’t be able to do anything. That’s understandable when you interpret the phrase literally and out of context.
However, Zero Trust doesn’t block access, but rather acknowledges that untrusted actors are already present inside the network. In turn, the initial steps in your Zero Trust strategy should be focused on:
- Granting access by verifying who is requesting access
- Understanding the context of the request
- Determining the risk of the access environment
- Auditing everything
- Applying adaptive security controls
Misconception #4: Zero Trust Means You Don’t Trust Your Employees
In the past, security practitioners trusted that insiders would always do the right thing and therefore focused most of their attention on keeping untrusted outsiders out, often basing their trust on validating IP addresses that have no real tie back to a user.
Today, this perimeter is indefensible. In a Zero Trust environment, the concept of trusted insiders versus untrusted outsiders is irrelevant, and we must accept the network as a hostile place – all users are on the network. The paradigm of implicit trust represents a huge vulnerability – one that attackers recognize very well and explicitly target.
With Zero Trust, security practitioners assume a Zero Trust baseline for their users, but elevate trust and grant additional rights based on confidence. A confidence level is a continuum that can more easily be assessed and continuously adapted.
It can take many contextual data points into consideration such as location, time of day, the device being used, or the degree to which the user’s behavior is considered “typical” for their role.
The degree of confidence might, for example, be high, medium, or low, or one through 10. A variety of outcomes can then be considered based on that ranking.
Misconception #5: Zero Trust Creates Bad User Experiences
The main impediment to adoption of identity-based security measures in the past has been the perceived impact on the productivity and agility of users.
This is where threat-based encryption and machine learning technology come into play. Threat-based encryption is oriented on user behavior, using artificial intelligence to identify and enforce access policy.
Access decisions can be made in real time through a combination of analytics, artificial intelligence, user profiles, and policy enforcement, such as removing authentication hurdles for low-risk access, stepping up authentication when risk is greater, or blocking access entirely.
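The confidence continuum from Misconception #4 and the real-time access decisions described above can be sketched as a small policy function. This is an added example, not code from the article or from any vendor; the names `Request`, `confidence` and `decide`, the signal weights, the thresholds and the sample user are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed policy data: weights and thresholds are illustrative assumptions.
USUAL_COUNTRIES = {"alice": {"DE"}}   # where each user normally signs in from
WORK_HOURS = range(7, 20)             # 07:00-19:59 local time
AUDIT_LOG = []                        # every decision is recorded ("audit everything")

@dataclass
class Request:
    user: str
    country: str
    hour: int                 # local hour of the request, 0-23
    managed_device: bool      # device is enrolled and compliant
    behavior_typical: float   # 0.0 (anomalous) .. 1.0 (typical for the role)
    privileged: bool          # target is a privileged account or resource

def confidence(req: Request) -> int:
    """Score 1..10 built from contextual signals; the baseline is the lowest level."""
    score = 1
    score += 2 if req.country in USUAL_COUNTRIES.get(req.user, set()) else 0
    score += 1 if req.hour in WORK_HOURS else 0
    score += 3 if req.managed_device else 0
    score += round(3 * req.behavior_typical)
    return min(score, 10)

def decide(req: Request) -> str:
    """Map the confidence level to an outcome and audit the decision."""
    score = confidence(req)
    # Privileged targets require more confidence before hurdles are removed.
    allow_at, step_up_at = (9, 6) if req.privileged else (7, 4)
    if score >= allow_at:
        outcome = "allow"            # low risk: no extra authentication hurdle
    elif score >= step_up_at:
        outcome = "step_up_mfa"      # higher risk: require stronger authentication
    else:
        outcome = "deny"             # too little confidence: block access
    AUDIT_LOG.append((req.user, score, req.privileged, outcome))
    return outcome
```

The same context (usual country, working hours, unmanaged device, typical behavior) yields `allow` for an ordinary resource and `step_up_mfa` for a privileged one, which is the adaptive behavior the text describes.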
Silo-based protection that centers on networks, firewalls and securing endpoints does not protect against all identity- and credential-based threats. Until we actually begin to implement security strategies centered on identity, account compromise will continue to provide ideal camouflage for data breaches.