Dispel three zero trust myths

In the corporate environment, “zero trust” has undoubtedly been one of the hottest terms for some time now. As with so many other buzzwords in IT, however, there are a number of myths about it. Time to clean that up.

A study by the Cloud Security Alliance published earlier this year concludes that 80 percent of business executives give zero trust a medium to high priority. 77 percent want to work faster on this topic in the next 12 months. So zero trust networks seem to have struck a chord. However, as is often the case in the industry, there are a number of misconceptions associated with Zero Trust. Such misconceptions and myths quickly lead to expecting miracles from the approach. This was also the case with AI or the blockchain. Myths and inflated expectations are usually the result of solution providers’ convincingly written marketing materials that are not precise enough on the merits. So it seems time to do away with these misconceptions.

Myth 1: Zero Trust is a technology

Contrary to what marketing texts promise, Zero Trust is not a product or technology that companies can simply buy. There is no license that, once purchased, makes the zero trust network ready. Instead, it is a principle that drives architectures and security policies. In fact, this means that a company distrusts its own employees. When making data access decisions, zero trust means literally no trust. Access is only granted based on continuous, adaptive, and contextual decisions.

When an organization adopts a “zero trust” strategy, Secure Access Service Edge (SASE) forms the associated framework, and Security Service Edge (SSE) ultimately describes a product category whose solutions can be purchased. Access is then granted based on insights into user behavior, identity, application risk, data and the device used. But that is just one component of such a strategy.


Myth 2: ZTNA is the goal and the solution

Zero trust is often prematurely associated solely with network access. In essence, however, there is more to it than that. Because in the age of hybrid working models and BYOD strategies, the zero trust idea should relate to the entire infrastructure. Zero Trust Network Access (ZTNA) is a good starting point for a Zero Trust strategy, but it should be more comprehensive.

  1. In the first phase, companies define the basis of zero trust. All access levels within the organization are classified, all applications are inventoried and databases are identified. The goal is nothing more than reaching a state in which anonymous access to any resource is not possible. Lateral movement in the network is restricted, applications are hidden from port scanners and fingerprinting, and SSO is enhanced with multi-factor authentication.
  2. In the second phase, access control can be supplemented adaptively. Signals from applications and users are evaluated and adaptive policies are issued, which then require additional authentication, for example. At this stage, organizations need to learn how to contextualize access policies so that access is allowed based on certain conditions, and then implement them. If it is an internally managed device that only has read access to a local application, the risk must be assessed differently than with remote access by users who want to delete content.
  3. Phase three is dedicated to protecting high-risk targets and utilizing explicit trust controls. For example, on-demand isolation, which is isolation that automatically inserts itself when the risk is high, limits the radius of action of vulnerable users and dangerous or risky websites.
  4. The fourth phase eliminates “excess” trust by consistently pursuing a policy of least privilege. The movement of sensitive data within the network is tracked and data leakage is prevented as far as possible. This is also data protection put into practice.
  5. In the fifth and final phase, the policies are continuously refined. Real-time analytics are essential for this. Access is tightened based on user trends, access anomalies, or application changes.
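
The phases above can be read as one access decision evaluated on every request. The following sketch is an added example, not code from any product or from the study cited in this article; the signal names, risk weights, thresholds and sample entitlements are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Decision(Enum):
    DENY = "deny"
    ISOLATE = "isolate"    # phase 3: serve the session through on-demand isolation
    STEP_UP = "step_up"    # phase 2: require additional authentication
    ALLOW = "allow"

@dataclass(frozen=True)
class Request:
    user: Optional[str]    # None models an anonymous request
    mfa_done: bool
    managed_device: bool
    remote: bool
    action: str            # "read", "write" or "delete"
    resource: str
    anomaly: bool = False  # phase 5 signal, e.g. raised by real-time analytics

# Constructed sample entitlements (phase 4: least privilege per user and resource).
ENTITLEMENTS = {("alice", "wiki"): {"read", "write", "delete"},
                ("bob", "wiki"): {"read"}}
ACTION_RISK = {"read": 0, "write": 2, "delete": 4}  # assumed weights

def risk_score(req: Request) -> int:
    """Sum the contextual signals; a higher score means less implicit trust."""
    score = ACTION_RISK[req.action]
    score += 0 if req.managed_device else 2
    score += 2 if req.remote else 0
    score += 3 if req.anomaly else 0
    return score

def decide(req: Request, step_up_at: int = 3, isolate_at: int = 8) -> Decision:
    # Phase 1: anonymous access to any resource is not possible.
    if req.user is None:
        return Decision.DENY
    # Phase 4: anything outside the explicit entitlement is denied.
    if req.action not in ENTITLEMENTS.get((req.user, req.resource), set()):
        return Decision.DENY
    score = risk_score(req)
    # Phase 3: high risk is contained instead of trusted.
    if score >= isolate_at:
        return Decision.ISOLATE
    # Phase 2: medium risk requires additional authentication.
    if score >= step_up_at and not req.mfa_done:
        return Decision.STEP_UP
    return Decision.ALLOW
```

The thresholds are parameters so that they can be tightened over time, which is what the continuous refinement in phase five amounts to in this sketch.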

Myth 3: Zero trust is purely a security issue

One of the biggest misconceptions about Zero Trust is that it is understood as purely a security issue. The strategy may be initiated by security teams, and improving security in an organization is also likely to be the main driver behind the adoption of Zero Trust. However, the strategy goes far beyond the aspect of security, because this path can also pave the way for more business agility. When properly designed and implemented, Zero Trust initiatives help CIOs consolidate vendors and solutions, improve visibility into service integration, and thereby increase operational efficiencies.

Because, as mentioned in the strategy execution phases, all deployed applications, network access, data storage and devices are considered, Zero Trust initiatives extend across security, cloud and network teams. This can be used as a catalyst for more cross-functional collaboration.

Successfully implemented, the principles of Zero Trust create a security posture that offers companies many advantages:

  • The geographical location of users and data are no longer limiting factors, making companies more flexible when choosing locations.
  • It becomes easier for business teams to onboard new partners and explore new business models without increasing the company’s risk profile.
  • It is becoming easier to test new digital solutions to achieve productivity gains without having to spend months adapting new security policies and security systems.

So zero trust is much more than just a fashionable buzzword, and it has a positive effect beyond the pure security aspect. Unfortunately, it is not a product that companies can simply buy. Each company must also find and follow its own individual path to the goal.