Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

3/7/2019
02:30 PM
Torsten George
Torsten George
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
50%
50%

Debunking 5 Myths About Zero Trust Security

Rather than "trust but verify," a zero trust model assumes that attackers will inevitably get in - if they aren't already. However, several misconceptions are impeding its adoption.

For years, the popular security maxim was "trust but verify." However, this mindset is no longer sufficient in today's borderless, global, mobile, cloud-based threatscape.

According to Gartner, organizations are expected to spend $137 billion in IT security and risk management in 2019, yet 66% of all companies experienced security breaches last year. You'd think with that much money invested in security, we'd be several steps ahead of the bad guys. But hardly a week goes by without news of the latest high-profile cyberattack.

Zero trust security is an antidote for outdated security strategies because it demands that organizations never trust and always verify. Every business must recognize that attackers exist inside and outside the network — and that perimeter-based security no longer provides protection against identity-based and credential-based intrusion, which are today's leading attack vectors. The solution now is to remove trust entirely from the equation by granting just enough privilege at just the right time.

However, several misconceptions are impeding zero trust adoption. Let's take a look at the top five and set the record straight.

Myth 1: The Path to Zero Trust Security Starts with Data Integrity
Rest assured, encrypting sensitive data and assuring its integrity remains a best practice. No one denies that. But how does that limit attackers from exfiltrating data if they've already secured privileged access, including to decryption keys?

Forrester estimates that 80% of data breaches are caused by misuse of privileged credentials. Privileged credentials provide greater scope for stealing data than individual accounts do, so it only takes one compromised credential to impact millions of people and cause a massive amount of damage. It's not surprising that Gartner recommends putting privileged access management (PAM) at the top of any list of security projects.

Until organizations start implementing identity-centric security measures, account compromise attacks will continue to provide a perfect camouflage for data breaches. Thus, the path to zero trust should always start with identity.

Myth 2: Zero Trust Is Only for Large Organizations
Google was one of the first companies to adopt the zero trust model. As a result, many people still think it is only for the largest organizations. But the reality is, no one is safe from a cyberattack. In fact, 61% of all data breaches affected small businesses, according to the "2018 Verizon Data Breach Investigations Report."

The good news is that zero trust security won't break the bank. Your company's size or budget should not be a deterrent because even the smallest business can get started with zero trust by taking a cost-effective, step-by-step approach. For example, many organizations can significantly harden their security posture with low-hanging fruit like a password vault or multifactor authentication. Spending a couple hundred dollars per system each year could be well worth it to avoid potential millions in fines, penalties, or brand damage.

Myth 3: I Need to Rip and Replace My Entire Network Security Environment
It's true that when Google first established its zero trust security architecture, it decided to rebuild its entire security network from the ground up. But this is not the case for most organizations.

Zero trust can simply involve an augmentation of security controls that already exist within your environment. For instance, you can start by deploying an "MFA everywhere" solution, which is not overly complex and can deliver tremendous value. This first step can go a long way toward establishing identity insurance and dramatically reducing your attack surface, putting your organization firmly on a path to zero trust.

Myth 4: Zero Trust Is Limited to On-Site Deployment
Many organizations think zero trust can only work on-premises and can't be applied to the public cloud. This becomes a concern when sensitive data resides outside the traditional network perimeter.

The fact of the matter is, zero trust can easily be extended to cloud environments, and it is increasingly important to do so as organizations across a broad range of industries move to hybrid, multicloud environments. Further, zero trust not only covers infrastructure, databases, and network devices, but it is extended to other attack surfaces that are increasingly becoming strategic requirements of modern organizations, including big data, DevOps, containers and more.

Myth 5: Zero Trust's Only Benefit Is It Will Minimize My Exposure to Risk
Risk mitigation is clearly a major benefit of zero trust, but it's definitely not the only one.

Forrester recently concluded that zero trust can reduce an organization's risk exposure by 37% or more. But it also found that organizations deploying zero trust can reduce security costs by 31% and realize millions of dollars in savings in their overall IT security budgets.

Zero trust can also lead to greater business confidence. The Forrester study found that organizations deploying zero trust are 66% more confident in adopting mobile work models and 44% more confident in securing DevOps environments. As a result, they are able to accelerate new business models and introduce new customer experiences with a greater sense of assurance and success.

The bottom line is that today's security is not secure. Rather than "trust but verify," a zero trust model assumes that attackers will inevitably get in — if they aren't already. With zero trust, you can minimize the attack surface, improve auditing and compliance visibility, and reduce complexity and cost.

Zero trust is truly the definitive approach to security for the modern hybrid enterprise. Remember: Never trust. Always verify. Enforce least privilege.

That's no myth.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Torsten George is a cybersecurity evangelist at Centrify. He also serves as strategic advisory board member at vulnerability risk management software vendor NopSec. He has more than 20 years of global information security experience and is a frequent speaker on ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1817
PUBLISHED: 2019-11-20
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 contains an error in the api.php script which allows remote attackers to obtain sensitive information.
CVE-2013-2091
PUBLISHED: 2019-11-20
SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php.
CVE-2012-1257
PUBLISHED: 2019-11-20
Pidgin 2.10.0 uses DBUS for certain cleartext communication, which allows local users to obtain sensitive information via a dbus session monitor.
CVE-2013-1816
PUBLISHED: 2019-11-20
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 allows remote attackers to cause a denial of service (application crash) by sending a specially crafted request.
CVE-2011-4455
PUBLISHED: 2019-11-20
Multiple cross-site scripting vulnerabilities in Tiki 7.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-admin_system.php, (2) tiki-pagehistory.php, (3) tiki-removepage.php, or (4) tiki-rename_page.php.