Debunking Five Myths about Zero Trust

When conducting post-mortem analysis, it becomes apparent that the majority of today’s data breaches are not highly sophisticated. Cyber-criminals no longer hack into enterprise networks, they simply log in using weak, stolen, or otherwise compromised credentials.

Once inside the target network, they expand their attack and move laterally, hunting for privileged accounts and credentials that help them gain access to the organization’s most critical infrastructure and sensitive data. 

It only takes one compromised credential to potentially impact millions -- of individuals and/or dollars. Undeniably, identities and the trust we place in them are being used against us.

According to a recent study by Centrify, 74 percent of respondents whose organizations have been breached acknowledged that it involved access to a privileged account. This aligns with Forrester Research’s estimate that, “at least 80 percent of data breaches have a connection to compromised privileged credentials.”

Zero Trust, a concept introduced in 2010 by Forrester in collaboration with the National Institute of Standards and Technology (NIST), demands that organizations not inherently trust entities inside or outside its perimeters, instead should verify all requests to connect to its systems before granting access. Zero Trust is an antidote for outdated security strategies, but its evolution over the last decade and recent buzz have created some misconceptions that are impeding adoption. 

Myth #1: Zero Trust has Jumped the Shark
After going dormant for years, the Zero Trust model has returned to the spotlight with recent analyst endorsements, vendor hype, and success stories from early adopters like Google. The latest contribution to the Zero Trust model comes from the Identity Defined Security Alliance (IDSA), an industry alliance of over two-dozen identity and security vendors, who have augmented the definition of Zero Trust to align with identity-centric security principles, with success stories from Adobe and LogRhythm.

According to IDG’s 2018 Security Priorities Survey, 71 percent of security-focused IT decision makers are aware of the Zero Trust model, and eight percent are already actively using it in their organizations, while another ten percent are piloting it. Thus, we’re still in the early stages of the hype cycle with adoption expected to rise even further in the years to come.

Myth #2: Zero Trust is Solely Focused on Networks
The Zero Trust model was initially focused primarily on network segmentation and least privilege, but it has evolved into a complete framework with practical guidance for implementing a complete strategy for any organization.

This evolution accounts for technological advancements like cloud, Big Data, containers, micro services, etc. Forrester analyst Dr Chase Cunningham captured this in the Zero Trust eXtended (ZTX) Ecosystem report, which extends the original model to encompass today’s ever-expanding attack surface and the following elements and associated processes: 

  • Networks
  • Data
  • Workloads
  • Devices
  • People (also known as Identity)

Myth #3: Zero Trust Means Starting with No Access
When introduced to Zero Trust for the first time, most people look puzzled saying there’s no such thing - with Zero Trust you wouldn’t be able to do anything. That’s reasonable when you interpret the phrase literally and out of context. 

However, Zero Trust doesn’t block access, but rather acknowledges that untrusted actors are already present inside the network. In turn, the initial steps in your Zero Trust strategy should be focused on:

  • Granting access by verifying who is requesting access
  • Understanding the context of the request
  • Determining the risk of the access environment
  • Auditing everything
  • Applying adaptive security controls

Myth #4: Zero Trust Means You Don’t Trust Your Employees
In the past, security practitioners trusted that insiders would always do the right thing and therefore focused most of their attention on keeping the untrusted outsiders out and often basing their trust on validating IP addresses that have no real tie back to a user.

Today, this perimeter is indefensible. In a Zero Trust environment, the concept of trusted insiders versus untrusted outsiders is irrelevant and we must accept the network as a hostile place - all users are on the network. The paradigm of implicit trust represents a huge vulnerability - one that attackers recognize very well and explicitly target.

With Zero Trust, security practitioners assume a Zero Trust baseline for their users but elevate trust and grant additional rights based on confidence. A confidence level is a continuum that can more easily be assessed and continuously adapt. It can take many contextual data points into consideration such as location, time of day, device being used, or the degree to which the user’s behavior is considered “typical” for their role.

The degree of confidence might, for example, be high, medium, or low, or one through 10. A variety of outcomes can then be considered based on that ranking. 

Myth #5: Zero Trust Creates Bad User Experiences
The main impediment for adoption of identity-based security measures in the past has been the perceived impact on the productivity and agility of users. 

That’s where the use of risk-based authentication and machine learning technology comes into play. Risk-based authentication uses machine learning to define and enforce access policy, based on user behavior. Through a combination of analytics, machine learning, user profiles, and policy enforcement, access decisions can be made in real time, like eliminating authentication challenges for low risk access, stepping up authentication when risk is higher, or block access entirely. 

Perimeter-based security, which focuses on securing endpoints, firewalls, and networks, provides no protection against identity and credential-based threats. Until we start implementing identity-centric security measures, account compromise attacks will continue to provide a perfect camouflage for data breaches.

What’s Hot on Infosecurity Magazine?