Zero Trust Security’s New Pitfall To Avoid: Over-Investing
The huge promise of zero trust has led some businesses to actually ‘put too much focus on it,’ a Gartner analyst told CRN. And there are lots of security issues that zero trust can’t help with.
The effort to get businesses to care about adopting a “zero trust” approach to security, more than a decade in the making, is officially a success.
Maybe a little too much of a success.
With all of the hype about zero trust in recent years, there’s now a tendency among some businesses to “over-invest and put too much focus on it,” said John Watts, vice president and analyst at Gartner.
[Related: Cloudflare Earnings Takeaways: Zero Trust, Generative AI Security, Channel Growth]
A survey by the Cloud Security Alliance last year found that just about every IT and security professional that it polled — 94 percent — reported they were are in the midst of implementing a zero trust strategy. And 77 percent planned to increase their spending over the next year.
“Zero trust” might sound like an unlikely trend, but in the area of cyber defense, where the focus on keeping out malicious actors, it can be powerful, according to security experts. Simply put, the idea is that users shouldn’t get carte blanche to move around within an organization’s systems just because they had the right password. There should be additional ways of verifying that users really are who they claim to be, and a series of measures in place to ensure they don’t get far even if they get past initial defenses.
A variety of security solutions have come to embody the zero trust idea. Those include identity authentication and authorization tools, especially those that ensure users can’t access more than they need to for their role, known as “least-privileged access.”
Another piece of the puzzle is having a modern remote access solution — zero trust network access (or ZTNA) — which is considered a more-secure replacement for VPN since it can consider other pieces of context before granting access, such as location and security health of the user’s device.
A third element that’s useful for zero trust, micro-segmentation, can prevent a breach from spreading across an organization’s environments.
From Hype To Reality
Zero trust solutions can help greatly with enabling secure access for distributed workforces, and they’ve seen surging demand since the onset of the pandemic.
And so while the past few years have seen a huge amount of noise and hype about zero trust and its potential for security, some businesses are now starting to actually try to do it.
While it’s still early — less than 1 percent of large enterprises “have a mature and measurable zero-trust program in place” today, according to Gartner — a wide array of businesses are on the path. When it comes to zero trust, “we’re moving from marketing hype into reality,” Watts told CRN.
Among other things, that means that businesses are starting to encounter some of the inevitable pitfalls.
A big one, Watts said, is that it’s possible to actually focus too heavily on the concept. For some businesses, the problem is now less about under-investing in zero trust, and more about over-investing.
Amid all the “sunshine and rainbows” about what zero trust can do for security, some businesses run the risk of neglecting other things they need to do to protect themselves — issues that zero trust can’t help with, Watts said. It bears keeping in mind, he said, that “zero trust doesn’t address all of the threats of an organization.”
For instance, organizations today are doing more and more with offering externally facing applications and services, he noted.
“They’re expanding your attack surface. But not all of those can be behind a zero trust control,” Watts said.
Another prime example is software supply chain attacks, such as the compromise of the SolarWinds Orion network monitoring platform in 2020.
Zero trust could potentially help to prevent attackers from initially infecting an application’s code. But if a threat actor succeeds at compromising an application that gets distributed to customers as an update, like in the SolarWinds attack, “zero trust doesn’t solve that problem,” Watts said.
“That’s all a trusted process typically,” he said. “And that thing running in your environment is in a spot where you trust its activity, because you installed it and manage it.”
‘No Panacea’
Without a doubt, as zero trust has taken off as a buzzword in the industry, the expectations around it have gotten unrealistic in some cases, according to Max Shier, chief information security officer at Optiv, No. 25 on CRN’s 2022 Solution Provider 500.
“It’s morphed into being seen as something that’s going to solve all of our issues in cybersecurity,” Shier said. However, “there is no panacea” in cybersecurity — from zero trust or anything else, he said.
That’s not to take away from the fact that zero trust is a security strategy that’s badly needed today, Shier said.
The zero trust approach is so effective, in fact, that even at its preliminary stage of implementation it has already begun forcing attackers to change their behaviors, according to Shier.
More attackers are now shifting their focus to software supply chain and API-based attacks, he said, which he attributes to attackers encountering new defense measures that are based on zero trust principles.
“Now we do have those additional layers of defense in place. You do now have permission sets, identity [security] and micro-segmentation on the network that really limit where a hacker can go. It’s harder to get in, it’s harder to move around,” Shier said.
For instance, assigning permissions to a specific a piece of data, asset or identity makes it difficult for a hacker to exploit group permissions, or get into an account where they can move arbitrarily throughout the network without being detected, he said. “Everything they do — once zero trust is implemented — is monitored, restricted and caught.”
Focus On ‘Primary Risks’
The march toward the focus on zero trust that we see today kicked off in 2009, in the wake of the China-attributed “Aurora” attacks on Google. The massive cyberattack prompted the company to begin its BeyondCorp initiative, seen as the first major zero trust implementation.
Most businesses are not Google, however, and may not need to invest as heavily or go as far with zero trust as the tech giant did. The ideal level of investment in zero trust will vary, depending on the needs and goals of each organization, Gartner’s Watts said.
For example, a mid-sized company “might achieve some of their goals just by implementing some point solutions in reducing some of the primary risks that they have,” he said. “They might be able to take services running on the internet, put them behind a firewall for access, so nobody can just scan and exploit them. That’s a positive for zero trust, and it reduces risk.”
Businesses should pinpoint the “clear primary risks” that they aim to address with zero trust, which they can often tackle incrementally, with standalone tools that aren’t necessarily part of a sweeping zero trust platform, he said.
“You don’t need to have the biggest strategy in the world with [major] investments to do that,” Watts said.
“Depending on the organization, smaller ones may just say, ’Hey, I’m going to replace my VPN with ZTNA, and I’m going to try to get more granular on my controls. Maybe I don’t get to this highest level of maturity — maybe I never get to micro-segmentation.’ That’s probably fine,” he said. “That probably reduces their primary risk.”