In the corporate environment, “zero trust” has undoubtedly been one of the hottest terms for some time now. As with so many other buzzwords in IT, however, there are a number of myths about it. Time to clean that up.
A study by the Cloud Security Alliance published earlier this year concludes that 80 percent of business executives give zero trust a medium to high priority, and 77 percent want to accelerate their work on the topic in the next 12 months. So zero trust networks seem to have struck a chord. However, as is often the case in the industry, a number of misconceptions are associated with Zero Trust, and such misconceptions and myths quickly lead to expecting miracles from the approach. The same happened with AI and with blockchain. Myths and inflated expectations are usually the result of solution providers’ convincingly written marketing materials that are not precise enough in substance. So it seems time to do away with these misconceptions.
Myth 1: Zero Trust is a technology
Contrary to what marketing texts promise, Zero Trust is not a product or technology that companies can simply buy. There is no license to purchase after which the zero trust network is ready. Instead, it is a principle that drives architectures and security policies. In practice, this means that a company does not implicitly trust its own employees. When making data access decisions, zero trust means literally no trust: access is only granted based on continuous, adaptive, and contextual decisions.
When an organization adopts a “zero trust” strategy, Secure Access Service Edge (SASE) forms the associated framework, and Security Service Edge (SSE) ultimately describes a product category whose solutions can be purchased. Access is then granted based on insights into user behavior, identity, application risk, data and the device used. But that is just one component of such a strategy.
Myth 2: ZTNA is the goal and the solution
Zero trust is often prematurely associated solely with network access. In essence, however, there is more to it than that: in the age of hybrid working models and BYOD strategies, the zero trust idea should relate to the entire infrastructure. Zero Trust Network Access (ZTNA) is a good starting point for a Zero Trust strategy, but the strategy should be more comprehensive.
1. In the first phase, companies define the basis of zero trust. All access levels within the organization are classified, all applications are inventoried and databases are identified. The aim is nothing more than reaching a state in which anonymous access to any resource is not possible. Lateral movement in the network is restricted, applications are hidden from port scanners or fingerprinting, and SSO is enhanced with multi-factor authentication.
2. In the second phase, access control is supplemented adaptively. Signals from applications and users are evaluated and adaptive policies are issued, which then require additional authentication, for example. At this stage, organizations need to learn how to contextualize access policies so that access is allowed based on certain conditions. If the request comes from an internally managed device that only has read access to a local application, the risk must be assessed differently than for remote access by users who want to delete content.
3. Phase three is dedicated to protecting high-risk targets and utilizing explicit trust controls. One example is on-demand isolation, which is isolation that inserts itself automatically when the risk is high and limits the radius of action of vulnerable users and dangerous or risky websites.
4. The fourth phase eliminates “excess” trust by consistently pursuing a policy of least privilege. The movement of sensitive data within the network is tracked and data leakage is prevented as far as possible. This is also data protection in practice.
5. In the fifth phase, finally, the policies are continuously refined. Real-time analytics are essential for this. Access is tightened based on user trends, access anomalies, or application changes.
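The phases above describe a policy engine in words. As an added illustration (not code from the original article or from any vendor it mentions), the following Python sketch encodes the contextual rules from phases 1 to 4 in one decision function: anonymous requests are refused outright, contextual signals decide whether step-up authentication is required, high-risk sessions are confined to isolation, and destructive actions on sensitive data are held to least privilege. The signal names, thresholds and sample requests are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "require_additional_auth"   # phase 2: adaptive policy
    ISOLATE = "allow_in_isolation"        # phase 3: on-demand isolation
    DENY = "deny"


@dataclass(frozen=True)
class AccessContext:
    """Signals available to the policy engine for one request (constructed)."""
    user: str
    authenticated: bool          # verified identity; anonymous requests never pass
    mfa_passed: bool
    device_managed: bool         # corporate-managed device vs BYOD
    on_corporate_network: bool
    action: str                  # "read", "write" or "delete"
    resource_sensitivity: str    # "low", "medium" or "high"
    risk_score: int              # 0-100 from behaviour analytics (assumed feed)


HIGH_RISK = 70       # assumed threshold: session is isolated or refused
ELEVATED_RISK = 40   # assumed threshold: additional authentication required


def decide(ctx: AccessContext) -> Decision:
    # Phase 1: no anonymous access to any resource.
    if not ctx.authenticated:
        return Decision.DENY

    # Phase 4: least privilege. Deleting high-sensitivity data is only
    # permitted from a managed device with MFA; everything else is refused.
    if ctx.action == "delete" and ctx.resource_sensitivity == "high":
        if not (ctx.device_managed and ctx.mfa_passed):
            return Decision.DENY

    # Phase 3: explicit trust controls for high-risk sessions. Reads are
    # confined to an isolated session; changes are refused outright.
    if ctx.risk_score >= HIGH_RISK:
        return Decision.ISOLATE if ctx.action == "read" else Decision.DENY

    # Phase 2: context decides whether the session needs step-up auth.
    # A managed device reading a low-sensitivity local application passes;
    # remote, unmanaged, destructive or sensitive requests do not.
    needs_step_up = not ctx.mfa_passed and (
        ctx.action in ("write", "delete")
        or not ctx.device_managed
        or not ctx.on_corporate_network
        or ctx.resource_sensitivity == "high"
        or ctx.risk_score >= ELEVATED_RISK
    )
    if needs_step_up:
        return Decision.STEP_UP

    # An unmanaged device may read sensitive data, but only in isolation.
    if not ctx.device_managed and ctx.resource_sensitivity == "high":
        return Decision.ISOLATE
    return Decision.ALLOW


def decide_batch(requests: list[AccessContext]) -> dict[str, Decision]:
    """Evaluate several requests and map each user to the decision taken."""
    return {ctx.user: decide(ctx) for ctx in requests}


# Constructed sample requests that exercise each branch of the policy.
SAMPLE_REQUESTS = [
    AccessContext("anon", False, False, False, True, "read", "low", 0),
    AccessContext("alice", True, False, True, True, "read", "low", 10),
    AccessContext("bob", True, False, False, False, "delete", "medium", 20),
    AccessContext("carol", True, True, False, False, "delete", "high", 20),
    AccessContext("dave", True, True, True, True, "read", "high", 85),
    AccessContext("erin", True, True, True, True, "write", "medium", 85),
    AccessContext("frank", True, True, False, False, "read", "high", 10),
]

if __name__ == "__main__":
    for user, decision in decide_batch(SAMPLE_REQUESTS).items():
        print(f"{user:6} -> {decision.value}")
```

The ordering of the checks is the design point: the non-negotiable rules (no anonymous access, least privilege on destructive actions, containment of high-risk sessions) are evaluated before the adaptive rules, so a later, more permissive rule can never override them. Phase 5 would adjust the thresholds and signal weights over time from analytics rather than hard-coding them as done here.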
Myth 3: Zero trust is purely a security issue
One of the biggest misconceptions about Zero Trust is that it is understood as a purely security issue. The strategy may be initiated by security teams, and improving security in an organization is also likely to be the main driver behind the adoption of Zero Trust. However, the strategy goes far beyond security, because this path can also pave the way for more business agility. When properly designed and implemented, Zero Trust initiatives help CIOs consolidate vendors and solutions, improve visibility into service integration, and thereby increase operational efficiency.
Because, as mentioned in the strategy execution phases, all deployed applications, network access, data storage and devices are considered, Zero Trust initiatives extend across security, cloud and network teams. This can be used as a catalyst for more cross-functional collaboration.
Successfully implemented, the principles of Zero Trust create a security posture that offers companies many advantages:
- The geographical location of users and data are no longer limiting factors, making companies more flexible when choosing locations.
- It becomes easier for business teams to onboard new partners and explore new business models without increasing the company’s risk profile.
- It becomes easier to test new digital solutions to achieve productivity gains without having to spend months adapting security policies and security systems.
So zero trust is much more than just a fashionable buzzword, and it has a positive effect beyond the pure security aspect. It is not, however, a product that companies can simply buy, and each company must find and follow its own path to that goal.
As of 10/30/2020