In 2017, a ransomware attack involving malware called WannaCry crippled the UK’s NHS. About 200 primary care facilities had to delay or suspend their medical procedures because records were inaccessible.
Within the same year, Equifax, one of the largest credit bureaus in the United States, experienced a data breach, exposing over 145 million personal and financial records.
Organizations are well aware of the reality of cyberthreats, but many still don’t understand how they work — often mistakenly believing that these are only external threats. In fact, the story can begin on the inside. Because of this, the concept or model called “zero trust” was born.
What Is Zero Trust?
Zero trust is built on the idea that “everyone should trust no one.” From an organizational perspective, all members, from the CEO down to the rank and file, can commit, influence, aggravate, or promote cyberthreats, whether accidentally or deliberately. They can be just as harmful as the cyberattackers who destroy systems around the world.
The Birth of Zero Trust
To understand the principle behind zero trust, go back to 2004, when Paul Simmonds introduced two concepts to the Jericho Forum: the castle-and-moat model and deperimeterization.
- In “castle-and-moat”, the traditional network security system resembles a castle surrounded by its defensive perimeters and a moat that further separates it from threats. All network devices rely on a firewall to keep intruders out.
- Deperimeterization, on the other hand, argues that this strategy may no longer work as more employees use many devices and connect from them anytime, anywhere. The security approach needs to be just as agile. To achieve this, however, the company needs to secure both the front- and back-end components, usually through as-needed access and comprehensive authentication processes.
Six years after the introduction of deperimeterization, John Kindervag, a Principal Analyst and Vice President of Forrester Research, wrote about zero trust. He implied that:
- The old security model is faulty since it assumes that all users are trustworthy.
- Trust is a vulnerability and may be exploited especially by malicious actors.
- While he agrees that present security approaches should be more fluid, considering the popularity of wireless and complex connectivity, he also thinks that unrestricted access at any point can still be dangerous.
- Micro-segmentation may then become one of the effective strategies to prevent the problem. For example, users may not be able to access all databases or information. They may need to authenticate themselves at every level.
The Value of Zero Trust in the Digital Age
Since the inception of zero trust, many companies, including Google, have already expanded their approach to include a variety of systems, platforms, and devices. The reason is simple: they see its value in this highly digital age.
1. Cyberattacks Are Costly
Cybersecurity Ventures broke down the staggering costs of cyberattacks. By 2021, the total could reach a mind-boggling $6 trillion annually. That’s equivalent to almost $200,000 per second!
In fact, the losses are so huge that, when compared to world economies, cybercrime would rank third after the U.S. and China. It also costs more than the global drug trade and natural disasters.
These threats are especially harmful to small businesses. In a 2018 report by Keeper Security, over half of U.S. small businesses with fewer than a thousand employees experienced a cyberattack. Almost 60% claimed that their data had been breached.
These cybercrimes usually cost small enterprises around $200,000 a year. Approximately 60% of these businesses eventually shut down within six months after an attack.
2. The 5G Network Has a Lot of Vulnerabilities
The 5G network has been a subject of excitement, as well as contention and politics, because of what it can do for IT. With its promise to increase speed and decrease latency, it feels like the sky's the limit when it comes to running applications and networks.
5G technology can fuel the growth of IoT devices and increase the demand for self-driving cars and smart cities. Small businesses can be just as efficient as their large-scale counterparts as platforms become more capable of offering services that would otherwise have been too expensive to acquire and maintain.
However, this technology can also offer cybercriminals different pathways to infiltrate. 5G’s connectivity may also become its Achilles’ heel. In 2019, the University of Iowa and Purdue University enumerated at least ten 5G vulnerabilities, including hijacking emergency alerts delivered through texts and incoming calls.
Companies can expand zero trust to cover users, machines, and networks. This means that even if a bad actor succeeds in bypassing the first layer of protection, they may not be able to go deeper.
This approach also promotes constant monitoring of internal and external use, so IT teams can become aware of suspicious access or activities.
The Downsides of Zero Trust
Zero trust is a smart, realistic, and doable security model, but it is not perfect. Writing for Computer Weekly, Mike Gillespie illustrates the limitations, challenges, and barriers of zero trust.
- It may lead to employee disengagement. It somehow creates the idea that they are not trustworthy and that the company may always be on the lookout for their every move. Employees feel they are constantly monitored. Zero trust, therefore, could foster tension in the workplace.
- The restrictions may limit innovation. The different authentication processes, lack of access to useful information, and sometimes bureaucracy can translate to lower productivity and efficiency.
For others, the volume of applications, people, and data it needs to manage can be a significant challenge. At some point, it may fail to secure one of these properly, providing the entry cybercriminals need to take over.
How to Improve Zero Trust Policies
Microsoft has outlined some recommendations to strengthen and improve zero trust policies within the organization. These include:
- Consider conditional access controls. Rather than focusing too much on internal and external users of the network, organizations can shift to vetting every access request according to its context.
- Strengthen one’s credentials. Besides using unique passwords and updating them regularly, companies can also benefit from implementing multi-factor authentication as part of conditional access control.
- Maximize analytics. The data generated by the systems deployed for zero trust can be used to track patterns that could identify cyberthreats.
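The sketch below ties these recommendations to the micro-segmentation idea described earlier. It is an added example, not code from Microsoft or any product: each request is vetted by its context (role, segment, device, MFA freshness), being on the corporate network grants nothing by itself, and denied requests feed a simple analytics check. The segment names, roles, the 15-minute MFA window and the sample requests are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical micro-segments (constructed for illustration): the roles
# allowed into each one, and whether a fresh MFA proof is required.
SEGMENTS = {
    "wiki":       {"roles": {"staff", "hr", "finance"}, "mfa": False},
    "hr-db":      {"roles": {"hr"},                     "mfa": True},
    "finance-db": {"roles": {"finance"},                "mfa": True},
}
MFA_MAX_AGE = 15 * 60  # seconds an MFA proof stays fresh (assumed value)

@dataclass
class Request:
    user: str
    role: str
    segment: str
    device_managed: bool
    on_corp_network: bool     # recorded, but deliberately never grants access
    mfa_age: Optional[int]    # seconds since last MFA, None if never done

def decide(req: Request) -> str:
    """Return 'allow', 'step_up_mfa' or 'deny' for one access request."""
    policy = SEGMENTS.get(req.segment)
    if policy is None or req.role not in policy["roles"]:
        return "deny"             # default deny, evaluated per segment
    if not req.device_managed:
        return "deny"             # context check: unmanaged device
    if policy["mfa"] and (req.mfa_age is None or req.mfa_age > MFA_MAX_AGE):
        return "step_up_mfa"      # re-authenticate at this level
    return "allow"

def flag_users(log, threshold=3):
    """Analytics: users whose denied requests reach the threshold."""
    counts = {}
    for req, decision in log:
        if decision == "deny":
            counts[req.user] = counts.get(req.user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)

# Constructed sample requests (not real data).
SAMPLE = [
    Request("alice", "hr", "hr-db", True, True, 60),
    Request("alice", "hr", "hr-db", True, True, 3600),       # stale MFA
    Request("ceo", "staff", "finance-db", True, True, 60),   # inside, wrong role
    Request("bob", "finance", "finance-db", False, False, 60),
] + [Request("mallory", "staff", "hr-db", True, True, 30)] * 3
DECISIONS = [(r, decide(r)) for r in SAMPLE]
```

Note that the CEO's request is denied even though it comes from a managed device on the corporate network, while `flag_users(DECISIONS)` surfaces only the account that keeps probing a segment it has no role in.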
Microsoft revealed that over 20% of companies now implement zero trust, while more than half said that they will do so within the next 12 months. Thus, it looks like it’s here to stay.
The zero trust approach will make the cyberworld a safer place. However, for it to truly serve its purpose in the organization, this model needs to evolve to accommodate the changing needs of the users. Companies should also overcome the model's limitations and never forget about the basics of cybersecurity.