Redefining Zero Trust: Does Zero Really Mean Zero?

The concept of zero trust security has gained momentum, but the reality is that it is not truly "zero" trust.

The concept of zero trust networks or zero trust security was developed in 2010 by John Kindervag—at the time a principal analyst with Forrester. The point of the initiative was to move away from granting blanket trust to users or devices in response to an increasingly complex ecosystem of connected devices and network connections. In the decade since zero trust was introduced, it has gained momentum and grown into its own market segment within the cybersecurity industry. The way it is commonly implemented, however, isn’t really “zero” trust. It is strictly limited or granular trust, but there is still trust and still potential for that trust to be exploited. What , though?

The basic model of cybersecurity is built on the model of Prevent, Detect, Remediate, and Predict. According to Amir Ben-Efraim, CEO of , though, the problem is that prevention is never perfect, detection is too late, damage is often already done by the time remediation is complete, and prediction of the next attack is just nonsense.

Companies put defensive measures like firewalls and antimalware in place to try to keep threats out in the first place, and use tools like intrusion detection to identify suspicious or malicious activity that has slipped through the cracks. Remediation teams then work to remove whatever threat was able to gain a foothold and repair any damage. They then try to mitigate the next attack by predicting where the attacker may try to penetrate their defenses, applying any new lessons or information to improve prevention and detection for the next time.

Ben-Efraim points out that preventing attacks relies on the assumption that you can outsmart the bad guys and stay one step ahead, while detection assumes that an organization will be able to recognize and respond to an attack quickly enough to avoid any damage. Given that the average dwell time—the time an attacker is able to infiltrate and persist on an organization’s network before being detected—is measured in months, it’s safe to say that prevention and detection are not very effective in most cases.

One of the industry’s answers to this problem is zero trust, the practice of authenticating a user’s access to a resource in a way that goes beyond traditional authentication. The problem with most implementations of zero trust is that they’re actually not zero—they’re granular trust. It is admittedly an improvement over the previous model, but the reality is that you’re still connecting users and devices to resources and information based on authentication and trust. Access is more limited, and access may be verified more frequently, but there is still trust granted on some level for some period of time. The difference between granular trust and true zero trust still leaves you exposed to exploitation and compromise.
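The "trust granted for some period of time" problem can be made concrete with a small policy model. The code below is an added illustration, not from the article or any vendor's product: a gate that checks device health and then caches that verdict for a re-check window (`recheck_after`, a name chosen here). With a non-zero window, a request from a device that became unhealthy inside the window is still allowed on the strength of the earlier check; with a window of zero, every request is verified against current context.

```python
"""Toy access gate contrasting cached ("granular") trust with per-request
verification. Added example; the Context/Session/Gate names are assumptions
made for this illustration, not a real product's API."""
from dataclasses import dataclass


@dataclass
class Context:
    """What the gate can observe about a request at the moment it arrives."""
    user: str
    device_healthy: bool   # e.g. posture attestation result (constructed)
    now: float             # seconds; constructed timeline


@dataclass
class Session:
    """A cached verdict: the residual trust the article is talking about."""
    user: str
    last_verified: float
    verified_healthy: bool


class Gate:
    def __init__(self, recheck_after: float):
        # recheck_after == 0 means "never rely on a previous verdict"
        self.recheck_after = recheck_after
        self.sessions: dict[str, Session] = {}

    def _verify(self, ctx: Context) -> bool:
        # Stand-in for the real posture/identity check.
        return ctx.device_healthy

    def authorize(self, ctx: Context) -> bool:
        s = self.sessions.get(ctx.user)
        if s is None or ctx.now - s.last_verified >= self.recheck_after:
            ok = self._verify(ctx)
            self.sessions[ctx.user] = Session(ctx.user, ctx.now, ok)
            return ok
        # Inside the window: the decision rests on a verdict from the past,
        # regardless of what the device looks like right now.
        return s.verified_healthy


def scenario(recheck_after: float) -> list[bool]:
    """Constructed timeline: healthy at t=0, compromised from t=30 onward."""
    gate = Gate(recheck_after)
    return [
        gate.authorize(Context("alice", device_healthy=True, now=0.0)),
        gate.authorize(Context("alice", device_healthy=False, now=30.0)),
        gate.authorize(Context("alice", device_healthy=False, now=600.0)),
    ]


if __name__ == "__main__":
    print("5-minute re-check window:", scenario(300))  # second request slips through
    print("verify every request:   ", scenario(0))
```

The second decision in the 300-second scenario is the exposure the article describes: nothing was misconfigured, the policy simply honoured a verdict that was already stale when the request arrived.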

In most companies, a significant percentage of productivity occurs in email or through the web browser. It’s no coincidence that estimates suggest that email and web browsers are responsible for 90% of attacks. Organizations need to figure out how to effectively implement true zero trust for email and internet access.

As long as there are users and devices connecting to network resources and data over the public internet or executing unknown code in a web browser, organizations don’t really have zero trust and they’re still exposed to unnecessary risk.

The Defense Information Systems Agency (DISA) understands the internet is dangerous, and it launched the initiative in an effort to eliminate web-based threats and the possibility of drive-by downloads. This is an example of zero trust being applied to the internet by removing the browsing process from the desktop and moving it to the cloud, effectively creating an “air gap” between the internet and the agency’s network.

Isolation is a simple concept that moves the needle towards absolute zero trust. An explains, “The platform works by taking a command to open a website and opening a virtual machine in the cloud. That virtual machine runs a new web browser created specifically for the requester, downloads the website and runs it fully in the cloud.”
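To show what "running the site in the cloud" buys the endpoint, here is an added toy model of an isolation gateway; it is not DISA's or Menlo Security's code, and the `Response`, `TextRenderer` and `isolate` names are assumptions made for this illustration. The fetched page is parsed only inside the (simulated) isolated environment, active content such as scripts and iframes is never forwarded, file downloads are refused at the gateway, and the endpoint receives an inert rendering (here, visible text plus link targets) rather than the original HTML.

```python
"""Toy remote-browser-isolation gateway. Added example; the fetched
responses below are constructed, not captured from a real site."""
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Elements that carry or load executable/embedded content; never forwarded.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet", "form", "style"}
# MIME types that would hand the endpoint a file instead of a page.
DOWNLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}


@dataclass
class Response:
    """What the isolated browser fetched on the endpoint's behalf."""
    content_type: str
    headers: dict = field(default_factory=dict)
    body: str = ""


class TextRenderer(HTMLParser):
    """Runs inside the isolated environment: keeps visible text and link
    targets, drops everything inside active elements (script bodies included)."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: list[str] = []
        self.links: list[str] = []
        self._skip = 0  # depth inside ACTIVE_TAGS

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self._skip += 1
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self._skip = max(0, self._skip - 1)

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.parts.append(data.strip())


def isolate(resp: Response):
    """Gateway decision for one fetched response.
    Returns (status, payload); only 'rendered' payloads reach the endpoint."""
    disposition = resp.headers.get("content-disposition", "").lower()
    if "attachment" in disposition or resp.content_type in DOWNLOAD_TYPES:
        return ("blocked_download", None)   # no drive-by downloads
    if not resp.content_type.startswith("text/html"):
        return ("blocked_type", None)       # only page content is rendered
    renderer = TextRenderer()
    renderer.feed(resp.body)
    return ("rendered", {"text": " ".join(renderer.parts), "links": renderer.links})


# Constructed sample responses.
SAMPLE = Response(
    "text/html",
    body='<html><head><title>Hi</title><script>document.write("x")</script></head>'
         '<body><p>Hello <a href="/next">world</a></p>'
         '<iframe src="//third-party.example/frame"></iframe></body></html>',
)
DOWNLOAD = Response(
    "application/octet-stream",
    headers={"content-disposition": "attachment; filename=setup.exe"},
    body="MZ...",
)

if __name__ == "__main__":
    print(isolate(SAMPLE))    # ('rendered', {'text': 'Hi Hello world', 'links': ['/next']})
    print(isolate(DOWNLOAD))  # ('blocked_download', None)
```

A production isolation platform streams a pixel or DOM rendering rather than plain text, but the security property is the same one this sketch enforces: the endpoint never executes the site's code, so a malicious script or drive-by download has nothing to run on.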

Companies need to think more broadly about zero trust and consider better ways to achieve zero trust even for email and the public internet. Menlo Security’s Ben-Efraim stressed that as a CISO or IT security manager, “I want to be able to say that I have achieved true zero trust using a solution that allows me to engage with the world through common channels without exposing any risk. It’s unfortunate that the industry is accepting a zero trust framework that purports to be an advancement but is really just more security that is just ‘almost safe.’”

He added that “True zero trust, especially for the internet, on the other hand, does exist, and it is the perfect answer for eliminating malware, ransomware and zero day threats.”

Zero trust is a great concept in theory. It will be significantly better when organizations move away from granular security and implement tools and processes that enable zero to really mean zero.

Source: https://www.forbes.com/sites/tonybradley/2020/02/20/redefining-zero-trust-does-zero-really-mean-zero/
