Cloud

3/7/2019
02:30 PM
Torsten George
Torsten George
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
50%
50%

Debunking 5 Myths About Zero Trust Security

Rather than "trust but verify," a zero trust model assumes that attackers will inevitably get in - if they aren't already. However, several misconceptions are impeding its adoption.

For years, the popular security maxim was "trust but verify." However, this mindset is no longer sufficient in today's borderless, global, mobile, cloud-based threatscape.

According to Gartner, organizations are expected to spend $137 billion in IT security and risk management in 2019, yet 66% of all companies experienced security breaches last year. You'd think with that much money invested in security, we'd be several steps ahead of the bad guys. But hardly a week goes by without news of the latest high-profile cyberattack.

Zero trust security is an antidote for outdated security strategies because it demands that organizations never trust and always verify. Every business must recognize that attackers exist inside and outside the network — and that perimeter-based security no longer provides protection against identity-based and credential-based intrusion, which are today's leading attack vectors. The solution now is to remove trust entirely from the equation by granting just enough privilege at just the right time.

However, several misconceptions are impeding zero trust adoption. Let's take a look at the top five and set the record straight.

Myth 1: The Path to Zero Trust Security Starts with Data Integrity
Rest assured, encrypting sensitive data and assuring its integrity remains a best practice. No one denies that. But how does that limit attackers from exfiltrating data if they've already secured privileged access, including to decryption keys?

Forrester estimates that 80% of data breaches are caused by misuse of privileged credentials. Privileged credentials provide greater scope for stealing data than individual accounts do, so it only takes one compromised credential to impact millions of people and cause a massive amount of damage. It's not surprising that Gartner recommends putting privileged access management (PAM) at the top of any list of security projects.

Until organizations start implementing identity-centric security measures, account compromise attacks will continue to provide a perfect camouflage for data breaches. Thus, the path to zero trust should always start with identity.

Myth 2: Zero Trust Is Only for Large Organizations
Google was one of the first companies to adopt the zero trust model. As a result, many people still think it is only for the largest organizations. But the reality is, no one is safe from a cyberattack. In fact, 61% of all data breaches affected small businesses, according to the "2018 Verizon Data Breach Investigations Report."

The good news is that zero trust security won't break the bank. Your company's size or budget should not be a deterrent because even the smallest business can get started with zero trust by taking a cost-effective, step-by-step approach. For example, many organizations can significantly harden their security posture with low-hanging fruit like a password vault or multifactor authentication. Spending a couple hundred dollars per system each year could be well worth it to avoid potential millions in fines, penalties, or brand damage.

Myth 3: I Need to Rip and Replace My Entire Network Security Environment
It's true that when Google first established its zero trust security architecture, it decided to rebuild its entire security network from the ground up. But this is not the case for most organizations.

Zero trust can simply involve an augmentation of security controls that already exist within your environment. For instance, you can start by deploying an "MFA everywhere" solution, which is not overly complex and can deliver tremendous value. This first step can go a long way toward establishing identity insurance and dramatically reducing your attack surface, putting your organization firmly on a path to zero trust.

Myth 4: Zero Trust Is Limited to On-Site Deployment
Many organizations think zero trust can only work on-premises and can't be applied to the public cloud. This becomes a concern when sensitive data resides outside the traditional network perimeter.

The fact of the matter is, zero trust can easily be extended to cloud environments, and it is increasingly important to do so as organizations across a broad range of industries move to hybrid, multicloud environments. Further, zero trust not only covers infrastructure, databases, and network devices, but it is extended to other attack surfaces that are increasingly becoming strategic requirements of modern organizations, including big data, DevOps, containers and more.

Myth 5: Zero Trust's Only Benefit Is It Will Minimize My Exposure to Risk
Risk mitigation is clearly a major benefit of zero trust, but it's definitely not the only one.

Forrester recently concluded that zero trust can reduce an organization's risk exposure by 37% or more. But it also found that organizations deploying zero trust can reduce security costs by 31% and realize millions of dollars in savings in their overall IT security budgets.

Zero trust can also lead to greater business confidence. The Forrester study found that organizations deploying zero trust are 66% more confident in adopting mobile work models and 44% more confident in securing DevOps environments. As a result, they are able to accelerate new business models and introduce new customer experiences with a greater sense of assurance and success.

The bottom line is that today's security is not secure. Rather than "trust but verify," a zero trust model assumes that attackers will inevitably get in — if they aren't already. With zero trust, you can minimize the attack surface, improve auditing and compliance visibility, and reduce complexity and cost.

Zero trust is truly the definitive approach to security for the modern hybrid enterprise. Remember: Never trust. Always verify. Enforce least privilege.

That's no myth.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Torsten George is a cybersecurity evangelist at Centrify. He also serves as strategic advisory board member at vulnerability risk management software vendor NopSec. He has more than 20 years of global information security experience and is a frequent speaker on ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Well, at least it isn't Mobby Dick!
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9945
PUBLISHED: 2019-03-23
SoftNAS Cloud 4.2.0 and 4.2.1 allows remote command execution. The NGINX default configuration file has a check to verify the status of a user cookie. If not set, a user is redirected to the login page. An arbitrary value can be provided for this cookie to access the web interface without valid user...
CVE-2019-9942
PUBLISHED: 2019-03-23
A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place.
CVE-2018-20165
PUBLISHED: 2019-03-22
Cross-site scripting (XSS) vulnerability in OpenText Portal 7.4.4 allows remote attackers to inject arbitrary web script or HTML via the vgnextoid parameter to a menuitem URI.
CVE-2019-1716
PUBLISHED: 2019-03-22
A vulnerability in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 7800 Series and Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. The vulnerability ...
CVE-2019-1763
PUBLISHED: 2019-03-22
A vulnerability in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to bypass authorization, access critical services, and cause a denial of service (DoS) condition. The vulnerability exist...