The Misconceptions of Zero Trust
Cybersecurity is an industry with a lot of buzz words, which is why we’re kicking off our “Misconceptions of Identity Security” series. One of the most popular terms right now is “Zero Trust.” The concept of “never trust, always verify” makes sense as traditional network boundaries have all but disappeared while threats become more sophisticated and harder to detect. However, there is still no one over-arching construct of what Zero Trust is, and with it come a lot of misconceptions that could actually be detrimental to your cybersecurity plan.
A Brief History of Zero Trust
The term was created in 2010 by Forrester research John Kindervag in a report, “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security.” In it, Kindervag wrote, “There is a simple philosophy at the core of Zero Trust: Security professionals must stop trusting packets as if they were people. Instead, they must eliminate the idea of a trusted network (usually the internal network) and an untrusted network (external networks). In Zero Trust, all network traffic is untrusted. Thus, security professionals must verify and secure all resources, limit and strictly enforce access control, and inspect and log all network traffic.”
In the eleven years since the concept of Zero Trust was introduced, its popularity as a security solution has been rising steadily. Check out the agenda for any cybersecurity conference of the past three or four years, and you’ll see plenty of sessions on Zero Trust.
“Despite its overuse as a marketing term, zero trust’s popularity raises awareness about problems with how we’ve been approaching security and draws attention to areas of weakness, which is valuable,” Evan Gilman, co-author of Zero Trust Networks, told TechTarget.
What Exactly Is Zero Trust?
Although “never trust, always verify” seems straight forward, IT and security leaders and vendors have not yet pinned down a singular definition on what Zero Trust is, leading to confusion and misconceptions.
According to Steve Turner, a Forrester analyst, Zero Trust is a security strategy, not a security solution. “Organizations need to build a strategy to get to a Zero Trust architecture that encompasses more than technology and buzzwords,” he said in a blog post.
Gartner defined Zero Trust “as an adjective to classify specific implementations, such as Zero Trust Network Access, or ZTNA, which describes client-to-application transactions without the need for inherently trusted networks,” according to Info-Security Magazine.
Others see Zero Trust as a tool to include in their cloud offerings or a replacement for VPNs or a PAM solution. Until there is a true definition, it’s difficult to identify what the right Zero Trust approach is, and as long as that confusion is there, it will be almost impossible to pin down the best Zero Trust strategy or tool.
“I’m Zero Trust!” “No, I’m Zero Trust!”
Without a clear-cut, industry-wide definition, it allows cybersecurity vendors to claim they use Zero Trust in their platforms, but again, that offers a broad range of what Zero Trust focuses on.
Without a traditional perimeter to protect, the focus on security turns to data. The perimeter for data is identity. Yet, some companies have narrowed that approach to only focus on user verification and/or authentication rather than for all identities and all markers of identity. Credential theft has made it easier for threat actors to use real verification methods to mimic an identity. Zero Trust has to go deeper to recognize identities in context.
“If Zero Trust was equal to MFA (as many vendors claim), then neither the Snowden nor Manning breaches would have been able to happen. They had very robust MFA and identity solutions, but no one looked at their packets post-authentication,” Kindervag told TechRepublic.
Going Beyond Identity
Zero Trust begins with confirming identities, but it is also essential to secure machines and devices on the corporate network and confirm and protect digital transactions. NIST published a standard for Zero Trust architecture, which offers a guideline for building what’s needed to create a Zero Trust framework.
What your Zero Trust architecture should aim to accomplish is verification of everything touching the network – every user, device, interaction, workload, application, etc. That includes relying on tools that offer passwordless authentication (nothing is less trustworthy than passwords, after all), secure management of every machine accessing the network (eliminating threats coming from Shadow IT and BYOD), and verification of legitimate versus phishing email.
The passwordless authentication should be applied across the entire corporate network landscape. Admittedly, this is easier said than done because users are accustomed to password login and businesses struggle to find the right tool to offer passwordless options. Enter public key infrastructure (PKI) certificates, which supports multi-factor authentication with digital signatures and encryption for every device, user, and application.
PKI certificates help to verify every email, letting users verify between legitimate messages and phishing scams, for example. It also lets companies keep up with the speed of the digital transformation, with more devices and applications with network access. Traditionally, each device and application would be one more password. With a cloud-based, automated PKI solution, companies can scrap the password and apply a real Zero Trust solution.
Zero Trust is for any company, no matter its size. You don’t need to rip out your current security infrastructure and replace it with an entirely new architecture, but instead build on the foundation that is already there. Zero Trust is an ideal solution for on-premise deployment and for cloud.
Zero Trust continues to evolve as the threat landscape evolves, but as long as data needs protected and identities make up the new perimeter, the concept of never trust, always verify is a good place to build a security strategy.
More questions on Zero Trust? Reach out to our team to get your questions answered.