Don’t Put All Your Trust in “Zero Trust”


When it comes to personal issues like losing weight or curing illness, we all love the idea of the “silver bullet”—a perfect, easy solution that solves all problems instantly. And let’s face it, the business world isn’t much different. Who wouldn’t love to hear that there is a “killer app” that can solve all your problems at once? Unfortunately, life is almost always more complicated.

A buzzword you’ve probably heard a lot recently is “zero trust.” Supposedly, embracing the zero trust model will guarantee that your data is protected. No more worries about seeing your name in the headlines as the latest victim of a hack. Life is beautiful!

There’s no doubt that zero trust has a lot to offer when it comes to strengthening your security posture. But it’s essential that you go in with your eyes wide open. Can zero trust improve your cybersecurity? Very possibly! Is it a silver bullet that renders all other efforts obsolete? Alas, the answer is a definite “no way.”

Let’s look at zero trust in detail. What is it, what are its benefits, and what are the potential pitfalls you need to be aware of?

What is Zero Trust?

Zero trust is an approach to security that assumes that threats exist both inside and outside the network. It operates on the fundamental principle of “never trust, always verify.” Unlike traditional security models that place trust in users and devices once they are inside the network perimeter, zero trust continually verifies and authenticates every user, device, and application, regardless of location.

Think of it this way: traditional cybersecurity functions a bit like the protections around a medieval castle. Sure, you’ve got high walls and a moat with some alligators in it…but once you get past those protections, everything is basically open. The zero trust model doesn’t get rid of the moat, but it adds gates, locked doors, and inquisitive guards inside the castle walls.

The Development of Zero Trust

The zero-trust concept didn’t spring fully grown from the head of Zeus; it has evolved over the years in response to the changing threat landscape and the shortcomings of traditional security models. The term was coined by John Kindervag, a Forrester Research analyst, in 2010. Kindervag realized that the traditional perimeter-based security approach was no longer effective against advanced threats, such as insider threats and targeted attacks.

The zero-trust model gained momentum as organizations began to acknowledge its effectiveness in countering modern cybersecurity threats. In 2018, the National Institute of Standards and Technology (NIST) released a Special Publication on Zero Trust Architecture, further validating its significance in the cybersecurity domain.

Benefits of Zero Trust

Many cybersecurity experts are singing the praises of zero trust lately, and for some very good reasons.

1. Enhanced Security Posture

The primary benefit of zero trust is its ability to provide a more robust and resilient security posture. By constantly verifying and authenticating users and devices, organizations minimize the risk of unauthorized access to sensitive data and systems.

2. Granular Access Control

Rather than relying on broad, network-wide permissions, zero trust allows organizations to implement granular access controls. Organizations can define and enforce fine-grained access policies based on user roles, device trustworthiness, and contextual information.

3. Improved Compliance

Many industries and regulatory bodies require strict compliance with security standards. Zero trust can help organizations meet these requirements by providing a comprehensive framework for security controls and monitoring.

4. Adaptability and Flexibility

Zero trust is not limited by the physical network perimeter. It adapts to the modern workplace and its varied computing environments, which include remote work, mobile devices, and cloud-based services. This flexibility allows organizations to embrace new technologies without compromising security.

5. Reduced Attack Surface

With zero trust, the attack surface is significantly reduced. In other words, attackers no longer have free rein within the network once they breach the perimeter, making lateral movement more difficult and time-consuming.

Challenges and Downsides of Zero Trust

Numerous surveys have found that companies of all sizes and shapes are preparing to jump into zero trust with both feet. That’s all well and good, but it’s important to keep in mind the observations of Gartner analysts in their report on zero trust: more than half of future cyber attacks will be aimed at parts of a network that zero trust does not protect. In the words of analyst John Watts:

“There are two big issues with zero trust. One is scope, like legacy technology, or shadow IT. A second big issue is that there are attacks that bypass zero trust controls.”

While zero trust offers numerous important advantages, it’s essential to acknowledge the challenges and potential downsides your organization may encounter.

1. Complexity

Implementing a zero-trust architecture can be complex and resource-intensive. It requires a comprehensive understanding of an organization’s network, applications, and user behavior. This complexity can lead to challenges in planning, deployment, and ongoing management.

2. User Experience

The constant need for verification and authentication may create a less seamless (read: frustrating!) user experience. Users may find the frequent login prompts and authentication processes cumbersome, potentially impacting productivity. What’s more, some studies have found that if employees believe their company’s security protocols to be excessive, they often invent their own workarounds. These shortcuts may be time-saving, but they may also make your network less secure than when you started!

3. Third-Party Vendors

It’s a rare business these days that has no interconnections with any outside vendors. What happens when you implement a rigorous zero trust model across your entire network, only to discover that an essential third-party vendor—say, your cloud services—doesn’t have zero-trust capabilities?

4. Cost

Implementing and maintaining a zero-trust architecture can be costly. Organizations need to invest in advanced security technologies, training for staff, and ongoing monitoring and maintenance.

5. False Positives

Zero trust relies heavily on behavioral analytics and anomaly detection. While these methods are effective, they can sometimes generate false positives, leading to unnecessary security alerts and user disruptions.

6. Legacy Systems and Shadow IT

Organizations with legacy systems may face challenges when trying to implement zero trust. Retrofitting older technology can be difficult and costly… and is sometimes not even possible. The notion of shadow IT, as raised by John Watts in the quote above, is also an important consideration. How do you implement zero trust on devices that employees bring from home? (Hint: you probably can’t.)

7. Skill Shortage

Finding cybersecurity professionals with expertise in zero trust can be challenging. As organizations adopt this model, there is a growing demand for skilled professionals who can design, implement, and manage zero-trust architectures.

8. The Human Element

Last but definitely not least is the perpetual risk posed by your own staff—a risk that zero trust may mitigate but will never eliminate. As hackers increasingly rely on social engineering (aka, good old-fashioned trickery), the potential for damage will always exist: zero trust can’t always stop a well-intentioned employee from clicking a link they absolutely shouldn’t have. It also can’t necessarily stop an executive with high-level privileges and a grudge against your firm.
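
The granular access control described under Benefits, and the scope, false-positive and insider limits described under Challenges, can all be seen in one small per-request policy check. This is an added illustration, not code from this article or from any product; the policy table, resource names, users and risk thresholds are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical policy: per-resource roles, device requirement, and risk ceiling.
POLICY = {
    "payroll-db": {"roles": {"finance"}, "managed_only": True, "max_risk": 30},
    "wiki": {"roles": {"finance", "engineering"}, "managed_only": False, "max_risk": 70},
}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    device_managed: bool  # device trustworthiness, e.g. enrolled and patched
    risk: int             # contextual score, 0 (normal) to 100 (anomalous)

def decide(req):
    """Evaluated on every request, not once at the perimeter."""
    rule = POLICY.get(req.resource)
    if rule is None:
        # Legacy system or shadow IT: no enforcement point sits in front of it,
        # modelled here as "unenforced" rather than as a deny.
        return ("unenforced", "outside zero trust scope")
    if req.role not in rule["roles"]:
        return ("deny", "role not permitted")
    if rule["managed_only"] and not req.device_managed:
        return ("deny", "unmanaged device")
    if req.risk > rule["max_risk"]:
        # May be a false positive, e.g. a legitimate user who is travelling.
        return ("step-up", "risk above threshold")
    return ("allow", "all checks passed")

# Constructed sample requests.
SAMPLES = [
    Request("alice", "finance", "payroll-db", True, 10),
    Request("alice", "finance", "payroll-db", False, 10),   # personal laptop
    Request("bob", "engineering", "payroll-db", True, 10),
    Request("alice", "finance", "payroll-db", True, 55),    # unusual location
    Request("bob", "engineering", "legacy-erp", True, 10),  # no policy exists
    Request("cfo", "finance", "payroll-db", True, 5),       # insider with a grudge
]

def run_samples():
    return [decide(r)[0] for r in SAMPLES]

if __name__ == "__main__":
    for r in SAMPLES:
        print(f"{r.user:6} -> {r.resource:10} {decide(r)}")
```

The last two samples are the ones to watch: the legacy system is never evaluated at all, and the privileged insider is allowed because every signal the policy can see is legitimate.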

Good News and Bad News

The zero-trust model represents a significant advancement in cybersecurity strategy, offering a proactive approach to protect sensitive data and systems. While it brings many benefits, including enhanced security and granular access control, organizations must also consider the challenges and potential downsides.

Ultimately, the decision to embrace zero trust should be based on an organization’s specific needs, risk profile, and resources. It is not a one-size-fits-all solution, but rather a comprehensive security framework that can be tailored to meet the unique requirements of each organization. As the threat landscape continues to evolve, zero trust is likely to play an increasingly critical role in safeguarding digital assets and maintaining the trust of customers and stakeholders. That said, you should never consider zero trust to be a panacea for all your cybersecurity challenges.

At TMG we are guardedly optimistic about zero trust. We would love to talk to you about what the model can and can’t do for your organization.

