Zero Trust: Hype vs. Reality

Zero Trust is a security approach that has gained significant attention in the cybersecurity world in recent years. But what is Zero Trust, and how effective is it in protecting against cyber threats? Cybersecurity professionals are rightfully skeptical of phrases that suddenly become buzzwords overnight. However, there are many legitimate technologies and policies that fall under the umbrella term “Zero Trust”. In this post, we will explore the concepts and technologies involved in Zero Trust and attempt to differentiate marketing hype from factual evidence.

Definition

First, let’s define zero trust. At its core, Zero Trust is a security model that assumes all users and devices within a network are untrusted and potentially malicious. This means that, rather than relying on the traditional perimeter-based security model which assumes that everything inside the network is trusted, a Zero Trust approach treats all access requests as coming from an untrusted source. There are a few other definitions of Zero Trust but each definitions contains a common concept:

“Never trust, always verify.”

Sounds pretty reasonable for a security protocol, right? It is like saying everything in a network is “guilty until proven innocent”. In an ideal Zero Trust environment, every network connection, digital communication, and device would be walled off from access until a series of verification steps has occurred. Is such an ideal environment achievable? Probably not, but more on that later. Let’s begin exploring the technologies which utilize Zero Trust principles.

Zero Trust Tech

One key component of Zero Trust is multi-factor authentication (MFA), which adds an additional layer of security by requiring users to provide multiple forms of authentication before accessing a network or system. This can include a combination of something the user knows (e.g. a password), something the user has (e.g. a physical token or mobile device), or something the user is (e.g. a fingerprint or facial recognition).

Many online services/apps allow you to set up 2FA (2-factor authentication) which requires two forms of authentication to log in. Usually, the available authentication options are SMS, Email, or app-based methods. Out of these three options, SMS is the least secure route. Because SMS messaging is not encrypted, it comes with a lot of security issues that make it unreliable as an MFA method. If you’re going to enable 2FA for the purpose of securing an app or account, we highly recommend using app-based methods.

In addition to MFA, virtual private networks (VPNs) and encrypted messaging are also commonly used in a Zero Trust architecture. VPNs allow users to securely access a network remotely, while encrypted messaging ensures that any communication between users is protected from interception. Whether for personal use or for work, VPNs are a highly reliable tool for securing devices and network connections.

There are many benefits to using a VPN which include:

• Secure access to the internet on public WiFi
• Privacy from your ISP (internet service provider)
• Opens up access to websites that are only viewable in certain countries
• Connecting to a VPN on a work device allows your system admins to enforce company security protocols more efficiently (which is good for them and you)

What about the drawbacks? While VPNs have certainly gotten faster in recent years, the biggest downsides of connecting to the internet through a VPN are latency and speed. On a 1 gig ethernet connection, you’ll see a potential loss of 50-70% loss of speed when connecting through a VPN. For normal web browsing, this is barely noticeable, but that lessened speed becomes far more noticeable when streaming HD videos or playing latency-sensitive games. While there is certainly a degradation of internet speeds, the security gained when using a VPN can be a worthy tradeoff for many people.

MFA and VPNs are clearly important technologies to be utilized with the goal of creating a network based on Zero Trust principles. They are user friendly, accessible, easy to implement (within a smaller organization). With that in mind, we can now explore the final piece of the Zero Trust puzzle: Access Control.

Access Control

Access control is a critical aspect of Zero Trust security. In a traditional perimeter-based security model, access is typically granted based on a user's location, with users inside the network considered trusted and granted access to all resources, while users outside the network are considered untrusted and denied access.

In contrast, a Zero Trust approach grants access based on the user's identity and the level of access they need to specific resources. This means that even if a user is inside the network, they will only be able to access the resources they are authorized to access. There are several benefits to this approach.

First, it reduces the risk of unauthorized access to sensitive resources, as users are only granted access to the specific resources they need to perform their job. 

Second, it allows organizations to have greater control over their networks and systems. 

Third, it can improve the overall security of the network by reducing the size of the attack surface. In a traditional perimeter-based security model, the entire network is considered trusted, which means that an attacker who gains access to the network has access to all resources. In a Zero Trust architecture, the size of the attack surface is reduced because all users have a defined scope of their network access. If employee A becomes the victim of a phishing attack but they only have access to marketing data, then the potential damage of the infection is dramatically reduced.

In summary, access control is an important component of Zero Trust security. It allows organizations to grant access to users based on their identity and the specific resources they need, rather than their location within the network. This can improve the security of the network and reduce the risk of unauthorized access to sensitive resources.

Marketing Hype vs. Reality

Now that we have identified the benefits of Zero Trust technologies and policies , let’s begin to address the hype. While it is true that Zero Trust technologies and policies can provide enhanced security, it is important to recognize that it is not a silver bullet for all security threats. In fact, some experts argue that the term “Zero Trust” is a misnomer, as it is impossible to completely trust or distrust any user or device. 

Furthermore, implementing a Zero Trust architecture within a larger corporation can be complex and costly, requiring significant investment in technology and resources. It also requires a significant shift in the way organizations approach security. But regardless of cost or complexity, we can see that Zero Trust technologies and policies are beneficial for preventing cybersecurity disasters. So, how can a company decide whether they should shift towards a Zero Trust infrastructure? In order to make the best decisions, it’s important that they listen to the experts, rather than the marketing blogs.

So, in order to find out how cybersecurity experts view Zero Trust, I reached out to two of our resident Security Analysts, Tyler Moffitt and Grayson Milbourne.

Tyler Moffitt has been involved in threat research for many years at Webroot/OpenText Security Solutions. We discussed the capabilities of Zero Trust infrastructure and if the media is potentially overstating its benefits. 

Question: “What are the real technological benefits that can be gained from adopting Zero Trust policies in a company?”

Answer: “I think the most impactful benefit we see when looking at Zero Trust policies is access control. Access control is essentially limiting employee access to precisely what they need for their job responsibilities. When a company implements access control policies, that is a huge step towards securing their network. In fact, most of the compromises and ransomware attacks that are discussed in the media can be traced back to a LACK of access control.”

Tyler mentions that this lack of access control can involve:

• An employee clicks a phishing link or falls for a credential stealing attempt
• Infiltrators compromise one machine and then look to get access to shared network drives or network admin credentials

The end goal of any of these attack methods is to gain access to user credentials that have high level access to a network or access to important data. Network admins are the big ones - if a threat actor can gain full access to a network admin login, then they got what they came for. From there, they can usually lock down an entire network, steal data, deploy a ransomware package, you name it. Access control policies are built to mitigate this kind of attack by either preventing it fully or at least reducing the impact. If access control policies are correctly implemented, threat actors will find it far more difficult to find what they’re looking for. 

After discussing access control, I proceeded to ask Tyler Moffitt about the marketing hype surrounding Zero Trust.

Question: “There’s a lot of  hype surrounding Zero Trust in the tech blogs and news media. Help myself and our readers separate fact from fiction on this topic - what is the media getting wrong when they talk about Zero Trust?”

Answer: “Zero Trust is being used as a buzz-word right now. It reminds me a lot of how the media discusses machine learning or AI technology. They  find some grains of truth about a technology and then embellish those truths without talking about limitations. The truth is that a perfect “Zero Trust” environment is a unicorn - it doesn’t exist and I don’t think it can exist. Technology has flaws and you can’t count on a framework to be immune to exploits. There’s always going to be a grey area when considering trusted vs untrusted devices or access points.”

Grayson Milbourne is the Security Intelligence Director at OpenText Security Solutions. He is responsible for ensuring our organization is capable of defending against today's most advanced threats. I reached out to him to learn about the capabilities of zero trust.

Question: “How would you define Zero Trust?”

Answer: “Zero Trust is a method, mindset, and a framework for understanding risk. It’s not an all or nothing approach, though. You can evaluate the concepts and technologies behind Zero Trust and apply the ones that make the most sense for your business.”

Grayson sees Zero Trust as an essential part of cybersecurity. He mentions that the philosophy of Zero Trust is embodied in many of the cybersecurity tools that businesses are already using. The list of tools, software, and policies that utilize a Zero Trust framework is extensive:

• MFA
• VPN
• Antivirus
• Security Awareness Training
• DNS filters
• Encryption 

Above is just a sample of technologies that are used for a similar purpose: securing the potential attack vectors of a network or device. The proper implementation and use of these tools puts organizations in a more secure position. 

When considering the benefits of adopting Zero Trust policies and technologies, the initial benefit is obvious - becoming resilient to cyber attacks. There is, however, a less obvious yet very important benefit which Grayson points out:

“Companies that implement a Zero Trust framework within their cybersecurity pay a lot less for cyber insurance.”

That makes perfect sense - if a company has not properly implemented preventative tools like MFA or DNS filtering, they’re more susceptible to something like a ransomware attack. That makes a company more of a liability when considering cyber insurance coverage. 

So we now have a pretty thorough understanding of what Zero Trust is as well as how the tech/principles can be applied to benefit an organization. I still wanted to know what Grayson thought about the marketing hype that has surrounded zero trust. He states,

“Zero Trust does not mean zero risk - it is a method of limiting exposure to risk. The reality is that there’s no such thing as a perfect Zero Trust environment. The implementation of Zero Trust policies and software creates a structure which reduces risk, reduces impact of infections, and creates a plan for rebounding from disaster. A cybersecurity attack of your company disrupts trust with all of the people that interact with your business. For this reason, it is in a company’s best interest to look at the available security options and evaluate which options are correct for them.”

In Summary

Zero Trust is an incredibly useful framework that can assist organizations with becoming cyber resilient. When companies integrate Zero Trust policies into their cybersecurity, it becomes easier to acquire cyber insurance and mitigates the damage of potential cyber attacks. However, it is important to keep in mind that Zero Trust does not mean zero risk. Despite the claims of clickbait headlines, there is no such thing as an immutable digital network. Technology (and the people using it) will always have flaws and threat actors will always seek to take advantage of those flaws. 

Now we want to know what you think! Did you learn something new today? Had you even heard of Zero Trust before reading this post?

Let us know in the comments below!