Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

3/7/2019
02:30 PM
Torsten George
Torsten George
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Debunking 5 Myths About Zero Trust Security

Rather than "trust but verify," a zero trust model assumes that attackers will inevitably get in - if they aren't already. However, several misconceptions are impeding its adoption.

For years, the popular security maxim was "trust but verify." However, this mindset is no longer sufficient in today's borderless, global, mobile, cloud-based threatscape.

According to Gartner, organizations are expected to spend $137 billion in IT security and risk management in 2019, yet 66% of all companies experienced security breaches last year. You'd think with that much money invested in security, we'd be several steps ahead of the bad guys. But hardly a week goes by without news of the latest high-profile cyberattack.

Zero trust security is an antidote for outdated security strategies because it demands that organizations never trust and always verify. Every business must recognize that attackers exist inside and outside the network — and that perimeter-based security no longer provides protection against identity-based and credential-based intrusion, which are today's leading attack vectors. The solution now is to remove trust entirely from the equation by granting just enough privilege at just the right time.

However, several misconceptions are impeding zero trust adoption. Let's take a look at the top five and set the record straight.

Myth 1: The Path to Zero Trust Security Starts with Data Integrity
Rest assured, encrypting sensitive data and assuring its integrity remains a best practice. No one denies that. But how does that limit attackers from exfiltrating data if they've already secured privileged access, including to decryption keys?

Forrester estimates that 80% of data breaches are caused by misuse of privileged credentials. Privileged credentials provide greater scope for stealing data than individual accounts do, so it only takes one compromised credential to impact millions of people and cause a massive amount of damage. It's not surprising that Gartner recommends putting privileged access management (PAM) at the top of any list of security projects.

Until organizations start implementing identity-centric security measures, account compromise attacks will continue to provide a perfect camouflage for data breaches. Thus, the path to zero trust should always start with identity.

Myth 2: Zero Trust Is Only for Large Organizations
Google was one of the first companies to adopt the zero trust model. As a result, many people still think it is only for the largest organizations. But the reality is, no one is safe from a cyberattack. In fact, 61% of all data breaches affected small businesses, according to the "2018 Verizon Data Breach Investigations Report."

The good news is that zero trust security won't break the bank. Your company's size or budget should not be a deterrent because even the smallest business can get started with zero trust by taking a cost-effective, step-by-step approach. For example, many organizations can significantly harden their security posture with low-hanging fruit like a password vault or multifactor authentication. Spending a couple hundred dollars per system each year could be well worth it to avoid potential millions in fines, penalties, or brand damage.

Myth 3: I Need to Rip and Replace My Entire Network Security Environment
It's true that when Google first established its zero trust security architecture, it decided to rebuild its entire security network from the ground up. But this is not the case for most organizations.

Zero trust can simply involve an augmentation of security controls that already exist within your environment. For instance, you can start by deploying an "MFA everywhere" solution, which is not overly complex and can deliver tremendous value. This first step can go a long way toward establishing identity insurance and dramatically reducing your attack surface, putting your organization firmly on a path to zero trust.

Myth 4: Zero Trust Is Limited to On-Site Deployment
Many organizations think zero trust can only work on-premises and can't be applied to the public cloud. This becomes a concern when sensitive data resides outside the traditional network perimeter.

The fact of the matter is, zero trust can easily be extended to cloud environments, and it is increasingly important to do so as organizations across a broad range of industries move to hybrid, multicloud environments. Further, zero trust not only covers infrastructure, databases, and network devices, but it is extended to other attack surfaces that are increasingly becoming strategic requirements of modern organizations, including big data, DevOps, containers and more.

Myth 5: Zero Trust's Only Benefit Is It Will Minimize My Exposure to Risk
Risk mitigation is clearly a major benefit of zero trust, but it's definitely not the only one.

Forrester recently concluded that zero trust can reduce an organization's risk exposure by 37% or more. But it also found that organizations deploying zero trust can reduce security costs by 31% and realize millions of dollars in savings in their overall IT security budgets.

Zero trust can also lead to greater business confidence. The Forrester study found that organizations deploying zero trust are 66% more confident in adopting mobile work models and 44% more confident in securing DevOps environments. As a result, they are able to accelerate new business models and introduce new customer experiences with a greater sense of assurance and success.

The bottom line is that today's security is not secure. Rather than "trust but verify," a zero trust model assumes that attackers will inevitably get in — if they aren't already. With zero trust, you can minimize the attack surface, improve auditing and compliance visibility, and reduce complexity and cost.

Zero trust is truly the definitive approach to security for the modern hybrid enterprise. Remember: Never trust. Always verify. Enforce least privilege.

That's no myth.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Torsten George is a cybersecurity evangelist at Centrify. He also serves as strategic advisory board member at vulnerability risk management software vendor NopSec. He has more than 20 years of global information security experience and is a frequent speaker on ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/5/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13871
PUBLISHED: 2020-06-06
SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.
CVE-2020-13864
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links.
CVE-2020-13865
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes.
CVE-2020-11696
PUBLISHED: 2020-06-05
In Combodo iTop a menu shortcut name can be exploited with a stored XSS payload. This is fixed in all iTop packages (community, essential, professional) in version 2.7.0 and iTop essential and iTop professional in version 2.6.4.
CVE-2020-11697
PUBLISHED: 2020-06-05
In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. This is fixed in all iTop packages (community, essential, professional) for version 2.7.0 and in iTop essential and iTop professional packages for version 2.6.4.