3 Zero Trust Myths Debunked

June 28, 2023

Zero Trust has become an increasingly popular philosophy over the past few years; however, many misconceptions and misunderstandings have developed as the concept evolved. These misconceptions often become barriers in conversations with corporate leadership and decision makers when seeking the support needed to establish Zero Trust as the security model for an enterprise.

Achieving top-down support is critical to the success of any security program, especially one that is relatively new and that few truly understand.

Taken from our report, Zero Trust: Debunking the Myths, which corrects 7 of the top misconceptions surrounding Zero Trust, below are 3 of those myths, debunked to provide an accurate view.


Myth #1: Zero Trust Is Only for Large Enterprises

Zero Trust was developed to address inconsistent and complex technology environments, regardless of size, industry, or business nature. The fundamental principles of Zero Trust, such as access controls and continuous user/endpoint validation, are relevant to an organization of any size.

In fact, the ROI may be more apparent for small to medium-sized businesses because Zero Trust helps reduce the complexity of security controls through optimization and the reduction of overlap.

Therefore, adopting Zero Trust principles can benefit companies with limited resources and budget constraints, especially organizations that maintain a significant cloud portfolio and seek to reduce the risks associated with unauthorized access, compromised credentials, and similar threats.

Myth #2: Zero Trust Is a Technology Solution

Zero Trust is often mistakenly associated with a technology solution or product. Security solution providers largely created this sentiment: almost all of them maintain, to some extent, what they call a “Zero Trust” product or products within their portfolio. Caution is warranted, because the race to Zero Trust has not only created misconceptions through aggressive marketing among solution providers, but has also produced products that are not truly built around the core principles.

For example, some vendors build their Zero Trust portfolio through acquisitions of other companies or technologies, while others attempt to rebrand existing products as Zero Trust. Organizations seeking to establish a Zero Trust program should clearly define the meaning and the application of the controls that protect their business well before considering any Zero Trust products. As stated earlier, many organizations likely already have point solutions that contribute to Zero Trust practices.

These existing solutions should be taken into account when assessing solution providers, to ensure optimization and avoid overlap that adds complexity. Technology solutions should be viewed as Zero Trust enablers, rather than as products or services that can be purchased to establish a program in the absence of a defined one.

In summary, design the solution around a Zero Trust program and not the reverse (a program around a solution). Aside from technology, Zero Trust also encompasses the security policies and processes that promote an organizational culture of security. Zero Trust includes, but is not limited to, Identity and Access Management (IAM), multi-factor authentication (MFA), network segmentation (macro/micro), encryption, behavioral analytics, backup/recovery, Network Access Control (NAC), and Privileged Access Management (PAM).

Myth #3: Zero Trust Guarantees Absolute Security

As most security practitioners agree, no cybersecurity philosophy, approach, or concept guarantees absolute security, and Zero Trust is no exception. The guiding principle of Zero Trust is to reduce both the risk of an incident occurring and the organization's exposure to threats. Recall that the fundamental guiding principle of Zero Trust is to continuously verify all users, devices, and network traffic, regardless of their location or context.

It promotes the concept of "never trust, always verify" in place of the historical approach of “always trust, but verify”, and it seeks to remove inherent trust within technology environments. By implementing Zero Trust, the attack surface, opportunities for lateral movement, and systemic threats such as ransomware and insider threats are significantly reduced. It also helps decrease attacker dwell time, that is, the length of time a threat actor persists within an organization undetected.

However, it is important to understand that Zero Trust is not a guaranteed security solution and should be part of a comprehensive, holistic security program. It does not remove the need for a defense-in-depth approach, in which no single system is responsible for the security of the organization by itself.

The effectiveness of Zero Trust depends largely on how well it aligns with an organization’s risk profile and with security control best practices. Metrics should be defined to monitor and report the performance of the Zero Trust program. These practices and controls must be continuously evolved and refined at a reasonable cadence to ensure an appropriate response to emerging threats. Routine audits and a credible compliance program (not a check-the-box approach) can assist here, as they add stability to a Zero Trust program so that control evolution remains consistent and repeatable.

4 More Myths!

These three myths are three of the seven discussed in our report, Zero Trust: Debunking the Myths. The purpose of the report is to provide a comprehensive overview of the misconceptions that exist around Zero Trust, and to offer insight and guidance to help organizations better understand and implement this security framework. You will take away a clearer understanding of what Zero Trust is, what it is not, whether an ideal Zero Trust model is achievable, and how it can be positioned to enhance your organization's security posture.