
To Get Started With Zero Trust, Do Not Start With a Vendor

How has the Zero Trust Network Architecture evolved since it was first coined in 2010?

When the term Zero Trust Network Architecture was coined in 2010, the tools, concepts, and implementations seemed excessive for the threats at the time. In the past decade, threat actors have evolved their attack vectors from vulnerabilities to identities, and the need to protect assets, resources, and data has increased due to the continued development of technology. In addition, as a work-from-anywhere world has truly become a reality since the pandemic, traditional security models that rely on a perimeter defense have become grossly inadequate for the challenges ahead.


Do you believe that technologies that support zero trust are moving into the mainstream?

In this security professional’s opinion, I do believe technologies that support zero trust are moving into the mainstream. However, products themselves are not zero trust. They may be deployed using models that support zero trust network architectures, but they must be implemented and operated with the principles of zero trust in order to achieve the desired goals.

Cyber security vendors that offer zero trust solutions are using clever marketing terminology to achieve this goal, but in reality, no product enables zero trust on its own. This is a nuance that security professionals and executives in organizations must be fully aware of. If an analogy is needed to describe this marketing exercise, would you purchase a car that is advertised as “fully self-driving”?

Do you believe that enterprise IT departments today require a new way of thinking because the castle itself no longer exists in isolation as it once did?

I do believe organizations should consider a new way of thinking if castle-and-moat security architectures of the past are a potential risk. I should highlight “consider” because zero trust does not apply to every organization. Why? Organizations, governments, militaries, etc. that rely on air-gapped networks that are geographically inaccessible outside of a very specific location can benefit from zero trust, but it is not a necessity.

Legacy perimeter-based defenses are still applicable against cyber attacks, but if the assets within communicate with the internet, users respond to email, or remote access is allowed, then the need to reconsider is paramount.

Only true air-gapped networks do not necessarily need to adopt zero trust, but in today’s modern world, these environments are becoming far fewer than in the past. Therefore, everyone should consider zero trust, but not everyone may really need it.

How can companies get started with zero trust?

For organizations that want to get started with zero trust, do not start with a vendor. The best place to start is with theory from NIST and leading analysts in the industry. Once the concepts are understood, and how they can apply to your organization, then consider speaking with vendors.

Zero trust is one cyber security concept where vendors are misleading organizations to sell product, but they all may not be the proper fit, and in some cases, you may already have the tooling to perform zero trust. Modernizing workflows and processes may be all that is needed to close the gap versus licensing a solution.

Industry experts have warned that cyber-attacks will be focused on techniques that zero trust controls can’t mitigate. What according to you can be done to address this?

While some industry experts have warned about attack vectors that zero trust can’t mitigate, I would recommend to everyone that zero trust is viewed as just a security model to be applied to existing security controls.

Organizations must continue investing in cyber security basics like vulnerability, patch, configuration, log, anti-malware, and privileged management in order to protect assets, resources, and data, just as before. Zero trust does not replace existing security controls — it is a layer above that makes these solutions better and when done correctly, will greatly reduce many false positives in them.

What according to you are the limitations of zero trust?

I talk about this in Chapter 22 of my book “Privileged Attack Vectors” from Apress Media. Quoting from the book, “Zero Trust has been developed in response to industry trends that include remote users and cloud-based assets that are not located within a traditional enterprise perimeter. It focuses on protecting resources, not logical network segments, as network segmentation is no longer seen as the prime component to the security posture of the resource. This in itself begins the discussion of why Zero Trust may not be for everyone and may not be compatible with existing systems leveraging PAM. Many times a hybrid approach is needed that borrows some characteristics from zero trust but does not constitute a true zero trust architecture.”

Therefore, a few of the most common obstacles, considering Forrester’s and NIST’s models, include technical debt, legacy systems, peer-to-peer technologies, and digital transformation.
