Zero trust has become a catchphrase in the cybersecurity sector, with all stakeholders fully accepting and going on all in. Adopting the next-generation security model has faced challenges due to confusion about what the term means. The rise of cyberattacks of all types, including ransomware, phishing, and business email compromise, indicates that something must change soon. Zero trust is a concept that seeks to create a shift in how organizations conceive and build their networks and IT infrastructure. The older model of conceiving networks and IT infrastructure entailed putting all computers, servers, and devices in an organization on the same network and trusting each other. For example, a work computer would access team documents on a shared server or connect to a printer on the floor. Antivirus and firewalls are configured to consider everything outside the organization as wrong. Everything inside the network is not scrutinized.
The explosion in cloud services, mobile devices, and remote work has radically challenged the old model. The old model was inherently flawed, with the lousy outside, good inside not as effective. Organizations are no longer physically able to control every device their employees use. The older model was always flawed since attackers would have the freedom and trust of the network once they had slipped through the defensive parameters.
To highlight the weaknesses of this older model, Google suffered a sophisticated state-sponsored attack eleven years ago against its corporate network. The hackers of Chinese origin and rampaged through Google’s networks stole data and code and created backdoors that they would use to get in after getting kicked out. The incident highlighted how networks were built that didn’t make sense. It called for going back to the drawing board to rethink the design of networks. The battlefield was overhauled, making it difficult for attackers. The new design ensured that nothing trusts each other within a network.
Zero trust demands that people using a network prove why they should be granted access. No more trusting of specific devices or connections that emanated from certain places. That means that people secured access into networks using corporate accounts with biometrics and hardware security keys in addition to using usernames and passwords. Attackers impersonating other users would have no easy task gaining access to the network. Even if an attacker gains access to the network, the need-to-know or need-to-access basis applies. Third-party contractors wouldn’t have to tie your corporate account to the billing platform.
Zero trust advocates emphasize that zero trust is not a piece of software that you can install or just a box to check. It is a philosophy, a mantra, a concept, and a mindset. Zero trust is never a magic bullet or marketing gimmick or buzzword.
Zero trust is a concept, not a simple action. You will be required to implement a set of measures, including device and software inventory, access control, and network segmentation. The confusion about the real meaning and purpose of zero trust has made it difficult for people to implement the idea.
The proponents of zero trust agree on the overall goals and purpose. However, IT administrators and executives with so many other things to worry about can be misled or take shortcuts in implementing network security simply reinforcing the older approaches. Additionally, the industry needs to embrace greater integrity and improved communication, especially with all the real threats and attacks facing organizations.
According to Paul Walsh, founder, and CEO of MetaCert, a zero-trust-based anti-phishing firm, the security industry has added bells and whistles such as AI and Machine Learning to the same old methodology. It remains traditional security and not zero trust no matter what you add.
Cloud service providers are best placed to ingrain zero trust into their platforms and offer their customers the training and help them introduce zero trust concepts into their organizations. Phil Venables, the chief information security officer of Google Cloud, reports that they spend a lot of time explaining to their clients what zero trust is and how it can be applied in their Google Cloud and elsewhere in their networks.
The other biggest obstacle to the widespread deployment of zero trust is that the network infrastructure in use was designed under the old model. Due to fundamental differences, the more aging network infrastructure offers no straightforward way to retrofit the newer zero trust concepts. The result is that implementing any zero trust ideas will potentially involve a significant investment and present a considerable inconvenience to re-design these legacy systems. That means zero trust projects are the least likely to be implemented by many organizations. Implementing zero trust may never happen in the federal government due to numerous legacy systems, an assortment of vendors, and the huge investments of time and money to overhaul the legacy systems. Government should focus on offering better security and improved user experience.
Security professionals’ ongoing efforts to hack organizations and discover their weaknesses to understand what it takes to break zero trust networks fully. For the most part, it is relatively easy to target segments of a targeted network that haven’t been upgraded with zero trust concepts.
Businesses and organizations that decide to move their infrastructure off-premises and into the cloud with a trusted zero trust vendor can tighten some traditional attack paths. In conclusion, zero trust is not the panacea in the security sector. The zero-trust concept will strengthen an organization’s network but doesn’t make the network bullet-proof. Misconfigurations may introduce weakness right from the onset of the transition to zero trust.
Author: Alessandro Civati
Blockchain ID: https://x88.life/1goaM4VpOu
