The (Re-)Emergence of Zero Trust

As we enter 2019, we’re still facing massive cyber-attacks that expose the sensitive data of millions of people and impact businesses both from a reputational and material perspective. To address these challenges, the use of a Zero Trust model has returned to the spotlight after more and more analyst firms provided their stamp of approval. Contributing to the momentum, early adopters like Google have published Zero Trust success stories, detailing the benefits it has provided when it comes to minimizing their cyber risk exposure. 

The Zero Trust model, first introduced in 2010 by Forrester Research in collaboration with the National Institute of Standards and Technology (NIST), is not a new concept. Instead of using the traditional approach of “trust, but verify”, the Zero Trust model implements “never trust, always verify” as its guiding principle. The Zero Trust model is based on the following three pillars: 

• Ensuring that all resources are accessed securely, regardless of location (in other words, there is no longer a trusted zone).

• Applying a least privilege strategy, and strictly enforcing access control. In Zero Trust, all users are initially untrusted. 

• Inspecting and logging all traffic. Even traffic originating on the LAN is assumed to be suspicious and is analyzed and logged just as if it came from the WAN.

Industry Momentum for Zero Trust

Since its inception, the concept of Zero Trust and its benefits have evolved significantly. Nowadays, Zero Trust is being used by organizations to drive strategic security initiatives and enable business decision makers and IT leaders to implement pragmatic prevention, detection and response measures. 

Zero Trust is the talk of the security industry, with many thought leaders embracing and using it to market and position their products, as well as guide their future road maps. Several recent M&A transactions were even driven by the desire to incorporate Zero Trust capabilities into the acquirer’s technology portfolio (e.g., Cisco’s $2.35 billion acquisition of Duo Security, Okta’s acquisition of ScaleFT). And while not all analyst firms use the same Zero Trust nomenclature, most, including Gartner (which promotes the term CARTA – Continuous, Adaptive, Risk and Trust Assessment), 451 Research, and KuppingerCole, embrace the Zero Trust approach for addressing today’s threat landscape.

In addition, Zero Trust has evolved from a concept into a security framework that is being used by a growing number of businesses and government agencies. According to IDG’s 2018 Security Priorities Survey, 71 percent of security-focused IT decision makers are aware of the Zero Trust model, with 8 percent already actively using it in their organizations and 10 percent piloting it.

The Path to Zero Trust Starts with Identity

While implementing Zero Trust is a journey that cannot be completed overnight, it also doesn’t require a complete redesign of existing network architectures like the one performed by Google. It can be achieved by gradually modifying current infrastructures over time. From a technology perspective, the Zero Trust framework consists of a variety of components designed to secure the network, data, workloads, people/workforce, and devices while providing visibility into security threats, automating and orchestrating remediation, and interconnecting via APIs.

There are many starting points on the path to Zero Trust. However, one driving principle should be the fact that the easiest way for cyber-attackers to gain access to sensitive data is by compromising a user’s identity. Things get even worse if a stolen identity belongs to a privileged user who has even broader access, or “the keys to the kingdom”. In fact, 80 percent of security breaches involve privileged credentials, according to Forrester Research. In addition, 65 percent of enterprises allow the unrestricted, unmonitored, and shared use of privileged accounts, according to Gartner.

Until organizations start implementing identity-centric security measures, account compromise attacks will continue to provide a perfect camouflage for data breaches. For most organizations, the path to Zero Trust should start with identity. In fact, Gartner recommends putting Privileged Access Management on top of an organization’s list of security projects. 

Acknowledging that untrusted actors are already present inside the network involves moving towards a security model based on granting least privilege access. This Zero Trust Privilege approach implements the following elements:

• Verify Who

• Contextualize the Privileged Access Request

• Establish a Secure Admin Environment

• Grant Least Privilege

• Audit Everything

• Apply Adaptive Security Controls
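To make the three pillars above and these six Zero Trust Privilege elements concrete, here is an added example (not code from the article or from any vendor mentioned in it) of a minimal policy decision point for a single privileged request: it refuses unverified identities, allows only actions inside an explicit least-privilege grant, scores the request’s context (where network location is recorded but deliberately never lowers risk, since there is no trusted zone), steps up or denies adaptively on that score, and writes every decision to an audit log. The roles, grants, risk weights and thresholds are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample policy: explicit, narrow grants per privileged role
# (Grant Least Privilege) and which roles each identity may assume.
ROLE_GRANTS = {
    "dba-readonly": {"db:select"},
    "dba-admin": {"db:select", "db:alter", "db:drop"},
}
IDENTITY_ROLES = {"alice": {"dba-readonly", "dba-admin"}, "bob": {"dba-readonly"}}

@dataclass
class AccessRequest:
    user: str
    role: str                # privileged role being requested
    action: str              # the single operation being requested
    mfa_verified: bool       # Verify Who: strong authentication, not just a password
    device_managed: bool     # Secure Admin Environment: hardened, managed admin host?
    source_network: str      # recorded for audit only; location grants no trust
    hour: int                # local hour (0-23) of the request

AUDIT_LOG: list[dict] = []   # Audit Everything: allows and denies alike are recorded

def risk_score(req: AccessRequest) -> int:
    """Contextualize the request: each signal can only add risk, never remove it."""
    score = 0
    if not req.device_managed:
        score += 40                       # unmanaged device
    if req.hour < 6 or req.hour >= 20:
        score += 20                       # off-hours privileged use
    if req.action in ("db:alter", "db:drop"):
        score += 30                       # destructive operation
    return score

def evaluate(req: AccessRequest) -> str:
    """Return 'allow', 'step-up' or 'deny' for one privileged request."""
    if not req.mfa_verified:
        decision = "deny"                 # identity not verified: nothing is trusted
    elif (req.role not in IDENTITY_ROLES.get(req.user, set())
          or req.action not in ROLE_GRANTS.get(req.role, set())):
        decision = "deny"                 # outside the explicit least-privilege grant
    else:                                 # Adaptive Security Controls keyed on risk
        score = risk_score(req)
        decision = "deny" if score >= 60 else "step-up" if score >= 30 else "allow"
    AUDIT_LOG.append({"user": req.user, "role": req.role, "action": req.action,
                      "network": req.source_network, "hour": req.hour,
                      "decision": decision})
    return decision
```

A "step-up" result is where a real deployment would require re-authentication or a second approver before the session is brokered.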

Ultimately, Zero Trust challenges and eliminates the inherent trust assumptions in traditional security measures that leave organizations vulnerable to external and internal attacks. With privileged access abuse being the #1 cause of today’s breaches, organizations considering a Zero Trust model should start their journey by investing in identity-related technologies. 

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
