Security Experts:

Connect with us

Hi, what are you looking for?


Risk Management

The Security Spending Paradox

A Zero Trust Security Model Allows Organizations to Align Their Security Investments With What Works Best

A Zero Trust Security Model Allows Organizations to Align Their Security Investments With What Works Best

In a few weeks, security professionals from all around the world will descend on San Francisco for RSA Conference 2018 to discuss new approaches to information security and how to prevent being victimized by cyber-attacks. As always, the expo halls will be filled with the latest technologies, ranging from Artificial Intelligence, Container Security, Threat Intelligence, and Threat Hunting to Next-Gen Endpoint Security. But are these emerging technologies providing the effectiveness that is needed to defend against today’s dynamic cyber threats?

According to Gartner, worldwide security spending will reach $96 billion in 2018, up 8% from the 2017 spend of $89 billion. This statistic confirms that organization are incorporating emerging technologies in their existing security stack to minimize their cyber risk exposure. Meanwhile we’re experiencing a continuous increase in security incidents. Are these security investments paying dividends? 

The security spending paradox is reflected in several recent research studies. For example, a Dow Jones Customer Intelligence study finds that 62 percent of CEOs believe malware is the biggest threat to their organization. In another report, the  2018 Scalar Security Study, respondents rate Network Security (61%) or Traditional Endpoint Protection (49%) of higher (perceived) effectiveness than identity assurance and access controls (18%). Similar results were published by 451 Research in the 2018 Thales Data Threat Report, where network security (83%) and endpoint security (70%) scored highest in perceived effectiveness. These incongruent findings illustrate a lack of consensus in the industry on which attack vectors pose the biggest risk to organizations and the “identity crisis” in security. 

Many organizations don’t realize the impact that identity and access management has when it comes to minimizing the risk of suffering a data breach. A post-mortem analysis of the top data breaches in 2017, reveals that compromised identity was the primary vector in these cyber-attacks. As a matter of fact, a whopping 81% of hacking-related breaches leverage either stolen, default, or weak passwords.

In this context, organizations need to recognize that perimeter-based security, which focuses on securing endpoints and networks, provides no protection against identity and credential-based threats. Until we start implementing identity-centric security measures, account compromise attacks will continue to provide a perfect camouflage for data breaches. 

Still not convinced? Let’s look at some of the vulnerabilities that could be avoided by implementing identity-centric security measures:

● Insecure and publicly kept passwords;

● Using the same password across different applications and resources;

● One shared password for an entire group (e.g., admins), saved in a central location;

● Reliance on passwords rather than multiple factors (e.g., one-time password tokens, soft tokens, biometrics); and

● Over privileged user accounts being exploited.

Instead of following the traditional approach of “trust, but verify”, organizations should shift instead to a Zero Trust Security model, which assumes that users inside a network are no more trustworthy than those outside the network. The four main pillars of the Zero Trust Security model are: 

● Verify the User: Evaluate the security posture of a user based on location, device, and behavior to determine that users are who they say they are. Take the appropriate actions (i.e., multi-factor authentication) to assure user authenticity.

● Verify their Device: Whether it’s a corporate owned, BYOD, or public desktop, laptop, or mobile device, enforce access policies based on the device identity and security posture. Only allow access to the organization’s resources from trusted endpoints.

● Limit Access and Privilege: If the user and device are verified, a least privilege, role-based access model is enforced at the resource, limiting access to what each user requires for their job, while granting just-in-time access to specific applications and infrastructure for a limited timeframe.

● Learn and Adapt: Information is constantly being generated from various sources (from the user, their devices, and all activities related to them). Leverage machine learning to set contextual access policies, as well as adjust and adapt policies automatically.

The Zero Trust Security model offers a very pragmatic blueprint for implementing identity and access management-based strategies to secure applications, devices, data, and infrastructure – both on-premise and in the cloud. Since Zero Trust is not an all-or-nothing approach, it can be implemented in different phases, over time. Using this model, organizations can finally align their security investments with what works best for protecting their business
against data breaches.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Risk Management

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Risk Management

CISA has published a report detailing the cybersecurity risks to the K-12 education system and recommendations on how to secure it.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


More than 4,000 internet-accessible Pulse Connect Secure hosts are impacted by at least one known vulnerability, attack surface management firm Censys warns.

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem