Security Experts:

The (Re-)Emergence of Zero Trust

As we enter 2019, we are still facing massive cyber-attacks that expose the sensitive data of millions of people and hurt businesses both reputationally and financially. To address these challenges, the Zero Trust model has returned to the spotlight as more and more analyst firms have given it their stamp of approval. Contributing to the momentum, early adopters like Google have published Zero Trust success stories (Google's BeyondCorp initiative being the best known), detailing how the model has reduced their cyber risk exposure.

The Zero Trust model is not a new concept: it was first introduced in 2010 by Forrester Research in collaboration with the National Institute of Standards and Technology (NIST). It replaces the traditional "trust, but verify" approach with "never trust, always verify" as its guiding principle, and rests on the following three pillars:

• Ensuring that all resources are accessed securely, regardless of location. In other words, there is no longer a trusted zone: the fact that a request arrives from the internal network says nothing about whether it should be allowed.

• Applying a least privilege strategy and strictly enforcing access control. In Zero Trust, every user and device is initially untrusted and is granted only the access it needs, for only as long as it needs it.

• Inspecting and logging all traffic. Even traffic originating on the LAN is treated as suspect and is analyzed and logged exactly as if it came from the WAN.

Industry Momentum for Zero Trust

Since its inception, the Zero Trust concept and the benefits attributed to it have evolved significantly. Today, organizations use Zero Trust to drive strategic security initiatives and to give business decision makers and IT leaders a framework for implementing pragmatic prevention, detection and response measures.

Zero Trust is the talk of the security industry, with many vendors embracing it to market and position their products, as well as to guide their future road maps. Several recent M&A transactions were driven at least in part by the desire to add Zero Trust capabilities to the acquirer's portfolio (e.g., Cisco's $2.35 billion acquisition of Duo Security, and Okta's acquisition of ScaleFT). And while not all analyst firms use the same nomenclature, most, including Gartner (which promotes the term CARTA – Continuous Adaptive Risk and Trust Assessment), 451 Research, and KuppingerCole, embrace the Zero Trust approach for addressing today's threat landscape.

In addition, Zero Trust has evolved from a concept into a security framework adopted by a growing number of businesses and government agencies. According to IDG's 2018 Security Priorities Survey, 71 percent of security-focused IT decision makers are aware of the Zero Trust model, with 8 percent already using it in their organizations and a further 10 percent piloting it.

The Path to Zero Trust Starts with Identity

Implementing Zero Trust is a journey that cannot be completed overnight, but it also does not require a complete redesign of the existing network architecture like the one Google performed for BeyondCorp. It can be achieved by gradually modifying the current infrastructure over time. From a technology perspective, the Zero Trust framework consists of a variety of components designed to secure the network, data, workloads, people/workforce, and devices, while also providing visibility into security threats, automating and orchestrating remediation, and interconnecting via APIs.

There are many starting points on the path to Zero Trust. One driving principle, however, should be that the easiest way for attackers to reach sensitive data is by compromising a user's identity. Things get even worse if the stolen identity belongs to a privileged user with broad access, i.e., "the keys to the kingdom". According to Forrester Research, 80 percent of security breaches involve privileged credentials, and according to Gartner, 65 percent of enterprises allow the unrestricted, unmonitored, and shared use of privileged accounts.

Until organizations implement identity-centric security measures, account compromise will continue to provide perfect camouflage for data breaches: an attacker using valid credentials looks like a legitimate user. For most organizations, the path to Zero Trust should therefore start with identity. In fact, Gartner recommends putting Privileged Access Management at the top of an organization's list of security projects.

Acknowledging that untrusted actors are already present inside the network means moving to a security model in which access is granted on a least privilege basis. This Zero Trust Privilege approach implements the following elements:

• Verify Who

• Contextualize the Privileged Access Request

• Establish a Secure Admin Environment

• Grant Least Privilege

• Audit Everything

• Apply Adaptive Security Controls
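The three pillars and the six Zero Trust Privilege elements above are principles rather than mechanisms, so the following added example shows what they look like as a single policy decision: a small policy decision point that evaluates a privileged access request. This is illustrative code written for this article, not Centrify's product or any vendor's API. The role catalog, the 10.0.0.0/8 corporate range, the risk scoring and thresholds, the session-lifetime formula and the field names are all assumptions made for the example.

```python
import ipaddress
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Hypothetical role catalog (assumed for this example): the narrowest roles a
# target exposes, each with a maximum session lifetime in minutes.
ROLE_CATALOG = {
    "db-readonly": {"risk": "low", "max_ttl_minutes": 480},
    "db-admin": {"risk": "high", "max_ttl_minutes": 60},
}

# Corporate address space (assumed). Under Zero Trust it is NOT a trusted zone:
# a request from it gets no free pass, it is only one contextual signal.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

AUDIT_LOG: List[dict] = []  # every decision, allow or deny, lands here


@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool          # identity proofed with a second factor (verify who)
    device_managed: bool        # device enrolled in management (secure admin environment)
    device_compliant: bool      # device passes posture checks (patched, encrypted, ...)
    source_ip: str
    requested_role: str
    target: str                 # the one system the session is scoped to
    change_ticket: Optional[str] = None  # justification for high-risk access


@dataclass
class Decision:
    allowed: bool
    reason: str
    granted_role: Optional[str] = None
    target: Optional[str] = None
    expires_at: Optional[str] = None
    step_up_required: bool = False   # tells the caller to ask for MFA / a ticket


def _in_corporate_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def _audit(req: AccessRequest, decision: Decision, now: datetime) -> None:
    """Audit everything: denied requests are recorded with the same detail as grants."""
    AUDIT_LOG.append({"ts": now.isoformat(), "request": asdict(req), "decision": asdict(decision)})


def evaluate(req: AccessRequest, now: datetime) -> Decision:
    role = ROLE_CATALOG.get(req.requested_role)
    if role is None:
        decision = Decision(False, "unknown role")
    # Verify who: no second factor, no privileged access, regardless of source network.
    elif not req.mfa_verified:
        decision = Decision(False, "MFA required", step_up_required=True)
    # Secure admin environment: privileged sessions only from managed, compliant devices.
    elif not (req.device_managed and req.device_compliant):
        decision = Decision(False, "device not managed or non-compliant")
    else:
        # Contextualize the request: build a risk score from the available signals.
        risk = 0
        if role["risk"] == "high":
            risk += 2
        if not _in_corporate_net(req.source_ip):
            risk += 1
        # Adaptive control: high-risk access from outside needs a change ticket.
        if risk >= 3 and not req.change_ticket:
            decision = Decision(False, "high-risk access needs a change ticket", step_up_required=True)
        else:
            # Grant least privilege: one role, one target, time-bound, shorter as risk rises.
            ttl = timedelta(minutes=role["max_ttl_minutes"] // (1 + risk))
            decision = Decision(True, "granted", req.requested_role, req.target,
                                (now + ttl).isoformat())
    _audit(req, decision, now)
    return decision


if __name__ == "__main__":
    # Constructed sample requests, not real data.
    now = datetime(2019, 1, 15, 9, 0, tzinfo=timezone.utc)
    samples = [
        AccessRequest("alice", True, True, True, "10.1.2.3", "db-readonly", "prod-db-01"),
        AccessRequest("alice", False, True, True, "10.1.2.3", "db-admin", "prod-db-01"),
        AccessRequest("alice", True, True, True, "203.0.113.5", "db-admin", "prod-db-01"),
        AccessRequest("alice", True, True, True, "203.0.113.5", "db-admin", "prod-db-01", "CHG-1234"),
    ]
    for s in samples:
        print(evaluate(s, now))
    print(json.dumps(AUDIT_LOG, indent=1))
```

Note what the example does not do: it never grants access because the source address is internal, it never grants a role broader than the one requested, and a denied request produces exactly the same audit record as a granted one. Those three properties are the practical difference between a Zero Trust policy and a perimeter firewall rule with an MFA prompt bolted on.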

Ultimately, Zero Trust challenges and eliminates the inherent trust assumptions in traditional security measures that leave organizations vulnerable to external and internal attacks. With privileged access abuse being the leading cause of today's breaches, organizations considering a Zero Trust model should start their journey by investing in identity-related technologies.

Torsten George is currently a security evangelist at Centrify. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He has more than 20 years of global information security experience and is a frequent speaker on cyber security and risk management strategies. Torsten regularly provides commentary and publishes articles on data breaches, incident response best practices, and cyber security strategies in media outlets. He has held executive level positions with RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).