Is Zero Trust The Future Of Cybersecurity?
Brought to you by CYRIN
Zero trust could be the future of cybersecurity. If so, cybersecurity will look much different than how it is practiced currently. Zero trust security, also known as a zero-trust architecture or perimeter-less security, assumes no one and no device or application is universally trusted, whether inside or outside the network. Continuous verification is required. Access is granted based on the context of the request, the level of trust, and the sensitivity of the asset.
A zero-trust architecture is especially effective for organizations that use cloud applications and have lots of remote workers and locations.
Zero trust represents a departure from security models focused exclusively on perimeter defenses, the “moat around the castle” strategy aimed at keeping malicious actors out while those inside the walls could move freely. That model “falsely assumed users and devices within the corporate environment could be trusted. It discounted insider threats and the potential for bad actors to successfully penetrate the perimeter and disguise themselves as trusted entities that belonged within the environment.” In other words, what happens when the perimeter – through remote IT and cloud computing – is eliminated? For this reason, a zero-trust policy or strategy requires every user or device to be verified and vetted when trying to access a private network, even if they are requesting access from within.
According to Steve Wilson, principal analyst at Constellation Research, the definition of zero trust is: “Zero trust is saying: don’t assume anything. Allow agents and users the least privilege and the least access they need to get their jobs done. And don’t assume any privilege without verifying.”
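The contrast between the “moat around the castle” model and the zero-trust definition above can be made concrete with a small policy-decision function. The following is an added illustration, not code from the CYRIN article or from any product it mentions: one function grants access purely on network location (the perimeter model), the other ignores location and evaluates identity verification, least privilege, device posture and how recently the requester was verified, on every single request. All address ranges, sensitivity tiers, re-verification windows and sample requests are constructed for this example.

```python
"""Perimeter ("castle and moat") access decision versus a zero-trust decision.

Added example; all values below are constructed, not taken from any real deployment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed corporate address range; only the perimeter model consults it.
CORPORATE_NETS = [ip_network("10.0.0.0/8")]

# Constructed sensitivity tiers; a higher number means stricter requirements.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed re-verification windows in seconds per tier. "Continuous verification"
# means a past verification event ages out and must be repeated for sensitive assets.
REVERIFY_WINDOW_S = {"public": 86400, "internal": 3600, "confidential": 900, "restricted": 300}


@dataclass
class AccessRequest:
    user: str
    source_ip: str
    asset: str
    sensitivity: str              # key into SENSITIVITY
    action: str                   # e.g. "read", "write", "delete"
    role_permissions: frozenset   # actions the user's role explicitly allows on this asset
    mfa_verified: bool            # strong identity verification completed
    seconds_since_verification: int
    device_compliant: bool        # device posture check (patched, managed, encrypted) passed


def perimeter_decision(req):
    """Castle-and-moat: a request from inside the network is implicitly trusted."""
    src = ip_address(req.source_ip)
    if any(src in net for net in CORPORATE_NETS):
        return True, "inside perimeter: implicitly trusted"
    return False, "outside perimeter: blocked"


def zero_trust_decision(req):
    """Evaluate each request on identity, privilege, posture and freshness.

    Network location is deliberately not an input: an insider and a remote
    worker are judged by exactly the same rules.
    """
    if not req.mfa_verified:
        return False, "identity: requester not verified"
    if req.seconds_since_verification > REVERIFY_WINDOW_S[req.sensitivity]:
        return False, "continuous verification: verification too old for this asset, re-verify"
    if req.action not in req.role_permissions:
        return False, f"least privilege: role may not '{req.action}' {req.asset}"
    if SENSITIVITY[req.sensitivity] >= SENSITIVITY["confidential"] and not req.device_compliant:
        return False, "device posture: non-compliant device denied for sensitive asset"
    return True, f"allowed: verified {req.user}, compliant device, '{req.action}' on {req.asset}"


def compare(requests):
    """Return {label: (perimeter_allowed, zero_trust_allowed)} for a batch of requests."""
    return {label: (perimeter_decision(r)[0], zero_trust_decision(r)[0])
            for label, r in requests.items()}


# Constructed sample requests covering the cases the article describes:
# an insider (or an attacker posing as one), a remote worker, stale verification,
# an unmanaged device, and a request exceeding the role's permissions.
SAMPLE_REQUESTS = {
    "insider_no_mfa": AccessRequest("alice", "10.1.2.3", "hr-payroll-db", "restricted", "read",
                                    frozenset({"read"}), False, 30, True),
    "remote_worker_wiki": AccessRequest("bob", "203.0.113.5", "eng-wiki", "internal", "read",
                                        frozenset({"read", "write"}), True, 600, True),
    "stale_verification": AccessRequest("carol", "10.7.7.7", "hr-payroll-db", "restricted", "read",
                                        frozenset({"read"}), True, 7200, True),
    "unmanaged_device": AccessRequest("dave", "10.9.9.9", "customer-pii", "confidential", "read",
                                      frozenset({"read"}), True, 60, False),
    "remote_compliant_restricted": AccessRequest("erin", "198.51.100.8", "hr-payroll-db", "restricted",
                                                 "read", frozenset({"read"}), True, 60, True),
    "privilege_creep": AccessRequest("frank", "10.3.3.3", "eng-wiki", "internal", "delete",
                                     frozenset({"read"}), True, 10, True),
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        p_ok, p_why = perimeter_decision(req)
        z_ok, z_why = zero_trust_decision(req)
        print(f"{label:28s} perimeter={p_ok!s:5s} ({p_why}) | zero-trust={z_ok!s:5s} ({z_why})")
```

Run as a script and the table shows the two models disagreeing in both directions: every request from the constructed 10.0.0.0/8 range sails through the perimeter check, including the one with no identity verification, the one on an unmanaged device and the one whose role never allowed the action, while the compliant, freshly verified remote worker is blocked. The zero-trust function reverses each of those outcomes because it never reads the source address and re-evaluates posture and freshness on every call rather than once at login.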
Historical Roots & Future Projections For Zero Trust
Zero trust is not a new concept, even if it is appearing more frequently in federal mandates and on private industry’s cybersecurity radar. In fact, as early as 2010, Forrester Research analyst John Kindervag suggested that “an organization should not extend trust to anything inside or outside its perimeters.” In doing so, he helped to define the concept of zero trust. Adoption of zero-trust principles has been widened and aided by a May 2021 executive order declaring that the federal government “must adopt security best practices” and “advance toward zero-trust architecture.” Zero trust is expected to play a large part in federal cyber plans going forward, with more agencies implementing zero-trust architecture within their organizations.
Enabling a zero-trust strategy is not a one-and-done process; implementation involves layers of policies, procedures and technologies, which can be challenging for organizations. Another source of vulnerability and impediment to success is legacy technology; older systems often can’t work with or support the elements of a zero-trust security model. Financial constraints and resistance to change are additional barriers. Organizations generally can’t afford to replace existing security technologies and modernize legacy tech all at once, nor can they successfully move workers to new policies and procedures in one fell swoop.
In a September 2023 post on the ISACA site, Matt Chiodi, Chief Trust Officer at Cerby, said, “Legacy applications often fall in the ‘unmanageable’ category, and are one of the biggest, largely unknown, threats facing organizations today. These applications are the hole in most organizations’ zero trust strategy, as identity is a critical input to a zero-trust system. These applications don’t support standards like SSO and SAML, so they can’t be included in a zero-trust architecture. Recent research from the Ponemon Institute found that unmanageable applications, many of which are legacy systems, generate 10 to 15 percent of breaches annually.”
Many government agencies still use legacy systems to manage complex, critical business functions such as benefits programs and other mission-critical processes. But because these systems were developed before cybersecurity was a major concern, they lack the features that would make them more secure. It all adds up to a big headache for state and local governments that must defend themselves against evolving threats while managing legacy assets that cannot easily be upgraded or migrated to the cloud.
The ever-increasing need to “trust no one” is reflected in recent high-profile cybersecurity breaches that had major consequences: Colonial Pipeline, 23andMe, and MGM Resorts, just to name a few.
These attacks illustrate the need for more robust security measures. The Colonial Pipeline attack disrupted the East Coast’s fuel supply, leading to panic and economic consequences. The 23andMe hack violated the privacy of users; unauthorized access to genetic data put individuals at higher risk of discrimination, targeted attacks and even identity theft, and wrongful data placed in the wrong hands could severely affect a person’s health outcomes. Such sophisticated breaches point to the need for zero-trust models, which continually authenticate and authorize all users in real time, whether inside or outside the network, reducing the attack surface available to malicious actors and detecting and correcting threats as quickly as possible.
The Role Of AI In Zero Trust
Future cyberattacks will increasingly make use of artificial intelligence (AI), because of its ability to quickly evolve and adapt. Imagine AI-driven malware with the ability to scan networks, identify vulnerabilities, and modify its behavior in real time to evade detection. The ability of AI to continuously adapt emphasizes the need for a model like zero trust, where constant verification, monitoring, and limited access are the only reliable ways to stay ahead of these future threats.
In March 2024, the U.S. National Security Agency (NSA) released a cybersecurity information sheet, "Advancing Zero Trust Maturity Throughout the Network and Environment Pillar," recognizing Zero Trust Segmentation (ZTS) as a foundational element.
Widespread application of AI in zero trust may mark an important turning point. Zero-trust security operates on continuous verification and authentication: every request for access must be vetted to ensure that the person or thing attempting access is who they say they are. Rather than static security, AI-assisted continuous verification is dynamic, adaptable, and contextually rich. Smart application of AI in the zero-trust framework could help address a long-standing criticism of zero-trust initiatives, which is that layering on additional security controls can frustrate authorized users. By adapting security controls to moment-by-moment context along with historical trends, AI could be trained to find a middle ground where zero trust is enforced and, at the same time, impediments to authorized users are eliminated so they can get from point A to point B without hassle or confusion.
As a February 2024 article in SC World noted, “AI combines incredible speed, precision, and depth of data to give organizations a contextually-rich understanding of the threats that zero trust practices aim to root out. In the next few years, we may see a marriage of generative AI tools with zero trust playbooks that, for the first time ever, bring this long-sought security philosophy within reach.”
The Healthcare Connection
Zero-trust initiatives may be particularly critical in the healthcare industry, where access to sensitive data could have catastrophic or even fatal consequences. In a 2023 National Institutes of Health article, the American Hospital Association advised senior hospital leaders not to view cybersecurity as a purely technical issue falling solely under the domain of IT departments, stressing that cybersecurity measures are linked to patient safety. However, many organizations lack the cybersecurity knowledge or resources to adequately protect this highly sensitive data. In addition, healthcare organizations are in many cases likely to pay a ransom, because patient records are so valuable to malicious actors and cybercriminals. Stolen health records may sell for up to 10 times more than stolen credit card numbers on the dark web. The cost to remediate a breach in healthcare is almost 3 times that of other industries: an average of $408 per stolen healthcare record versus $148 per stolen non-health record. Hospitals are already under time and monetary pressure, and this creates a bind for both providers and doctors, who must balance access with security.
Currently, many organizations take a network-perimeter approach to cybersecurity, but as more ways to penetrate a network have been created, this strategy has become outdated. Given the importance of healthcare data, it seems only natural that healthcare systems should consider a zero-trust approach.
Both Industry & Government Moving To Zero Trust
The government has both taken note and taken action. President Biden’s 2025 budget request allocates $13 billion for cybersecurity spending across defense and civilian agencies — up almost 10% from 2024 — and significant chunks are set aside for zero-trust initiatives. Specifically, the FY 2025 budget requests $470 million for the Continuous Diagnostics and Mitigation (CDM) Program, which supports zero-trust implementation through a dashboard that offers a detailed view of the cyber landscape across the whole federal government. The Defense Department has offered leadership in demonstrating how to implement zero-trust strategies. While the Pentagon is certainly ahead of the curve — with agencies like the Defense Information Systems Agency taking truly innovative approaches — many DoD components are still in the early stages of their journeys.
It’s been nearly 15 years since former Forrester analyst John Kindervag brought the zero-trust concept into the mainstream, advising organizations to “trust no one” and “verify everything.” But it’s been a long haul for zero trust. While respondents to a recent CyberRisk Alliance (CRA) survey of 205 security and IT leaders almost universally regard zero trust as the right path forward, less than one-third have actually implemented zero trust in their organizations.
But even with the low rates of deployment, 62% of respondents believe that zero trust has grown in importance over the last 12 months. Because of that, a clear majority have plans to finalize a fully drawn-up zero-trust framework in 2024. Many respondents are looking to AI to come to the rescue. They say AI has the potential to help them identify breach attempts faster, reveal patterns in user behavior and network activity, and foil convincing phishing attempts.
Despite foreseeable challenges, zero trust is predicted to continue playing a big part in federal cyber plans in 2025 and to become widespread, with nearly every agency having some part to play in implementing zero-trust architecture within its systems and organizations. It’s also clear that industry will follow the federal government’s lead, with zero trust becoming the way of the future. The question is, when will that future arrive?
CYRIN’s Capabilities
At CYRIN, we understand AI and zero trust, including their cybersecurity implications. We continue to work with our industry partners to address major challenges such as the adoption of new paradigms like AI and zero trust. We set up realistic scenarios that allow our partners to train their teams and prepare new hires for the threats they will face. Government agencies have been using CYRIN for years, training their front-line specialists on the real threats faced on their ever-expanding risk surface.
For educators, we consistently work with colleges and universities both large and small to create realistic training that matches the environment students will encounter when they graduate and enter the workforce, including being at the forefront of new and future uses of cybersecurity.
Unless you get the “hands-on” feel for the tools and attacks and train on these real-world scenarios, you just won’t be prepared when the inevitable happens. The best time to plan and prepare is before the attack. Our training platform teaches fundamental solutions that integrate actual cyber tools from CYRIN’s labs, allowing you to practice 24/7, in the cloud, with no special software required. Cyber is a team effort; to see what our team can do for you, take a look at our course catalog, or better yet, contact us for further information and a personalized demonstration of CYRIN. Take a test drive and see for yourself!
Image: Olivier Le Moal