Debunking Five Myths About Zero-Trust

One term that has circulated around the security industry for years is ‘zero-trust.’ While many may view zero-trust as just the latest buzzword in the security industry, it is actually a concept that has existed for many years.

Zero-trust is a network architecture model that has been around for over a decade and represents a paradigm shift for securing access to resources and reducing the attack surface. John Kindervag is the pioneer of the model and first coined the term in his Forrester paper, No More Chewy Centers: Introducing The Zero Trust Model Of Information Security.

As organizations increase their interest in embarking on a zero-trust journey, misconceptions have arisen as well. Below are five common misconceptions that drive resistance to change among IT leaders, including zero-trust’s impact on network availability, user experience and productivity, and its ability to protect agentless devices and unmanaged systems.

Myth One: Zero-Trust is a Product

It’s important to recognize that zero-trust is a journey, not a product. To put it simply, zero-trust is an information security model that gradually eliminates implicit trust from the underlying network. 

The challenge for organizations new to the zero-trust model is to stay away from those vendors that claim to offer a cure-all “zero-trust product” which doesn’t actually deliver. Instead, IT leaders need to consider vendors that build tools to support a transition to a zero-trust architecture.

In fact, multiple product categories enable the implementation of a zero-trust network architecture that can move organizations toward an optimal security posture. When properly integrated and used, these products effectively reduce the attack surface and limit the blast radius in the event of a breach without affecting network availability, business operations and productivity. Ultimately, when properly implemented, a comprehensive zero-trust solution with continuous trust verification should aim for the complete elimination of the attack surface.

Myth Two: Zero-Trust Harms Network Availability

Zero-trust security not only improves network availability but also improves the application access experience. Network and security teams often have differing agendas. For instance, the network team may need to move assets efficiently and effectively from one location to another, with the security team later adding controls to the data. During that process, network performance and availability may suffer. This does not apply with a security-first approach to the network fabric, which is key to the zero-trust model. 

Once location becomes another attribute and does not determine trust by itself, securing assets becomes more effective, and transporting assets can be done more efficiently. As identity and its attributes become the new dynamic edge, instead of IP addresses and ports, organizations can, over time, create virtual microperimeters to build policy around their assets. This, in turn, helps IT by limiting the blast radius of an attack with a model that evolves in tandem with the organization.

Myth Three: Zero-Trust Solutions Replace VPNs

This misconception has a few caveats. To start, virtual private network (VPN) replacement is often a driving force for the adoption of zero-trust network access (ZTNA) solutions. ZTNA has historically challenged traditional VPN technologies for application access and removed the implicit trust that underpinned collaboration between employees and partners. This is especially true in an environment where remote work has increased exponentially, which exposes the limitations of VPN architectures from a bandwidth, scalability and security perspective.

What solves the issues of legacy VPN solutions is the way zero-trust is put into practice. ZTNA, when not pursued correctly, is not the answer to all VPN limitations. But ZTNA done the right way can go beyond replacing VPN to unlock new capabilities and overcome the limitations and risks of the old implicit trust model.

Myth Four: Zero-Trust Architectures Will Stop Breaches 

Unfortunately, in the security industry, there is no “silver bullet” that is guaranteed to stop all breaches. Similarly, ZTNA solutions are not infallible and cannot eliminate every single risk. With zero-trust, it’s essential to “trust nothing and verify everything”; this includes your zero-trust security stack.

One example of this is a trust broker that does not include multifactor authentication (MFA) and therefore has the potential to be compromised at some point. One way to combat this is with multiple entry and exit points, which could minimize the likelihood of outages. It’s important to remember that zero-trust is a journey which, over time, reduces the attack surface with the goal of eliminating it altogether. This cannot be achieved in one day and requires planning for the future.

Myth Five: Zero-Trust Hampers User Experience and Productivity 

It is understandable to assume that user experience and productivity could suffer because of the zero-trust practice of continuously verifying identity. However, with the right tools in place, a seamless experience is possible by nano-segmenting users, devices, apps, workflows and data, in combination with intelligent policies enforced as close to the asset as possible. 

On the administrative side, productivity actually increases and complexity decreases. For example, when an employee leaves the organization, under a zero-trust approach access to all resources is revoked at once. Under legacy models, removing access is complex or even ignored when an employee leaves an organization, and access can still remain, which threatens a company’s security in the long run.
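To make two of the points above concrete, the identity-centric policy described under Myth Two (location is just one attribute and never grants trust by itself) and the one-step revocation described here, the following is an added illustration written for this edit; it is not code from the article or from Elisity. It is a toy policy evaluator: every request is re-checked against the identity directory, MFA state, device posture and location, and removing an identity from the directory removes it from every decision at once. The legacy contrast is a set of per-resource access control lists, where a departed user's entries linger until each list is cleaned by hand. All names, roles, resources and policies are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    location: str           # just another attribute; never grants trust on its own
    device_managed: bool
    mfa_verified: bool


@dataclass(frozen=True)
class ResourcePolicy:
    allowed_roles: frozenset
    require_mfa: bool = True
    require_managed_device: bool = True
    allowed_locations: Optional[frozenset] = None   # None means any location


class IdentityDirectory:
    """Single source of truth for which identities exist and what roles they hold."""

    def __init__(self):
        self._roles = {}

    def provision(self, user, roles):
        self._roles[user] = frozenset(roles)

    def deprovision(self, user):
        # One operation: the identity disappears from every access decision at once.
        self._roles.pop(user, None)

    def roles(self, user):
        return self._roles.get(user)


def evaluate(directory, policies, req):
    """Return (allowed, reason). Every check runs on every request; nothing is cached."""
    roles = directory.roles(req.user)
    if roles is None:
        return False, "unknown or deprovisioned identity"
    policy = policies.get(req.resource)
    if policy is None:
        return False, "no policy for resource (default deny)"
    if not roles & policy.allowed_roles:
        return False, "role not permitted"
    if policy.require_mfa and not req.mfa_verified:
        return False, "MFA required"
    if policy.require_managed_device and not req.device_managed:
        return False, "managed device required"
    if policy.allowed_locations is not None and req.location not in policy.allowed_locations:
        return False, "location not permitted for this resource"
    return True, "allowed"


def stale_acl_entries(acls, directory):
    """Legacy contrast: (resource, user) pairs still present in a per-resource ACL
    although the user no longer exists in the identity directory."""
    return {(res, user) for res, users in acls.items()
            for user in users if directory.roles(user) is None}


def build_demo():
    """Constructed sample identities, policies and legacy ACLs."""
    directory = IdentityDirectory()
    directory.provision("alice", {"engineer"})
    directory.provision("bob", {"finance"})
    policies = {
        "git": ResourcePolicy(allowed_roles=frozenset({"engineer"})),
        "payroll": ResourcePolicy(allowed_roles=frozenset({"finance"}),
                                  allowed_locations=frozenset({"office"})),
    }
    legacy_acls = {"git": {"alice"}, "payroll": {"bob"}, "wiki": {"alice", "bob"}}
    return directory, policies, legacy_acls


if __name__ == "__main__":
    directory, policies, acls = build_demo()
    # Being on the corporate LAN without MFA does not earn access: location is not trust.
    print(evaluate(directory, policies, AccessRequest("alice", "git", "corporate-lan", True, False)))
    # A verified identity on a managed device is allowed from home.
    print(evaluate(directory, policies, AccessRequest("alice", "git", "home", True, True)))
    # Bob leaves: one directory change, and every resource denies him on the next request.
    directory.deprovision("bob")
    print(evaluate(directory, policies, AccessRequest("bob", "payroll", "office", True, True)))
    # The legacy ACLs still list him until someone edits each resource individually.
    print(sorted(stale_acl_entries(acls, directory)))
```

The key design choice is that the evaluator never consults the network location to decide whether to trust the caller; location only narrows what an already-verified identity may reach (the payroll policy). Revocation is a single directory operation because every decision derives from the directory at request time, whereas the ACL model leaves per-resource state that must be chased down.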

In summary, zero-trust is a journey, and a worthy pursuit for organizations seeking an innovative, aspirational way to approach security. Zero-trust is a constant exercise of verification and policy adaptation, which ultimately enables the coexistence between security and networking agendas. By pursuing a zero-trust approach with the right set of integrated security tools, organizations can start their journey with confidence. 


Sundher Narayan

Sundher Narayan is the CTO and Co-Founder of Elisity. Sundher brings extensive experience taking innovative networking technologies from concept to multimillion-dollar portfolio product. Sundher is responsible for technology, vision, and architecture for Elisity Cognitive Trust. Previously, Sundher was a Senior Network Architect at Cisco, where he developed industry-leading fast converging access networks and cloud solutions, as well as led many of the company’s enterprise, service provider, and ACI Solutions. Sundher is a pioneer in Automatic Protection Switching and Ethernet Virtual Circuit technologies and holds multiple patents across enterprise, service provider, and DC areas for Cisco. Sundher holds a Masters of Engineering in Electrical Communication Engineering from the Indian Institute of Science, Bangalore.
