Identity & Access

Cyber Security’s New Center Point: Zero Trust

Every year, thousands of companies are breached and billions of data records exfiltrated by cyber adversaries, leading in extreme cases to business closures, geopolitical setbacks, or citizens’ loss of confidence in the integrity of their countries’ electoral procedures.


When conducting post-mortem analysis, it becomes apparent that none of these breaches were highly sophisticated. Instead, they exploited weak, stolen, or compromised credentials. Identities, and the trust we place in them, are being used against us. They have become the Achilles' heel of our cyber security practices. To address these shortcomings, the use of a Zero Trust model has gained a lot of industry momentum over the last year. According to IDG's 2018 Security Priorities Survey, 71 percent of security-focused IT decision makers are aware of the Zero Trust model, with 8 percent already actively using it in their organizations and 10 percent piloting it.

The Zero Trust model, first introduced in 2010 by Forrester Research in collaboration with the National Institute of Standards and Technology (NIST), is not a new concept. Based on research findings, Forrester analyst John Kindervag concluded that inherent trust assumptions in traditional security measures leave organizations vulnerable to external and internal attacks. Zero Trust is a security concept centered on the belief that organizations should not inherently trust entities inside or outside their perimeters, and instead should verify every request to connect to their systems before granting access.

The original concept of Zero Trust was a data-centric network design that leveraged micro-segmentation to enforce more granular rules and ultimately limit lateral movement by attackers. Since its inception, the concept of Zero Trust and its benefits have evolved significantly. Nowadays, Zero Trust is being used by organizations to drive strategic security initiatives and enable business decision makers and IT leaders to implement pragmatic prevention, detection, and response measures.

The Zero Trust eXtended Ecosystem

The biggest evolution of the Zero Trust model has been captured by Forrester Research analyst Dr. Chase Cunningham, who published the Zero Trust eXtended (ZTX) Ecosystem report, which extends the original model beyond its network focus to encompass today’s ever-expanding attack surface and the following elements and associated processes: 

• Networks – Segment, isolate, and control the network.

• Data – Secure and manage the data, categorize and develop data classification schemas, and encrypt data both at rest and in transit. 

• Workloads – Apply Zero Trust controls to the entire application stack, covering the app layer through the hypervisor or self-contained components of processing (i.e., containers, virtual machines). 

• Devices – Isolate, secure, and always control every device on the network.

• People (a.k.a. Identity) – Limit and strictly enforce the access of users and secure those users.  

Applying security controls to each of the above-mentioned elements provides a roadmap to Zero Trust. However, one driving principle should be the knowledge that the easiest way for cyber-attackers to gain access to sensitive data is by compromising a user’s identity. Things get even worse if a stolen identity belongs to a privileged user who has even broader access, or “the keys to the kingdom”. In fact, 80 percent of security breaches involve privileged credentials, according to Forrester Research. 

The Path to Zero Trust Starts with Identity 

To limit an organization’s cyber risk exposure to the #1 cause of today’s data breaches ― privileged access abuse ― consider the following actions:

1. Discover and Vault – Identify all privileged accounts and resources and vault away those privileged credentials so that they are properly managed. 

2. Identity Consolidation with Least Access and Privilege – Vaulting alone is not enough. Phase two involves reducing the attack surface by consolidating identities and eliminating local accounts as much as possible, then implementing privilege elevation controls as well as a workflow for just-in-time privileged access. One of the lowest-hanging fruits is to implement basic multi-factor authentication (MFA) for all privileged users.

3. Harden the Environment with High Assurance – The final phase involves hardening the environment by air-gapping admin accounts as recommended in the Microsoft Enhanced Security Administrative Environment (ESAE) guidelines. In addition, lock down any dangerous workarounds by implementing host-based monitoring and advanced behavioral analytics, and add Assurance Level 3 MFA for the most sensitive environments.
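As an added illustration (not code from the article or its author), the following Python sketch shows what the per-request verification described above looks like once phases two and three are in place: network location is never consulted, the MFA assurance level required rises with resource sensitivity, and privileged access exists only as a short-lived just-in-time grant rather than standing rights. The resource names, tier labels and the AAL-to-tier mapping are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed inventory; tier names are this example's own convention, with
# "critical" standing in for the article's "most sensitive environments".
RESOURCES = {"wiki": "standard", "hr-share": "privileged", "prod-db-admin": "critical"}
MIN_MFA = {"standard": 1, "privileged": 2, "critical": 3}  # min AAL (NIST SP 800-63B) per tier
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)       # fixed clock for the demo

@dataclass
class Request:
    user: str
    roles: frozenset
    mfa_level: int          # 0 = password only, 1..3 = assurance level achieved
    device_compliant: bool
    source: str             # "corp-lan" or "internet"; deliberately never consulted
    resource: str
    jit_grants: dict = field(default_factory=dict)  # resource -> grant expiry (UTC)

def decide(req, now=None):
    """Evaluate one request on its own merits; returns (allowed, reason). Default deny."""
    now = now or datetime.now(timezone.utc)
    tier = RESOURCES.get(req.resource)
    if tier is None:
        return False, "unknown resource"
    if not req.device_compliant:
        return False, "device not compliant"
    if req.mfa_level < MIN_MFA[tier]:
        return False, f"{tier} tier needs AAL{MIN_MFA[tier]}, got AAL{req.mfa_level}"
    if tier == "standard":
        return True, "ok"
    # Privileged/critical tiers have no standing access: admin role + unexpired JIT grant for this resource.
    if "admin" not in req.roles:
        return False, "admin role required"
    if req.jit_grants.get(req.resource, now) <= now:  # missing grant == expired grant
        return False, "no active just-in-time grant"
    return True, "ok"

def issue_jit_grant(req, resource, minutes, now):
    """Record a short-lived elevation (the approval workflow step of phase two)."""
    req.jit_grants[resource] = now + timedelta(minutes=minutes)
    return req.jit_grants[resource]

def demo():
    alice = Request("alice", frozenset({"admin"}), 3, True, "corp-lan", "prod-db-admin")
    before = decide(alice, T0)[0]                      # no grant yet: denied despite LAN + AAL3
    issue_jit_grant(alice, "prod-db-admin", 30, T0)
    during = decide(alice, T0)[0]                      # grant active: allowed
    after = decide(alice, T0 + timedelta(hours=1))[0]  # grant expired: denied again
    return [before, during, after]
```

Running demo() returns [False, True, False]: the same admin on the corporate LAN with strong MFA is still refused until a time-boxed grant exists, and is refused again once it lapses.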

Shifting traditional perimeter-based enterprise security strategies to a Zero Trust approach provides more robust prevention, detection, and incident response capabilities to protect continuously expanding attack surfaces, including cloud, big data lakes, DevOps, containers, and microservices. Following this path allows organizations to defend against advanced threats and limit the impact of breaches, supports new business and operational models, and enables compliance (e.g., FISMA, HIPAA, PCI).

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
