April 28, 2024

Zero Trust: Sifting Through the Noise


“The risk is that if everything is zero trust, then maybe nothing is.” – Matthew Prince, CEO of Cloudflare

Cybersecurity is chock-full of acronyms and technical terms. Every week there seems to be a new, buzzy solution that will cure everything from ransomware to the common cold. And right now, nothing has more hype surrounding it than zero trust. The term zero trust has been around since 1994 when computer science professor Stephen Paul Marsh first coined it. 

Google later announced that it had implemented the approach on its own networks after the Aurora attacks, perpetrated by the Chinese government in 2009. The idea gained traction in 2010 when legendary cybersecurity analyst John Kindervag laid out the definitive framework for companies to move toward a Zero Trust model.

Since then, the phrase zero trust has become so pervasive within the cybersecurity industry that many people have started to doubt its substance, dismissing it as a marketing ploy. At every conference, vendors trot out their latest software and toys, all claiming to support zero trust. Still, demand for zero-trust products is flourishing: experts predict that the global market for zero trust will double in a few years, reaching over $50 billion by 2026.

The question is, what exactly is zero trust, and is it viable for your enterprise?

Let’s start with the basics. Zero trust is a security framework that assumes no user or device can be trusted by default. All access to resources must be verified, regardless of whether the user or device is inside or outside the network.

You cannot buy zero trust in one package because it’s not one-size-fits-all. Small startups have the distinct advantage of being able to build zero trust architecture (ZTA) into their networks from the beginning. Large enterprises with a complex network, hundreds of accessible applications, and a massive attack surface across multiple individual devices will need a much different, enduring strategy for ZTA to be successful. In addition, many large enterprises are still using legacy technology, which means their systems may not play nicely with the next-gen tech needed to implement zero trust.

According to a recent report from Zscaler, more than 90% of IT leaders said that they plan to start on ZTA in the next year. However, only 22% are confident in their ability to implement it. This means that 78% of businesses will fail at Zero Trust.

The reason behind that failure? Many software vendors bamboozle their potential clients with misleading language. Whether they don’t understand the zero-trust concept in its entirety or are simply capitalizing on fear, these marketing practices fool security leaders into thinking zero trust can simply be bought.

Charlie Winckless, an analyst at Gartner, says, “There’s a couple of mistakes many people make in zero trust. First, and probably most common too, is approaching zero trust as something you can buy, a situation abetted by many vendors using the term in their marketing whether it applies to the product or not.”

This is where intelligent CISOs and CTOs must learn to filter out their vendors’ false promises and white noise. That said, there are legitimate solutions you can purchase to start your company’s journey toward ZTA. VerSprite’s CEO and cybersecurity guru, Tony UV, recommends the following.

Identity and Access Management:

Identity and access management (IAM) is a framework for managing digital identities. It lets your security or IT team limit and control which users can access which information. Standard IAM functions include single sign-on (SSO), two-factor authentication (2FA), and multifactor authentication (MFA).

Zero Trust Network Access (ZTNA):

Zero Trust Network Access, or ZTNA, is a remote-access security solution that admits users only under clearly defined access control policies. ZTNA grants access to specific services or applications, whereas a VPN gives access to an entire network. With the rise of remote work, a ZTNA solution helps close gaps in remote access technology.

Secure Access Service Edge (SASE):

Secure access service edge (SASE) is a network architecture that combines VPN and SD-WAN capabilities with cloud-native security functions such as cloud access security brokers, firewalls, secure cloud gateways, and zero-trust network access.

Next-generation Firewall (NGFW):

An NGFW is third-generation firewall technology that enforces security policies at the port, protocol, and application levels to detect and block sophisticated attacks. It combines the best capabilities of traditional firewalls and virtual private networks (VPNs) with quality of service (QoS) functionality, and adds next-level features such as intrusion prevention, SSL and SSH inspection, deep-packet inspection, and application awareness. Because an NGFW sees this additional context, it can block malware based on reputation data and inspect the details of web application traffic to block suspicious connections.

Microsegmentation:

Microsegmentation is a security approach that divides a network into segments and applies security controls to each segment based on that segment’s requirements. Microsegmentation software and network virtualization technology create zones in cloud deployments; each zone isolates its workloads and secures them individually with custom, workload-specific policies. With such precise controls, you can protect all virtual machines (VMs) in a network at the granular application level.
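To make the difference between the three ideas concrete, here is a small policy engine that evaluates every access request on identity, device posture and the specific resource requested rather than on network location (the zero trust definition above), grants access per application rather than per network (ZTNA), and allows east-west traffic between workloads only where an explicit segment rule exists (microsegmentation). This is an added illustration written for this article; it is not code from the article, from VerSprite, or from any vendor product, and the user names, grants, IP ranges and workload names are constructed sample data.

```python
"""Per-request access decisions, zero trust style, beside a perimeter model.

Added example with constructed sample data; not code from the article or any
product. Demonstrates: verify every request regardless of location, grant
access per application (ZTNA), and allow workload-to-workload traffic only by
explicit rule (microsegmentation).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple

@dataclass(frozen=True)
class Request:
    user: str                # authenticated principal, "" if unauthenticated
    mfa: bool                # multifactor authentication completed this session
    device_managed: bool     # device is enrolled in endpoint management
    device_compliant: bool   # posture check passed (patched, encrypted, ...)
    source_ip: str           # where the request came from
    resource: str            # application the user wants to reach

# Constructed sample data (assumptions for the example, not from the article).
CORP_NET = ip_network("10.0.0.0/8")          # the "inside" of the old perimeter
APP_GRANTS = {                               # ZTNA: each user sees only named apps
    "alice": {"payroll", "wiki"},
    "bob": {"wiki"},
}
SEGMENT_RULES = {                            # microsegmentation: allowed flows only
    ("web-frontend", "api-gateway"),
    ("api-gateway", "orders-db"),
}

def perimeter_decision(req: Request) -> bool:
    """Castle-and-moat model: anything on the corporate network is trusted."""
    return ip_address(req.source_ip) in CORP_NET

def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Evaluate identity, device and resource on every request.

    Source IP is deliberately not consulted: being on the corporate network
    earns no trust, and being remote costs none.
    """
    if not req.user:
        return False, "unauthenticated"
    if not req.mfa:
        return False, "mfa required"
    if not (req.device_managed and req.device_compliant):
        return False, "device posture failed"
    if req.resource not in APP_GRANTS.get(req.user, set()):
        return False, f"no grant for {req.resource}"
    return True, "allow"

def workload_decision(src_workload: str, dst_workload: str) -> bool:
    """East-west check between workloads: default deny, allow only listed flows."""
    return (src_workload, dst_workload) in SEGMENT_RULES

def compare(requests):
    """Return (perimeter verdict, zero trust verdict) for each sample request."""
    return [(perimeter_decision(r), zero_trust_decision(r)) for r in requests]

if __name__ == "__main__":
    samples = [
        # Session without MFA coming from inside the corporate network.
        Request("alice", False, True, True, "10.1.2.3", "payroll"),
        # Fully verified user on a managed, compliant device, working remotely.
        Request("alice", True, True, True, "203.0.113.5", "payroll"),
        # Verified user asking for an application they were never granted.
        Request("bob", True, True, True, "203.0.113.5", "payroll"),
    ]
    for req, (perim, zt) in zip(samples, compare(samples)):
        print(f"{req.user:>6} -> {req.resource:<8} perimeter={perim!s:<5} zero_trust={zt}")
    print("web-frontend -> orders-db:", workload_decision("web-frontend", "orders-db"))
```

The first sample is the case that separates the two models: the perimeter model admits it because the source address is inside the corporate range, while the zero trust engine rejects it for the missing MFA step. The third sample shows the ZTNA point, a legitimate user who is still denied an application outside their grant, and the last line shows default-deny between workloads that have no explicit segment rule.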

Whichever methods and software you choose, start small. Don’t try to implement zero trust all at once.

Using automation can help you reduce the complexity and cost of zero trust.

Zero trust can be seen as an organizing principle for stopping modern cyberattacks. Sophisticated threat actors want to deploy ransomware or steal data, but to get there they must first move through your IT environment. With ZTA in place, your technology can stop a breach outright or at least minimize the damage. Zero trust can’t promise that no attacks will occur, but it does promise that fewer attackers will succeed.

Zero Trust is, above all, an ongoing process. You will constantly need to monitor and adjust. Like the pirate’s code, Zero Trust is more a set of guidelines than actual rules, but if you’re unsure whether the product you’re considering is legitimate, refer to the NIST guidelines for Zero Trust.

Here is the most straightforward guideline for when you are bombarded with Zero Trust propaganda: if it seems too good to be true, it probably is.

Still unsure about how to implement Zero Trust Architecture in your company? Talk to Tony UV and his trusty band of security experts.

About Tony UV: Founder of VerSprite – a risk-focused security consulting firm in Atlanta – Tony works with global Fortune 500 organizations seeking something beyond compliance-driven approaches to security challenges. With nearly 20 years of IT/IS experience across three continents, Tony has hands-on operational and management experience. He is a co-author of PASTA (Process for Attack Simulation & Threat Analysis), the only risk-centric threat modeling methodology, and is an author with Wiley Life Sciences.

Tony also runs the OWASP Atlanta chapter and organizes the annual BSides Atlanta conferences. Tony’s recent public speaking events include AppSec USA, BSides ATL, Great Wide Open/All Things Open Developer Conference, Cloud Connect, ISACA Information Security Risk Management, OWASP LatAm, regional ISSA and ISACA events, and multiple OWASP global training and speaking events in Asia, Latin America, Europe, and North America.


This article features branded content from a third party. Opinions in this article do not reflect the opinions and beliefs of Miami Wire.