Is Zero Trust The Future Of Cybersecurity?

Brought to you by CYRIN

Zero trust could be the future of cybersecurity. If so, cybersecurity will look much different than how it is practiced currently. Zero trust security, also known as a zero-trust architecture or perimeter-less security, assumes no one and no device or application is universally trusted, whether inside or outside the network. Continuous verification is required. Access is granted based on the context of the request, the level of trust, and the sensitivity of the asset.

A zero-trust architecture is especially effective for organizations that use cloud applications and have lots of remote workers and locations.

Zero trust represents a departure from security models focused exclusively on perimeter defenses, the “moat around the castle” strategy aimed at keeping malicious actors out, while those inside the walls could move freely. That metaphor or model “falsely assumed users and devices within the corporate environment could be trusted. It discounted insider threats and the potential for bad actors to successfully penetrate the perimeter and disguise themselves as trusted entities that belonged within the environment.” In other words, what happens when the perimeter – through IT and cloud computing – is eliminated? For this reason, a zero-trust policy or strategy requires every user or device to be verified and vetted when trying to access a private network, even if they are requesting access from within.

According to Steve Wilson, principal analyst at Constellation Research, the definition of zero trust is: “Zero trust is saying: don’t assume anything. Allow agents and users the least privilege and the least access they need to get their jobs done. And don’t assume any privilege without verifying.”

Historical Roots & Future Projections For Zero Trust

Zero trust is not a new concept, even if it is appearing more frequently in federal mandates and on private industry’s cybersecurity radar. In fact, as early as 2010, Forrester Research analyst John Kindervag suggested that “an organization should not extend trust to anything inside or outside its perimeters.” In the process, he helped to define the concept of zero trust. Zero trust principles have since been more widely adopted, aided by a May 2021 executive order declaring that the federal government “must adopt security best practices” and “advance toward zero-trust architecture.” Zero trust is expected to play a large part in federal cyber plans going forward, with more agencies implementing zero-trust architecture within their organizations.

Enabling a zero-trust strategy is not a one-and-done process; implementation involves layers of policies, procedures and technologies, which can be challenging for organizations. Another source of vulnerability and impediment to success is legacy technology; older systems often can’t work with or support the elements of a zero-trust security model. Financial constraints and resistance to change are additional barriers. Organizations generally can’t afford to replace existing security technologies and modernize legacy tech all at once, nor can they successfully move workers to new policies and procedures in one fell swoop.

Speaking in a September 2023 post on the ISACA site, Matt Chiodi, Chief Trust Officer at Cerby, said, “Legacy applications often fall in the ‘unmanageable’ category, and are one of the biggest, largely unknown, threats facing organizations today. These applications are the hole in most organizations’ zero trust strategy, as identity is a critical input to a zero-trust system. These applications don’t support standards like SSO and SAML, so they can’t be included in a zero-trust architecture. Recent research from the Ponemon Institute found that unmanageable applications, many of which are legacy systems, generate 10 to 15 percent of breaches annually.”

Many government agencies still use legacy systems to manage complex, critical business functions like benefits programs, and mission-critical business functions and processes. But because these systems were developed before cybersecurity was a major concern, they lack features that can make them more secure. It all adds up to a big headache for state and local governments that must balance their need to defend themselves against evolving threats while managing legacy assets that cannot easily be upgraded or migrated to the cloud.

The ever-increasing need to “trust no one” is reflected in recent high-profile cybersecurity breaches that had major consequences: Colonial Pipeline, 23andMe, and MGM Resorts, to name a few.

These attacks illustrate the need for more robust security measures. The Colonial Pipeline attack disrupted the East Coast’s fuel supply, leading to panic and economic consequences. The 23andMe hack violated the privacy of users, and unauthorized access to genetic data meant individuals could be at a higher risk of discrimination, targeted attacks, or even identity theft, as well as the sharing of wrongful data that, if placed in the wrong hands, could severely impact a person’s health outcomes. Such sophisticated breaches point to the need for zero trust models, which continually authenticate and authorize all users in real time, whether inside or outside the network, reducing the attack surface available to malicious actors and detecting and correcting threats as quickly as possible.

The Role Of AI In Zero Trust

As technology advances rapidly, future cyberattacks will utilize artificial intelligence (AI) because of its ability to quickly evolve and adapt. Imagine AI-driven malware with the ability to scan networks, identify vulnerabilities, and modify its behavior in real time to evade detection. AI’s ability to continuously adapt emphasizes the need for a model like zero trust, where constant verification, monitoring, and limited access are the only reliable ways to stay ahead of these future threats.

In March 2024, the U.S. National Security Agency (NSA) released a cybersecurity information sheet, "Advancing Zero Trust Maturity Throughout the Network and Environment Pillar," recognizing Zero Trust Segmentation (ZTS) as a foundational element.

Widespread applications of AI in zero trust may mark an important turning point. Zero trust security operates based on continuous verification and authentication. Every request for access must be vetted to ensure that the person or thing attempting access is who they say they are. Rather than being static, continuous verification with the help of AI is dynamic, adaptable, and contextually rich. Smart application of AI in the zero trust framework could help address a long-standing criticism of zero-trust initiatives, which is that layering on additional security controls can frustrate authorized users. By adapting security controls based on moment-by-moment context along with historical trends, AI could be trained to find a middle ground where zero trust is enforced and, at the same time, impediments to authorized users are eliminated so they can get from point A to point B without hassle or confusion.

As a February 2024 article in SC World noted, “AI combines incredible speed, precision, and depth of data to give organizations a contextually-rich understanding of the threats that zero trust practices aim to root out. In the next few years, we may see a marriage of generative AI tools with zero trust playbooks that, for the first time ever, bring this long-sought security philosophy within reach.”

The Healthcare Connection

Zero trust initiatives may be particularly critical in the healthcare industry, where access to sensitive data could have catastrophic or even fatal consequences. In a 2023 National Institutes of Health article, the American Hospital Association advises senior hospital leaders not to view cybersecurity as purely a technical issue falling solely under the domain of IT departments. They indicated that it’s critical to see that cybersecurity measures are linked to patient safety. However, many organizations lack the cybersecurity knowledge or resources to adequately protect this highly sensitive data. In addition, health care organizations in many cases are likely to pay a ransom, due to the high value patient records have for malicious actors and cybercriminals. Stolen health records may sell for up to 10 times more than stolen credit card numbers on the dark web. The cost to heal a breach in health care is almost 3 times that of other industries, averaging $408 per stolen health care record versus $148 per stolen non-health record. Hospitals are already under time and monetary pressure, and this creates a bind for both providers and doctors who must balance access with security.

Currently, many organizations take a network perimeter approach to cybersecurity, but as more ways to penetrate a network have been created, this strategy has become outdated. Given the importance of healthcare data, it seems only natural that healthcare systems should consider taking a zero-trust approach.

Both Industry & Government Moving To Zero Trust

The government has both taken note and taken action. In President Biden’s 2025 budget request there is $13 billion allocated for cybersecurity spending for both defense and civilian agencies, up almost 10% from 2024, and significant chunks are set aside for zero trust initiatives. Specifically, the FY 2025 budget requests $470 million for the Continuous Diagnostics and Mitigation (CDM) Program, which supports zero trust implementation through a dashboard that offers a detailed view of the cyber landscape across the whole federal government. The Defense Department overall has offered leadership in demonstrating how to implement zero trust strategies. While the Pentagon is certainly ahead of the curve, with agencies like the Defense Information Systems Agency taking truly innovative approaches, many DoD components are still in the early stages of their journeys.

It’s been nearly 15 years since former Forrester analyst John Kindervag brought the zero-trust concept into the mainstream, advising organizations to “trust no one” and “verify everything.” But it’s been a long haul for zero trust. While respondents to a recent CyberRisk Alliance (CRA) survey of 205 security and IT leaders almost universally regard zero trust as the right path forward, fewer than one-third have actually implemented zero trust in their organizations.

But even with the low rates of deployment, 62% of respondents believe that zero trust has grown in importance over the last 12 months. Because of that, a clear majority have plans to finalize a fully drawn-up zero-trust framework in 2024. Many respondents are looking for AI to come to the rescue. They say AI has the potential to help them identify breach attempts faster, reveal patterns in user behavior and network activity, and foil convincing phishing attempts.

Despite foreseeable challenges, it is predicted that zero trust will continue to play a big part in federal cyber plans in 2025, and will be widespread, with nearly every agency having some part to play in implementing zero trust architecture within their systems and organizations. It’s also clear that industry will follow the federal government’s lead, with zero trust becoming the way of the future. The question is, when will that future arrive?

CYRIN’s Capabilities

At CYRIN, we understand AI and zero trust, including the cybersecurity implications. We continue to work with our industry partners to address major challenges such as the use of new paradigms like AI and zero trust. We set up realistic scenarios that allow them to train their teams and prepare new hires for the threats they will face. Government agencies have been using CYRIN for years, training their front-line specialists on the real threats faced on their ever-expanding risk surface.

For educators, we consistently work with colleges and universities both large and small to create realistic training to meet the environment students will encounter when they graduate and enter the workforce, including being at the forefront of new and future uses of cybersecurity.

Unless you get the “hands-on” feel for the tools and attacks and train on these real-world scenarios, you just won’t be prepared for when the inevitable happens. The best time to plan and prepare is before the attack. Our training platform teaches fundamental solutions that integrate actual cyber tools from CYRIN’s labs that allow you to practice 24/7, in the cloud, with no special software required. Cyber is a team effort; to see what our team can do for you, take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!

