Cybercrime is a major threat to every industry and organization in the world. No wonder global entities are desperately seeking a silver bullet that can somehow neutralize cybersecurity threats. Right now, the cybersecurity industry is abuzz with “zero trust,” a catchphrase described as a panacea for all security woes. Even the Biden administration announced a zero-trust framework for all federal networks and systems. That said, there is growing confusion surrounding the topic, so businesses should understand what zero trust is and isn’t.
What is ‘zero trust’?
Today’s networks have evolved from being contained environments to becoming vast decentralized architectures. In line with this evolution, “zero trust” is an evolved security concept that aims to shift the focus away from the traditional perimeter model to a data-centric one. Essentially, it provides a more proactive response to the protection of resources.
Think of it this way: Your crown jewels (data) are in your house, and the fence, main door and windows are designed to protect your crown jewels. Should attackers bypass these traditional defenses, there isn’t a mechanism in place to sound an alarm when they move from room to room hunting for targets. Zero trust is designed to do just that, via the principle of “never trust, always verify.” Zero trust aims to minimize attackers’ lateral movement (the techniques used to move across the network).
Given a perimeter-less environment, think of zero trust as additional sensors that help provide faster breach detection, better control and greater insight into network activity.
Five Common Myths And Misconceptions About Zero Trust
I’ve found there are a number of misconceptions business leaders often hold surrounding zero trust. Here are the top five:
Myth 1: Zero trust means you don’t trust people.
Zero trust does not imply that businesses must not or will not trust their employees. It’s actually about authenticating and validating any access request before authorizing access to the resource. Instead of defaulting to trusted access, zero trust treats the network as a hostile environment (including security devices like firewalls) in which all requests to resources are considered as potential escalations or breach attempts.
Myth 2: Zero trust is something you can buy off-the-shelf.
Zero trust isn’t a product that, once purchased, can automatically transform the buyer into a zero-trust organization. Even though there are several products on the market that certainly claim to do so, no single product in isolation can create a zero-trust environment. Zero trust isn’t a product feature or an architecture component but an entire security strategy. It’s not a switch that can be turned on or off.
Myth 3: Zero trust is just good security basics.
There is probably some element of truth in the idea that zero trust is about getting “security basics done right.” However, it’s more than that. It’s about a shift in mindset, a culture change, a top-down commitment from the entire organization. Much like digital transformation, zero trust is a radical shift in how the organization does things and needs to be executed after a great deal of planning and with a long-term perspective in mind.
Myth 4: Zero trust is all about identity.
The idea of zero trust did originate from identity and access management. However, to call it just that is an oversimplification. Identity in a zero-trust world is the new perimeter and can refer not just to an individual but also to a network entity, device or anything that can perform any action. Zero trust can also take into account contextual information like time of day, type of device, location, type of resource, posture checks, etc. while authorizing access to a resource.
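The per-request, context-aware authorization described under Myths 1 and 4, sketched as an added example (not part of the original article). The policy table, resource names and field names are all hypothetical; the point is that every request is evaluated against identity and context, and the default answer is deny.

```python
from dataclasses import dataclass
from datetime import time

# Hypothetical policy table, constructed for this example: for each resource,
# the roles, device types, countries and hours under which access is allowed.
POLICY = {
    "payroll-db": {
        "roles": {"finance"},
        "device_types": {"managed-laptop"},
        "countries": {"US"},
        "hours": (time(7, 0), time(19, 0)),
        "require_healthy_posture": True,
    },
    "wiki": {
        "roles": {"finance", "engineering"},
        "device_types": {"managed-laptop", "managed-phone"},
        "countries": {"US", "CA"},
        "hours": (time(0, 0), time(23, 59)),
        "require_healthy_posture": False,
    },
}

@dataclass(frozen=True)
class Request:
    subject: str            # a person, service or device: any acting identity
    authenticated: bool     # result of a fresh authentication check
    role: str
    device_type: str
    posture_healthy: bool   # e.g. patched and disk-encrypted (assumed signal)
    country: str
    local_time: time
    resource: str

def authorize(req):
    """Return (allowed, reasons). Default deny: every check must pass."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, ["no policy for resource"]
    start, end = rule["hours"]
    checks = [
        (req.authenticated, "identity not authenticated"),
        (req.role in rule["roles"], "role not permitted"),
        (req.device_type in rule["device_types"], "device type not permitted"),
        (req.country in rule["countries"], "location not permitted"),
        (start <= req.local_time <= end, "outside permitted hours"),
        (req.posture_healthy or not rule["require_healthy_posture"],
         "device posture check failed"),
    ]
    reasons = [msg for ok, msg in checks if not ok]
    return not reasons, reasons
```

The returned reasons are what a detection team would log for each denied request, which is where the "additional sensors" view of zero trust comes from.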
Myth 5: Zero trust creates friction.
Security has historically had a reputation problem and is sometimes considered counterproductive. This is due to various reasons, such as misalignment between management and security teams, with security staff often resorting to a piecemeal approach instead of a holistic one. In the ideal scenario, zero trust has the potential to streamline, adapt and integrate secure behavior, not the other way around. Research shows that almost half of cybersecurity professionals still lack confidence in applying the zero-trust model.
Much like digital transformation, the journey to zero trust will be different for every organization and may require a complete overhaul of the current security mindset, hardware and software to achieve the ideal business outcome. For businesses to maximize the power of zero trust, they must first start with a commitment to cybersecurity, thoroughly understand the concept and carry out a detailed evaluation of the business’s readiness to go down the path of cybersecurity maturity.