Why zero trust doesn’t mean zero threats

Traditional approaches to cybersecurity aren’t working anymore, and here’s why.

We live in a world of smart homes and remote work, a world of sprawling digital supply chains and complex partner ecosystems. Traditional security controls were created in a different time for a different world. They are archaic, trust-based systems reliant on a security perimeter that no longer exists. 

Zero trust has emerged as a touchstone of this new world, a worthy replacement for the old ways of network security. Unfortunately, as is often the case with buzzworthy concepts and ideas, there’s no shortage of myths and misconceptions. 

One of the most prevalent is the idea that zero trust is some sort of magic bullet, the answer to all your cybersecurity challenges.

To better understand why that’s not the case, it’s important to first understand the origins of zero trust — along with its shortcomings.


Leaving the Perimeter in the Past

Traditional cybersecurity is predicated on the existence of a clearly defined network perimeter. Under this security model, an organization has total control over everything within its digital walls. Those on the inside can access business assets and resources, while those on the outside cannot.

Even in its earliest days, this approach was imperfect and ill-suited to deal with telecommuting. Supporting remote staff typically required the deployment of complex virtual desktops and virtual private networks, both of which came with their own security risks and integration challenges. At the time, however, remote work was enough of a rarity that this was a non-issue. 

Then the world changed. 

It started with cloud computing and mobile devices. Where there was once a clear division between internal and external, these two interrelated technologies blurred those lines. Attack surfaces, once static and clearly defined, had started to become mercurial and nebulous.  

Amidst this evolution, legacy methods of remote network access started to show their age from both a security and a usability standpoint. Many of these tools treated remote users as though they were part of the corporate network, opening the door to all manner of threats. To make matters worse, legacy network access solutions suffered from frequent usability shortfalls.

Outdated software was not the only issue, either. Trusting every entity on one’s network — regardless of how or from where those entities gained access — was a clear recipe for disaster. All it would take for a breach was a single error in judgment on the part of a supplier, vendor, partner, or employee.

All a threat actor needed to do was get onto a business’s network, and they had the figurative keys to the kingdom. 

The pandemic was the final nail in the coffin. As businesses around the world transitioned to distributed work, they could no longer ignore the shortcomings of legacy security. They needed a new approach. 

Zero trust, a concept first introduced by the analyst firm Forrester in 2010, proved a perfect fit.


Never Trust, Always Verify

The core ideas behind zero trust are relatively simple: 

  • An entity on a network, whether a user, a device, or an application, must submit to authentication before it is granted access. 
  • The business must also continuously validate that an entity is who (or what) it claims to be. 
  • Entities may only be granted access to the resources they absolutely need and nothing more, an approach known as least privilege. 
  • Access controls should, at a minimum, include multi-factor authentication. 
  • Access must be as streamlined as possible without compromising on security. 

It’s easy to see why so many have held up zero trust as some sort of golden ticket. On the surface, it appears to be an easy and relatively painless means of protecting an organization against an ever-changing threat landscape. But it’s not perfect.

Nor is it impenetrable.


Threats Still Find A Way

Threat actors aren’t blind. They recognize zero trust as an obstacle, and they also know how to circumvent it. After all, if a door is locked, you don’t try to kick it down — you look for a window, instead. 

According to the analyst firm Gartner, more than half of all cyberattacks over the next three years will target areas that zero trust can neither cover nor mitigate. These may include, but are certainly not limited to: 

  • Social engineering, such as phishing or business email compromise attacks. 
  • Exploiting vulnerable APIs.
  • Exploiting insecure employee workarounds. 
  • MFA fatigue attacks, where an attacker spams a user with so many access requests that they eventually approve one. 
  • Credential/token theft via man-in-the-middle attacks. 
  • One-time password interception bots.

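The MFA fatigue pattern above is one that a detection rule can catch before the approval lands. The following Python is an added example, not code from the original post: it runs over a few constructed push-MFA log lines and flags both a burst of prompts to one user and an approval that follows such a burst. The log format, the event names, and the five-prompts-in-five-minutes threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # look-back window for counting prompts (assumed)
THRESHOLD = 5                   # prompts within WINDOW that count as a burst (assumed)

# Constructed sample log lines (illustrative format, not from a real IdP):
# "<ISO-8601 time> <user> <event> <source ip>"
SAMPLE_LOG = """\
2024-05-01T08:00:05Z alice push_sent 203.0.113.7
2024-05-01T08:00:20Z alice push_denied 203.0.113.7
2024-05-01T08:01:10Z bob push_sent 198.51.100.2
2024-05-01T08:01:25Z bob push_approved 198.51.100.2
2024-05-01T08:01:30Z alice push_sent 203.0.113.7
2024-05-01T08:02:00Z alice push_sent 203.0.113.7
2024-05-01T08:02:30Z alice push_sent 203.0.113.7
2024-05-01T08:03:00Z alice push_sent 203.0.113.7
2024-05-01T08:03:40Z alice push_approved 203.0.113.7
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event, source_ip)."""
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def detect_mfa_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return findings as (time, user, kind): one 'mfa_prompt_burst' when a
    user receives >= threshold prompts inside the window, and an
    'approval_after_burst' for any approval that lands within a window of
    the most recent burst (the point at which the user has likely given in)."""
    sent = defaultdict(deque)   # user -> timestamps of push_sent still in window
    last_burst = {}             # user -> most recent time the threshold was met
    findings = []
    for raw in log_text.splitlines():
        ts, user, event, _ip = parse_line(raw)
        if event == "push_sent":
            q = sent[user]
            q.append(ts)
            while ts - q[0] > window:      # expire prompts older than the window
                q.popleft()
            if len(q) >= threshold:
                prev = last_burst.get(user)
                if prev is None or ts - prev > window:   # report each new burst once
                    findings.append((ts, user, "mfa_prompt_burst"))
                last_burst[user] = ts
        elif event == "push_approved":
            prev = last_burst.get(user)
            if prev is not None and ts - prev <= window:
                findings.append((ts, user, "approval_after_burst"))
    return findings
```

In a real deployment the second finding is the one to page on, and the response is to revoke the session that the approval minted and contact the user out of band.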
Make no mistake, zero trust is still essential. But it’s not a panacea. It has weaknesses and blind spots.

That’s why, rather than viewing it as the be-all and end-all of cybersecurity, you should employ it the way it was intended — as one component of a mature security strategy.


Covering the Blind Spots of Zero Trust

So how can your organization address the weaknesses in a zero trust framework? What can you do to cover your bases so you’re as secure and resilient as possible? 

  • Attack Surface Management: Knowledge is your most powerful weapon against cybercriminals. That starts with knowing your ecosystem, ensuring you have full visibility into every user, device, and entity within your digital supply chain. 
  • Threat Intelligence: Again, knowledge is power. Through internal, external, and third-party data, you can gain a more complete picture of who your adversaries are, what they want, and how to stop them. We’d also advise implementing a threat hunting program alongside threat intelligence. 
  • Endpoint Security: An endpoint detection and response or extended detection and response platform is fast becoming non-negotiable, empowering you with the capacity to stop threats at the endpoint. 
  • Antimalware: A non-signature-based antivirus solution is also critical, particularly with the increasing prominence of sophisticated ransomware. 
  • Behavioral Analytics: Everyone has certain habits and tendencies with how they use technology. A behavioral analytics solution will allow you to identify any deviation from that, potentially allowing you to proactively mitigate an attack. 
  • Security Awareness Training: Social engineering relies in equal parts on ignorance and carelessness. Education offers a means of addressing both.


Not a Magic Bullet, But Still an Important Tool

Zero trust isn’t a perfect solution, but it’s still an essential component of any effective cybersecurity strategy. 

Zero trust combined with least privilege greatly reduces risk. At the end of the day, risk reduction means little if your organization is rife with other vulnerabilities. 

Are you looking to explore zero trust for your organization? Book a discovery call with the IAM team today and see where you stand.
