Roman poet Juvenal once said, “Quis custodiet ipsos custodes?” which translates from Latin to “Who will watch the guards themselves?” 1
The model for cybersecurity is so archaic it almost dates to the medieval era. It might be absurd to hear, but many agree that it’s true. Currently, organizations have adopted a castle-like security approach where everything internal to the network is considered trusted, and everything external to the network is untrusted.4 However, the weakness with this model lies in its biggest blind spot: internal threats. In fact, according to Bank Info Security, “40% of breaches originate from authorized users.” 4
While these strategies were once effective at detecting or preventing infiltrators from disrupting networks, today's threats are on the rise, forcing organizations and their users to respond with firmer security priorities, in particular Zero-trust Network Access (ZTNA).
What is Zero-trust Security?
Zero-trust is a framework that removes implicit trust, regardless of the user's level of privilege.4 As opposed to the old mantra of “trust, but verify,” Zero-trust insists that we “never trust, always verify.” 3 In this regard, organizations benefit from an improved security posture by monitoring users, devices, and applications at the gateway, reducing the time and resources spent on investigations. As stated in a research study conducted by Forrester Consulting, “Zero-Trust solutions can help to enhance security and reduce the chance of a data breach by 50 percent.” 5
How Does it Work?
Zero-trust utilizes three lines of defence to help prevent security breaches and limit the blast radius of malicious attacks:
Verify Constantly
Since many of today’s devices rely on mobile retrieval and storage of data via cloud services, these devices are threat vectors to networks.7 As a result, Zero-trust works by assuming a breach has occurred and verifying every device, whether it is a business workstation or a personal device.1,3 Most notably, verifying with Multi-Factor Authentication (MFA) is central to Zero-trust, as it eliminates the risks involved with single sign-on verification. 4
Limit the Scope of a Breach
The basis of Zero-trust architecture is Network Segmentation. As ITPro puts it, “Systems and devices must be segregated according to the types of data they process and the access they permit. This can then limit the reach of a hacker once they get into the network.” 6 Effectively containing cybercriminals means forcing them to take more risks, and Network Segmentation does just that.
Further, Zero-trust minimizes lateral attacker movement by using the Least Privilege Access model, where users are assigned no greater level of access than is required to do their job.6 In the event that a breach occurs, cybercriminals will be limited in their scope of impact by these privilege constraints.
Automate Prevention, Detection and Response
Zero-trust relies on data collection to produce measurable action. However, logging security events is cumbersome because it generates heaps of data that are challenging for security teams to track. Machine learning and AI can mitigate this by emphasizing threat indicators that would otherwise go unnoticed.6 In other words, if anomalies in usage patterns occur, AI will flag these events so that cyber-defenders can contain them more swiftly than usual.6
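As an added illustration (not code from the original post or from any Zero-trust product), the three lines of defence above can be expressed as a single per-request policy check in Python. The role-to-segment map, the request fields, the "usual country" baseline and the sample requests are all constructed assumptions:

```python
from dataclasses import dataclass

# Constructed role map: the only segments each role may reach (least privilege).
ROLE_SEGMENTS = {"hr": {"hr-db"}, "dev": {"build", "staging"},
                 "ops": {"build", "staging", "prod"}}
# Findings that deny a request outright; any other finding only raises an alert.
HARD_DENY = {"mfa_required", "unmanaged_device", "segment_not_permitted"}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    segment: str
    mfa_verified: bool
    device_managed: bool
    src_country: str

def evaluate(req, usual_country):
    """Decide one request from scratch; returns (allowed, findings)."""
    findings = []
    # 1. Verify constantly: identity (MFA) and device posture on every request,
    #    so no earlier login or session grants implicit trust.
    if not req.mfa_verified:
        findings.append("mfa_required")
    if not req.device_managed:
        findings.append("unmanaged_device")
    # 2. Limit the scope: the role must explicitly permit this segment.
    if req.segment not in ROLE_SEGMENTS.get(req.role, set()):
        findings.append("segment_not_permitted")
    # 3. Automate detection: an unusual source country is flagged for
    #    defenders even when the request is otherwise allowed.
    if req.src_country != usual_country:
        findings.append("anomaly:unusual_country")
    return not (HARD_DENY & set(findings)), findings

def triage(requests, usual_country):
    """Evaluate a batch and return only the requests a defender should review."""
    results = [(r.user, r.segment, *evaluate(r, usual_country)) for r in requests]
    return [row for row in results if row[3]]

# Constructed sample requests (not real log data); the usual country is "CA".
SAMPLE = [Request("alice", "dev", "staging", True, True, "CA"),
          Request("alice", "dev", "prod", True, True, "CA"),
          Request("bob", "ops", "prod", True, True, "RU"),
          Request("carol", "hr", "hr-db", False, True, "CA")]

if __name__ == "__main__":
    for row in triage(SAMPLE, "CA"):
        print(row)
```

Note that bob's request is allowed but still surfaced to defenders, which is the point of automating detection: the anomaly is visible without a human reading every access log.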
Moving forward, Zero-trust will reimagine the “castle framework” by equipping its army with better protection to handle infiltrators entering from anywhere, rather than reinforcing the perimeter with defences.
References
1. Nolle, T. B. T. (2022, January 17). Zero trust is hard but worth it. Network World. Retrieved January 19, 2022, from https://www.networkworld.com/article/3647290/zero-trust-is-hard-but-worth-it.html
5. Noureen, R. (2022, January 13). Zero trust helps drive 50% lower chance of Data Breach. Petri IT Knowledgebase. Retrieved January 19, 2022, from https://petri.com/microsoft-zero-trust-data-breach-reduced-risk
Zero-trust framework makes more sense to me than the old system. Though hackers can still attack individuals to break into the system, their scope of damage is limited.
Hi,
MFA is an interesting topic as it is something many individuals are often annoyed about, due to the extra steps needed to access their accounts. Often times, individuals try to opt out of this extra authentication until they get their account accessed by an unauthorized individual. MFA often requires one or more additional verification factors, which decreases the likelihood of a successful cyber attack. When users are required to identify themselves by more than a username and password, there is increased confidence that an organization or an individual will stay safe from cyber attacks and cybercriminals. I personally feel safer when I have an account that requires more than just my username and password to log in, even if it requires more time to do so!
I feel like using Zero trust security is better because it protects our data and it works efficiently by resolving the network errors; it keeps track of our logins, and every time we log in it asks us to authenticate to make sure it's us. It finds the vulnerable paths and protects them, and personally I would enroll in such a protection because I would rather spend time logging in with my credentials and MFA than get stressed about whether my account and data are safe and whether the information is being accessed by others.
Great post!
I feel that zero trust would resolve many of the security issues involved with users and would greatly reduce the breaches associated, but the problem is getting people on to tools like MFA. As it seems like some users don’t want to go against the hassle of constantly verifying themselves. Like discussed in class many people hate MFA on certain ucalgary applications and if applied broadly to the general public it seems like a lot of people would not use or avoid services that force MFA. Although zero-trust security will increase security by a lot, I’m not sure how widely it will be adopted by consumers. Good post however, and it leads quite nicely into our next topics on Identification, Authentication, and Authorization.
This framework seems to be trustworthy in terms of authentication, validation and also verification. In that sense, I think it is less vulnerable compared to other authentication services. I really admire the involvement of AI and ML in handling in the data breaches, at the same time would propose the involvement of AES/ RSA. It now depends how customers could be encouraged in enabling this form of authentication in their devices.
Zero-trust is a really interesting concept. Overall, the impression I get is that it entails switching from a castle model to something modeled on a high-security institution like the CIA with multiple levels of security clearance. It also seems to me like the term, “zero-trust,” is something of a misnomer. It is more like “minimized trust.” This language gives me the impression that cybersecurity is often framed in absolute, rather than probabilistic terms. The point is not to completely eliminate breaches. That is probably impossible. The point is really to make breaches highly unlikely. I wonder if this kind of framing has an impact on the quality of cybersecurity strategies and technologies. All that being said, no-trust sounds quite promising.
Interesting post! I’d never actually heard of modern computer structures being related to a castle like that, but it totally makes sense. Zero-trust sounds like an interesting architecture, especially for reducing attacks based on scaling up user privileges, and if those and other insider based attacks truly make up nearly half of all breaches, we could definitely stand to improve security by adopting it. One problem I can definitely see is people not wanting to go through the process of verification so often – we can see how people feel about just having to use two-factor once a month, but if it gains commercial merit I can see larger companies and government organizations being the first to use it consistently.
Hey, great post. I liked how you highlighted a new security feature that I had never heard of. I think this can be a great benefit to organizations and individuals alike. However, as Nguyen mentioned, individuals can often be targeted to extract their necessary information and breach security protocols. Nonetheless, zero trust takes on a pessimistic approach to security and I think it can work wonders in the realm of cyber security. However, I have a question for you. How do you think zero trust would impact the trust of those who are always subjected to it? I am sure this would generate some hostility, as everyone is viewed as a potential aggressor, unless a fine balance could be achieved to reconcile the two aspects.
After reading this post, I am able to see why zero trust is the way to go. But I wonder if this is going to slow things down; would the constant need to reverify oneself make things take longer? But I guess if it does, it would benefit applications that prioritize security more than speed.