Moving toward the Zero Trust model of security is the latest trend in cyber security.
Year after year, thousands of businesses are hacked and billions of data records are stolen by cyber thieves. In extreme cases this can lead to business closures, as well as to a loss of confidence in the security of governments, banks and corporations, up to and including countries’ national elections.
Post-mortem investigations often show that these breaches aren’t sophisticated. Instead, they exploit stolen, weak or compromised credentials. Our trust in identities is being used against us. To address these issues, the Zero Trust model has recently been gaining industry momentum. According to IDG’s 2019 Security Priorities Survey, 38% of security and IT decision-makers anticipate their spending on security awareness and evaluations to increase over the next year. 71% of security-focused IT decision-makers are familiar with the Zero Trust model. 47% of organizations are actively researching Zero Trust technologies.
The Zero Trust model, which was introduced in 2010 by Forrester Research working together with the National Institute of Standards and Technology (NIST), isn’t a new concept. Forrester analyst John Kindervag found through research that inherent trust assumptions in security measures can leave businesses vulnerable to internal and external cyber-attacks. Zero Trust is a security concept based on the belief that businesses shouldn’t inherently trust anyone outside their perimeters or inside their systems. Under this thinking, security managers should verify every request to connect to their systems before granting access.
Originally, the concept of Zero Trust was a data-centric network design that used micro-segmentation to enforce more granular rules to limit lateral movement by cyber attackers. Since its beginning, the Zero Trust concept and its benefits have significantly evolved. Currently, Zero Trust is being implemented by companies to drive strategic security initiatives as well as to enable business decision-makers including IT managers to apply pragmatic detection, prevention and response measures.
The Zero Trust model’s biggest evolution has been reported by Dr. Chase Cunningham, a Forrester Research analyst, in the Zero Trust eXtended (ZTX) Ecosystem report, which extends the original model beyond just a network focus to include the ever-growing attack surface and the following associated processes and elements:
Once you apply security controls to all the above-mentioned elements, you are on a pathway to Zero Trust. However, the driving principle must be the recognition that the easiest way for any cyber attacker to reach sensitive data is by compromising one or more users’ identities. The problem grows if the stolen identity belongs to a privileged user with broad access to your network. Believe it or not, 80% of security breaches occur through privileged credentials.
Limiting a business’s cyber risk exposure to the top cause of current data breaches, privileged access abuse, can be done beginning with these actions:
By moving from traditional perimeter-based security strategies to a Zero Trust approach, you will gain more robust detection, prevention and incident response capabilities to continuously protect expanding attack surfaces, which include big data lakes, cloud, DevOps, microservices and containers. Using this pathway allows businesses to defend themselves against advanced cybersecurity threats while limiting the impact of any breaches. It also supports new operational and business models, and enables necessary compliance (HIPAA, PCI).