Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

3/7/2019
02:30 PM
Torsten George
Torsten George
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
50%
50%

Debunking 5 Myths About Zero Trust Security

Rather than "trust but verify," a zero trust model assumes that attackers will inevitably get in - if they aren't already. However, several misconceptions are impeding its adoption.

For years, the popular security maxim was "trust but verify." However, this mindset is no longer sufficient in today's borderless, global, mobile, cloud-based threatscape.

According to Gartner, organizations are expected to spend $137 billion in IT security and risk management in 2019, yet 66% of all companies experienced security breaches last year. You'd think with that much money invested in security, we'd be several steps ahead of the bad guys. But hardly a week goes by without news of the latest high-profile cyberattack.

Zero trust security is an antidote for outdated security strategies because it demands that organizations never trust and always verify. Every business must recognize that attackers exist inside and outside the network — and that perimeter-based security no longer provides protection against identity-based and credential-based intrusion, which are today's leading attack vectors. The solution now is to remove trust entirely from the equation by granting just enough privilege at just the right time.

However, several misconceptions are impeding zero trust adoption. Let's take a look at the top five and set the record straight.

Myth 1: The Path to Zero Trust Security Starts with Data Integrity
Rest assured, encrypting sensitive data and assuring its integrity remains a best practice. No one denies that. But how does that limit attackers from exfiltrating data if they've already secured privileged access, including to decryption keys?

Forrester estimates that 80% of data breaches are caused by misuse of privileged credentials. Privileged credentials provide greater scope for stealing data than individual accounts do, so it only takes one compromised credential to impact millions of people and cause a massive amount of damage. It's not surprising that Gartner recommends putting privileged access management (PAM) at the top of any list of security projects.

Until organizations start implementing identity-centric security measures, account compromise attacks will continue to provide a perfect camouflage for data breaches. Thus, the path to zero trust should always start with identity.

Myth 2: Zero Trust Is Only for Large Organizations
Google was one of the first companies to adopt the zero trust model. As a result, many people still think it is only for the largest organizations. But the reality is, no one is safe from a cyberattack. In fact, 61% of all data breaches affected small businesses, according to the "2018 Verizon Data Breach Investigations Report."

The good news is that zero trust security won't break the bank. Your company's size or budget should not be a deterrent because even the smallest business can get started with zero trust by taking a cost-effective, step-by-step approach. For example, many organizations can significantly harden their security posture with low-hanging fruit like a password vault or multifactor authentication. Spending a couple hundred dollars per system each year could be well worth it to avoid potential millions in fines, penalties, or brand damage.

Myth 3: I Need to Rip and Replace My Entire Network Security Environment
It's true that when Google first established its zero trust security architecture, it decided to rebuild its entire security network from the ground up. But this is not the case for most organizations.

Zero trust can simply involve an augmentation of security controls that already exist within your environment. For instance, you can start by deploying an "MFA everywhere" solution, which is not overly complex and can deliver tremendous value. This first step can go a long way toward establishing identity insurance and dramatically reducing your attack surface, putting your organization firmly on a path to zero trust.

Myth 4: Zero Trust Is Limited to On-Site Deployment
Many organizations think zero trust can only work on-premises and can't be applied to the public cloud. This becomes a concern when sensitive data resides outside the traditional network perimeter.

The fact of the matter is, zero trust can easily be extended to cloud environments, and it is increasingly important to do so as organizations across a broad range of industries move to hybrid, multicloud environments. Further, zero trust not only covers infrastructure, databases, and network devices, but it is extended to other attack surfaces that are increasingly becoming strategic requirements of modern organizations, including big data, DevOps, containers and more.

Myth 5: Zero Trust's Only Benefit Is It Will Minimize My Exposure to Risk
Risk mitigation is clearly a major benefit of zero trust, but it's definitely not the only one.

Forrester recently concluded that zero trust can reduce an organization's risk exposure by 37% or more. But it also found that organizations deploying zero trust can reduce security costs by 31% and realize millions of dollars in savings in their overall IT security budgets.

Zero trust can also lead to greater business confidence. The Forrester study found that organizations deploying zero trust are 66% more confident in adopting mobile work models and 44% more confident in securing DevOps environments. As a result, they are able to accelerate new business models and introduce new customer experiences with a greater sense of assurance and success.

The bottom line is that today's security is not secure. Rather than "trust but verify," a zero trust model assumes that attackers will inevitably get in — if they aren't already. With zero trust, you can minimize the attack surface, improve auditing and compliance visibility, and reduce complexity and cost.

Zero trust is truly the definitive approach to security for the modern hybrid enterprise. Remember: Never trust. Always verify. Enforce least privilege.

That's no myth.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Torsten George is a cybersecurity evangelist at Centrify. He also serves as strategic advisory board member at vulnerability risk management software vendor NopSec. He has more than 20 years of global information security experience and is a frequent speaker on ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/1/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Well I dont run on MacOS, so I need to take extra precautions"
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13759
PUBLISHED: 2020-06-02
rust-vmm vm-memory before 0.1.1 and 0.2.x before 0.2.1 allows attackers to cause a denial of service (loss of IP networking) because read_obj and write_obj do not properly access memory. This affects aarch64 (with musl or glibc) and x86_64 (with musl).
CVE-2020-7662
PUBLISHED: 2020-06-02
websocket-extensions npm module prior to 1.0.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other characte...
CVE-2020-7663
PUBLISHED: 2020-06-02
websocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other charact...
CVE-2020-12017
PUBLISHED: 2020-06-02
GE Grid Solutions Reason RT Clocks, RT430, RT431, and RT434, all firmware versions prior to 08A05. The device’s vulnerability in the web application could allow multiple unauthenticated attacks that could cause serious impact. The vulnerability may allow an unauthenticated attacke...
CVE-2018-18623
PUBLISHED: 2020-06-02
Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.