Category: Behaviour Change, CISO life

The zero trust model: does it belong in cybersecurity? 


The global zero trust market is projected to reach a whopping $52 billion by 2026 (CNBC). This market has seen a steep increase in adoption due to the shift to multi-location remote working, but is it more of a hindrance than a benefit? Does the zero trust model belong in cybersecurity frameworks, or is it a misguided solution for a problem that does not exist? 

Research firm Markets and Markets projects that the global zero trust market will grow from $19.6 billion in 2020 to $51.6 billion by 2026! 

Over the last few years, due to an increased frequency in target-based attacks and cloud hacks, companies are looking to regulate their employees’ behaviours rather than develop them into something new. As a result, increased internal regulations have been implemented for information security purposes.  

Unfortunately, many advocates of the zero trust model fail to accept one thing: most breaches are not happening because individuals are maliciously accessing data and accounts to compromise them. In fact, most breaches occur because users are not aware of the right way to handle data and are making human errors.  

Why adopt a model that snips the wings off every employee because an organisation has not done its due diligence in educating employees on how to operate both internally and externally?  

In today’s piece, we look at what a zero trust model is, how it works, the benefits of implementation in your security network and whether it is a viable option in cybersecurity.  


What is the zero trust model? 

The term ‘Zero Trust’ comes from Forrester Research analyst John Kindervag, who said: “Never trust, always verify.” His view is that risk is an inherent factor both inside and outside a network.  

The definition, as detailed by the National Institute of Standards and Technology (NIST), is: “Zero trust is the term for an evolving set of cyber security paradigms that move defences from static, network-based perimeters to focus on users, assets, and resources. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location.” 

Zeljka Zorz, managing editor at Help Net Security and a zero trust aficionado, summarises zero trust as: “In short, the zero trust model enforces that only the right people or resources have the right access to the right data and services, from the right device, under the right circumstances.”  

In a zero trust security framework, all employees/users who are operating on an organisation’s network (both internally and externally), must be authorised for access by authenticating their credentials. The zero trust framework is not a one-and-done authorisation. Instead, users will have to seek continuous validation to be granted access to an organisation’s data and applications.  

The zero trust security model has exploded in popularity over the last few years as it encapsulates behaviours for local networks, cloud networks and a work environment that must juggle the two due to a shift from office working to remote working in multiple locations. At its core, the zero trust model seeks to be the modern solution to modern digital issues. It has a few key principles: 

  • Continuous verification/real-time monitoring: Users will always need to verify their access, no matter what resource they are trying to obtain. Networks and all access requests are constantly evaluated to detect intruders and limit damage. The zero trust model minimises “breakout time,” which is the period between a hacker breaking into a network or device and the initial security response.  
  • Minimised fallout through micro segmentation: The zero trust model effectively puts individual locks on all forms of data. This means that, should a breach occur, the ramifications will be minimal and limited to a small “blast radius.” This is a form of micro segmentation, a technique where a large network is segmented into smaller sections so if a compromise should occur in one section, the rest of the network can stay secure.  
  • Automated context and response: The zero trust model also takes security analysis out of the hands of a human compliance manager and replaces it with an automatic context collection protocol. Here, every access request is checked against the need for said access, thus collecting behavioural data on employees and how they are handling data. The model can also log unverified requests for access and report that to information security officers.  
  • Multi-factor authentication (MFA): This is already a quite common security feature in a lot of frameworks, and it is the same for the zero trust framework. Using MFA, a user’s identity can be accurately assessed, and access can be granted. Types of MFA include security questions, second device confirmation, one-time text passcodes and more.  

How does zero trust work? 

The typical zero trust security framework combines multifactor authentication with strong endpoint security and user ID verification systems to consider and conclude access requests in a moment. Zero trust models also encrypt data, secure emails, and regularly run scans of assets and data to make sure nefarious code or documents have not infiltrated the system. 

Most zero trust policies are continuously vetting users prior to giving them access to any data or assets. They check attributes such as device privileges, behaviour patterns, geolocation, software versions, firmware versions, operating systems, patch levels and suspicious activities.  

The zero trust model is a significant departure from the traditional way of securing an organisation’s data. The standard approach to accessing data has always been “trust but verify,” which allows employees to access data on a whim. This model allows work to be completed faster, and fewer roadblocks are erected to slow down projects.  

However, the zero trust model is “verify first, trust second.” Advocates for the zero trust infrastructure argue that traditional “trust but verify” models put organisations at risk from both malicious internal actors and skilled external actors who use fraudulent credentials to compromise accounts and wreak havoc across an entire organisation’s data. They also argue that, due to the pandemic and the drive towards remote working on cloud networks, the zero trust model keeps organisational data secure even on uncompromised and unvetted private home networks.  

Fans of the zero trust model also know that threats and threat actors are always evolving, and the types of attack an organisation faces change with them. The zero trust model keeps a log of all service users and privileged accounts. This makes it easier to track users who should not be on the network or who are seeking to access data they have no permission to access.  
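The attribute checks described above (MFA, device state, patch level, geolocation, per-resource permissions) and the logging of unverified requests can be illustrated with a small policy evaluator. This is an added example, not code from the original post; every threshold, role, resource name and sample request in it is a constructed assumption, and each request is evaluated afresh so a device that drifts out of compliance loses access on its next request.

```python
# Added example (not from the original post): a minimal zero trust policy
# evaluator. Thresholds, allow-lists, roles and resources are assumptions.
from dataclasses import dataclass

MIN_PATCH_LEVEL = 42              # assumed minimum acceptable OS patch level
ALLOWED_COUNTRIES = {"GB", "IE"}  # assumed geolocation allow-list

# Assumed mapping of resource -> roles permitted to reach it (least privilege)
RESOURCE_ROLES = {
    "hr-records": {"hr"},
    "source-repo": {"engineering"},
    "wiki": {"hr", "engineering", "sales"},
}

DENIAL_LOG: list[dict] = []  # constructed stand-in for an audit/SIEM sink


@dataclass
class AccessRequest:
    user: str
    resource: str
    mfa_verified: bool   # second factor completed for this session
    device_managed: bool # device enrolled in endpoint management
    patch_level: int     # reported OS patch level
    country: str         # geolocation of the request
    role: str            # role the identity provider asserts for the user


def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). No decision is cached: every request is
    re-checked against the current context, which is the continuous
    verification the text describes."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa_missing")
    if not req.device_managed:
        reasons.append("unmanaged_device")
    if req.patch_level < MIN_PATCH_LEVEL:
        reasons.append("patch_level_below_minimum")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append("geolocation_not_allowed")
    if req.role not in RESOURCE_ROLES.get(req.resource, set()):
        reasons.append("role_not_permitted_for_resource")
    allowed = not reasons
    if not allowed:
        # Denied requests are recorded so security officers can review them.
        DENIAL_LOG.append({"user": req.user, "resource": req.resource,
                           "reasons": list(reasons)})
    return allowed, reasons
```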


The truth about the zero trust model 

No one is truthful about the zero trust model, so we will be: it is not for everyone. Not every organisation can operate efficiently with such a large blocker in place. Not every organisation should see a zero trust model as the only solution to protecting its data.  

In fact, turning to a zero trust model is admitting a failure in educating and developing the security culture of your organisation. If you have sufficiently taught, trained, and maintained a healthy security culture amongst your employees and have external security protocols in place, then there really is no need for a zero trust model. Sure, it is an easy fix for information security officers and data protection managers, but it focuses on access controls and ignores the true problem: risky behaviours and the need to train them out.  

The zero trust model also implies that management does not trust its employees and that every action on its network must be considered nefarious before innocent. Employees will eventually lose the will to justify every access request as it becomes a case of fighting to work rather than having the best conditions in place to work.  


In conclusion 

Truthfully, the zero trust model framework is only best when implemented in mega corporations or in small segments of mega corporations. Smaller companies do not need to put up roadblocks for their employees and should be looking at more considered behaviour change rather than constant employee monitoring.  

Nevertheless, it is a security initiative CISOs (Chief Information Security Officers) and DPOs (Data Protection Officers) are considering in the wake of constantly rising global breach statistics. If you want to see your employees as the problem in need of regulating, then zero trust seems to be the go-to solution. However, if you, like us, see employees as the solution and first point of defence, then behaviour change trumps zero trust in many ways.  


If you would like more information about how The Security Company can help deliver security awareness training for remote workers or how we can run a behavioural research survey to pinpoint gaps in your security culture, please contact Jenny Mandley. 
