Zero trust is the buzzword in cybersecurity today. As a result, the market is brimming with “zero trust” solutions. What is it exactly? What solutions should you choose? Making sense of it all can be a daunting task for any company. What’s more, even as experts and leaders continue to urge businesses to move to zero trust security, many argue that zero trust is no silver bullet for cybersecurity.
So, what is the answer? First, we need to take a closer look at zero trust.
What is Zero Trust?
The zero trust model, or zero trust architecture, is a cybersecurity approach that grants users access to networks and resources only when their identities and permissions for access have been verified. This means every user is authenticated not just once but continuously, throughout the network and wherever they are located.
The National Institute of Standards and Technology (NIST) has the most widely accepted definition: “Zero trust is the term for an evolving set of cyber security paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location.”
It is also a widely accepted truth that the old castle-and-moat security model – where anyone inside a protected corporate perimeter is trusted – is no longer working.
Some time ago, in our work with Citrix, we put together a video that illustrates the difference between zero trust and perimeter-based security.
In fact, ‘legacy’ methods of implicit trust – contrary to zero trust frameworks – have resulted in many costly security breaches around the world. Once inside the perimeter, attackers are often able to move laterally across networks with ease.
With remote workforces and a variety of devices being used to access company resources from anywhere, experts and government leaders, including the White House, consider it necessary to move to zero trust for security.
Market Growth:
Demand for zero trust is on the rise and is expected to continue to grow. According to a report by Expert Market Research, the global zero trust security market was valued at about $22.99 billion in 2021 and is expected to reach $59.89 billion by 2027.
The major factors driving the market include the growing frequency of target-based cyber-attacks and increasing regulations for data protection and information security.
Cause for concern: Here are just a few eye-opening stats about cybercrime:
- 45% of global organizations will be impacted in some way by a supply chain attack, analyst firm Gartner predicted.
- The cost of cybercrime is predicted to hit $8 trillion in 2023 and will grow to $10.5 trillion by 2025, according to Cybersecurity Ventures’ “2022 Official Cybercrime Report.”
- The average cost of a cyber-attack was $10 million in 2022. (The recent T-Mobile attack cost $350 million.)
- The human element is the most common threat vector; it was the root cause of 82% of data breaches, according to Verizon’s “2022 Data Breach Investigations Report.”
Despite the heightened attention to zero trust architecture as the solution to cybersecurity problems, many argue that even with products in place that support zero trust, cyber-attacks can be successful.
Let’s take a look.
How Can Zero Trust be Compromised?
- Poor implementation: Even if a zero trust framework is in place, it may not be properly implemented or configured, leaving vulnerabilities in the system.
Experts like David Holmes, senior analyst at Forrester Research, advise companies to make sure zero trust deployments are actually replacing legacy systems.
“For example, instead of just buying and deploying ZTNA, ensure that [the] VPN is also deprecated,” Holmes told CNBC. “If a micro-segmentation project is deployed, ensure that it gets put into enforcement mode and not just alerting mode.”
- Insider threats: Even if all external devices and users are verified, internal actors may still be able to cause harm to the network.
Using phishing-resistant MFA that is inherent in the system (i.e., not simply layered on top of phishable factors like passwords or OTPs), tied directly to the user and verified at every step, will help guard against insider threats when users are automatically de-provisioned as soon as they are no longer employees.
- Lack of monitoring: A zero trust framework relies on continuous monitoring to identify and respond to threats. If monitoring is inadequate, threats can go undetected.
- Phishing and social engineering: Attackers may use phishing and social engineering tactics to trick users into providing login credentials or other sensitive information, bypassing the zero trust framework.
Once again, it is critical to deploy phishing-resistant MFA as part of your zero trust framework. If there is no phishable factor, such as a password or one-time passcode (OTP), there is nothing to phish. As we always say, “You can’t phish for something that doesn’t exist!”
- Zero-day vulnerabilities: Zero-day vulnerabilities are unknown or undisclosed vulnerabilities that attackers can exploit. Even if a zero trust framework is in place, these vulnerabilities can be used to gain access to the network.
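Several items in the list above can be checked mechanically: a VPN left running beside ZTNA, micro-segmentation left in alerting mode, accounts that were never de-provisioned, and phishable factors still enrolled. The following audit is an added example, not part of the original article or of any vendor's product; the inventory schema, field names and finding codes are hypothetical, and the sample data is constructed.

```python
# Added example: audit a deployment inventory for the gaps listed above.
# The inventory schema and every field name are hypothetical; data is constructed.

PHISHABLE = {"password", "otp"}  # the phishable factors the article names

INVENTORY = {
    "ztna_deployed": True,
    "legacy_vpn_enabled": True,          # ZTNA bought, VPN never retired
    "segments": [
        {"name": "finance", "mode": "enforce"},
        {"name": "build-farm", "mode": "alert"},   # logs only, blocks nothing
    ],
    "hr_active_employees": {"alice", "bob"},
    "accounts": [
        {"user": "alice", "enabled": True, "factors": ["fido2"]},
        {"user": "bob", "enabled": True, "factors": ["password", "otp"]},
        {"user": "carol", "enabled": True, "factors": ["fido2"]},   # left the company
        {"user": "dave", "enabled": False, "factors": ["password"]},  # already disabled
    ],
}

def audit(inv):
    """Return (finding_code, detail) tuples for each gap found."""
    findings = []
    if inv["ztna_deployed"] and inv["legacy_vpn_enabled"]:
        findings.append(("legacy-vpn-active", "ZTNA deployed but VPN not deprecated"))
    for seg in inv["segments"]:
        if seg["mode"] != "enforce":
            findings.append(("segment-not-enforcing", seg["name"]))
    for acct in inv["accounts"]:
        if not acct["enabled"]:
            continue  # disabled accounts cannot authenticate
        if acct["user"] not in inv["hr_active_employees"]:
            findings.append(("not-deprovisioned", acct["user"]))
        phish = sorted(PHISHABLE.intersection(acct["factors"]))
        if phish:
            findings.append(("phishable-factor", f"{acct['user']}: {', '.join(phish)}"))
    return findings

if __name__ == "__main__":
    for code, detail in audit(INVENTORY):
        print(f"{code:<22} {detail}")
```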
In Conclusion
Now that we know there is no silver bullet, do we just give up? Absolutely not! We must strive to use the best solutions available across all aspects of the framework. We also must not accept that what we have put in place is final. Rather, we must re-evaluate, modify, and upgrade as necessary.
A zero trust framework is not a silver bullet for cybersecurity, but rather a set of best practices to be applied to reduce the risk of a successful attack. All of it starts with education and training: ensuring that teams are aware not only of the modern tools available but also of good cyber hygiene. Experts like Forrester’s David Holmes suggest that companies start with the basics, such as identity and access management (IAM), multi-factor authentication (MFA), and single sign-on (SSO).
TraitWare
TraitWare was built from the ground up with zero trust architecture. Our team began with a vision to rid the world of the frustrations and insecurity that come with passwords, then moved into improving multi-factor authentication (MFA) by eliminating the need for phishable factors from login entirely. Our patented passwordless phishing-resistant native MFA solution meets and exceeds CISA’s Gold Standard.
For more information on how TraitWare can help tackle your company’s move to zero trust with modern technology for greater security and ease of use, please get in touch and we’ll have you up and running in a few clicks.