CISOs today find their agendas dominated by the need to reduce the complexity and costs of securing multicloud infrastructure while consolidating tech stacks to save on costs and increase visibility. That makes zero trust a priority. Seventy-five percent of security leaders say their cybersecurity systems and tech stacks are too complex and costly to operate. That’s why CISOs are relying more and more on zero-trust initiatives to simplify and strengthen their enterprises’ cybersecurity postures and secure every identity and endpoint.
More than a third of CISOs (36%) say they have started to implement components of zero trust, while another 25% will start in the next two years, according to PWC’s 2023 Global Digital Trust Insights Report. The drive to simplify cybersecurity with zero trust is driving one of the fastest-growing markets in enterprise IT. It’s projected that end-user spending on zero-trust network access (ZTNA) systems and solutions globally will grow from $819.1 million in 2022 to $2.01 billion in 2026, achieving a compound annual growth rate (CAGR) of 19.6%. Global spending on zero-trust security software and solutions will grow from $27.4 billion in 2022 to $60.7 billion by 2027, attaining a CAGR of 17.3%.
Defining zero-trust security
Zero-trust security is an approach to cybersecurity that does not assume any user, device or system is completely trusted. Instead, all users and systems, whether inside or outside of the organization’s network, must be authenticated, authorized and continuously validated for security configuration and posture in order to gain or retain access to applications and data. Under zero trust, there’s no longer any reliance on a traditional network edge. Gartner’s 2022 Market Guide for Zero-Trust Network Access provides valuable insights into what CISOs, CIOs and their teams need to know about zero-trust security today.
In 2008, John Kindervag at Forrester Research started looking into security approaches focused on the network perimeter. He saw that the existing trust model, which labeled the external interface of a legacy firewall as “untrusted” and the internal-facing interface as “trusted,” was a significant contributor to data breaches.
After two years of research, he published a report in 2010 titled No More Chewy Centers: Introducing the Zero Trust Model of Information Security, courtesy of Palo Alto Networks. This report marked the beginning of the zero-trust security model, revolutionizing security controls with a granular and trust-independent approach. It’s an excellent read with insights into how and why zero trust started.
Kindervag, Dr. Chase Cunningham, chief strategy officer (CSO) at Ericom Software, and other cybersecurity industry leaders wrote The President’s National Security Telecommunications Advisory Committee (NSTAC) Draft on Zero Trust and Trusted Identity Management. It’s a thorough document and worth a read as well. The draft defines zero trust as “a cybersecurity strategy premised on the idea that no user or asset is to be implicitly trusted. It assumes that a breach has already occurred or will occur, and therefore, a user should not be granted access to sensitive information by a single verification done at the enterprise perimeter. Instead, each user, device, application, and transaction must be continually verified.”
NIST 800-207 is the most comprehensive standard for zero trust, designed to flex or scale to meet the threats that organizations of every size face today. The NIST standard ensures compatibility with elements from Forrester’s ZTX and Gartner’s CARTA frameworks, making it the de facto standard in the industry. By adhering to this standard, organizations can enable a cloud-first, work-from-anywhere model while safeguarding against malicious attacks. Leading zero-trust vendors, including CrowdStrike, are taking a leadership role in creating NIST-compliant architectures and platforms.
Vendors that have created and implemented zero-trust applications and platforms that comply with the NIST framework can demonstrate their compliance by proving there is no need to change the architecture, even if a CIO or CISO chooses to switch to a different vendor. Source: Zero Trust Security Explained: Principles of the Zero Trust Model, CrowdStrike, Kapil Raina, October 17, 2022
Zero trust’s most surprising result
VentureBeat recently had the opportunity to interview Kindervag, who currently serves as senior vice president, cybersecurity strategy and ON2IT group fellow at ON2IT Cybersecurity. Kindervag is also an advisory board member for several organizations, including the offices of the CEO and president of the Cloud Security Alliance where he is a security advisor.
Kindervag says that the most surprising results zero-trust initiatives and strategies deliver are streamlining audits and ensuring compliance. “The biggest and best unintended consequence of zero trust was how much it improves the ability to deal with compliance, and auditors and things like that,” he told VentureBeat during the interview. He continued by relating something a Forrester client at the time had said: “The lack of audit findings and the lack of having to do any remediation paid for my zero-trust network, and had I known that early on, I would have done this earlier.”
Start simple with zero trust to get the best results
“Don’t start with the technology; start with a protect surface,” Kindervag advised during our interview. CISOs and CIOs tell VentureBeat that their zero-trust initiatives and strategies can be affordable as well as effective. As Kindervag advises, starting with the protect surface and identifying what’s most important to protect simplifies, streamlines and reduces the cost of zero-trust initiatives.
Kindervag concurs with what CIOs and CISOs have been telling VentureBeat over the last 18 months. “I tell people there are nine things you need to know to do zero trust: you know, the four design principles, and the five-step design, methodology design, and implementation methodology. And if you know those nine things, that’s pretty much it, but everybody else tends to make it very difficult. And I don’t understand that. I like simplicity,” he says.
Where zero-trust strategies are delivering results
Taking a simplistic approach to zero trust and concentrating on the protect surface is solid advice. Here are the areas where enterprises are getting results from their zero-trust initiatives and strategies in 2023 as they heed John Kindervag’s advice:
Prioritize managing privileged access credentials at scale
“Eighty percent of the attacks, or the compromises that we see, use some form of identity/credential theft,” said CrowdStrike co-founder and CEO George Kurtz at CrowdStrike’s Fal.Con event. That’s why privileged access management (PAM) is another critical component of zero-trust security. PAM is a security system designed to manage privileged users, credentials and access to data and resources. Organizations create a database that stores privileged user information, such as usernames, passwords and access privileges. The system uses the database to control and monitor privileged-user access to data and resources.
Enterprises are shifting from traditional on-premises systems to cloud-based PAM platforms because of their greater agility, customization and flexibility. CISOs’ need to consolidate their technology stacks is also playing a role in the convergence of identity access management (IAM) and PAM platforms. It’s expected that 70% of new access management, governance, administration and PAM deployments will be on cloud platforms.
Pilot and migrate to more secure access controls, including passwordless authentication
Cyberattackers greatly value passwords that allow them to impersonate legitimate users and executives and freely move across enterprise networks. Their goal is to move laterally once they’re on the network and exfiltrate data. “Despite the advent of passwordless authentication, passwords persist in many use cases and remain a significant source of risk and user frustration,” write Ant Allan, VP analyst, and James Hoover, principal analyst, in the Gartner IAM Leaders’ Guide to User Authentication.
Gartner further predicts that by 2025, more than 50% of the workforce and more than 20% of customer authentication transactions will be passwordless, significantly increasing from less than 10% today. Cybersecurity leaders need passwordless authentication systems that are so intuitive that they don’t frustrate users, yet provide adaptive authentication on any device.
Fast Identity Online 2 (FIDO2) is a leading standard for this type of authentication. Expect to see more IAM and PAM vendors expand their support for FIDO2 in the coming year. Leading vendors include Ivanti, Microsoft Azure Active Directory (Azure AD), OneLogin Workforce Identity, Thales SafeNet Trusted Access and Windows Hello for Business.
Ivanti’s Zero Sign-On (ZSO) solution, a component of the Ivanti Access platform, is unique because it eliminates the need for passwords by providing passwordless authentication on mobile devices. Ivanti has invented an authentication technology that relies on FIDO2 authentication protocols. ZSO also implements a zero-trust approach, where only trusted and managed users on sanctioned devices can access corporate resources.
Ivanti’s unified endpoint management (UEM) platform is at the center of the solution, creating the foundation for the platform’s end-to-end, zero-trust security approach. As secondary authentication factors, Ivanti uses biometrics, including Apple’s Face ID.
Combining passwordless authentication and zero trust, ZSO exemplifies how vendors are responding to the increasing demand for more secure authentication methods.
Monitor and scan all network traffic
Every security information and event management (SIEM) and cloud security posture management (CSPM) vendor aims to detect breach attempts in real time. A surge in innovations in the SIEM and CSPM arena makes it easier for companies to analyze their networks and detect insecure setups or breach risks. Popular SIEM providers include CrowdStrike Falcon, Fortinet, LogPoint, LogRhythm, ManageEngine, QRadar, Splunk and Trellix.
Enforce zero trust at the browser level to simplify and scale across an enterprise
CISOs are getting good results from using web application isolation techniques, which air-gap networks and apps from malware on user devices by using remote browser isolation (RBI). This is different from traditional web application firewalls that protect network perimeters. IT departments and cybersecurity teams use this method to apply granular user-level policies to control access to applications and limit the actions users are allowed to complete on each app.
IT departments and cybersecurity teams use these policies to control access and actions for file uploads and downloads, malware scanning, data loss prevention (DLP) scanning, clipboard actions, and data entry in text fields. Application isolation helps to “mask” the application’s vulnerabilities, thereby protecting against the OWASP top 10 web application security risks. For file policies, taking steps such as limiting allowed file types, verifying file types by content rather than by name, and removing unnecessary metadata can prevent file-upload attacks. IT departments can also set file-size limits to prevent denial-of-service attacks.
Ericom leverages its extensive experience in remote browser isolation (RBI) in its web application isolation (WAI) technique, aimed at helping small and medium businesses with their zero-trust security initiatives and frameworks. Source: Ericom
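The file-policy steps listed above (allowed types, content verification, metadata removal, size limits) as an added, self-contained example; this is illustrative code written for this article, not Ericom’s or any vendor’s product, and the 5 MB limit, the three allowlisted types and the sample PNG are constructed assumptions.

```python
import re
import struct
import zlib

# Constructed example of an upload policy (not the article's or any vendor's code):
# size ceiling, extension allowlist, content-signature check, metadata stripping.
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed policy limit

# extension -> leading bytes the content must carry (standard format signatures)
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Apply the policy in order: size limit, extension allowlist, then content signature."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "exceeds size limit"
    m = re.search(r"(\.[A-Za-z0-9]+)$", filename)
    ext = m.group(1).lower() if m else ""  # only the final extension is considered
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} not allowlisted"
    if not data.startswith(ALLOWED_TYPES[ext]):  # the name says one type, the bytes say another
        return False, f"content is not a {ext} file"
    return True, "ok"


def strip_png_text_chunks(data: bytes) -> bytes:
    """Drop tEXt/iTXt/zTXt metadata chunks; every other chunk is copied verbatim with its CRC."""
    out, pos = bytearray(data[:8]), 8  # keep the 8-byte PNG signature
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4-byte length + 4-byte type + payload + 4-byte CRC
        if ctype not in (b"tEXt", b"iTXt", b"zTXt"):
            out += data[pos:end]
        pos = end
    return bytes(out)


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk with a correct CRC (used only to construct the sample)."""
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


# Constructed 1x1 PNG that carries a tEXt comment, used as sample input
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n"
              + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"tEXt", b"Comment\x00built on internal host")
              + _chunk(b"IEND", b""))
```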
Get quick wins in microsegmentation, and don’t let implementation drag on
Microsegmentation is a security strategy that divides networks into isolated segments. This can reduce a network’s attack surface and increase the security of data and resources. Microsegmentation allows organizations to quickly identify and isolate suspicious activity on their networks. It is a crucial component of zero trust, as outlined in NIST’s zero-trust framework.
Of the many microsegmentation providers today, the most innovative are Airgap, Algosec, ColorTokens, Prisma Cloud and Zscaler Cloud Platform. Airgap’s Zero Trust Everywhere solution adopts a microsegmentation approach that treats each identity’s endpoint as a separate entity and enforces granular policies based on contextual information, effectively preventing any lateral movement.
Airgap’s Zero Trust Everywhere solution includes an autonomous policy framework that enforces business policies as devices enter and leave the network, reducing the attack surface on enterprises’ private applications. Source: Airgap.io
Self-healing endpoints deliver solid cyber-resilience results and are worth considering as part of a zero-trust initiative
Enterprises need to improve the cyber-resilience of their endpoints by adopting self-healing endpoint platforms. The leading cloud-based endpoint protection platforms can monitor devices’ health, configuration and compatibility while preventing breaches. Leading self-healing endpoint providers include Absolute Software, Akamai, BlackBerry, CrowdStrike, Cisco, Ivanti, Malwarebytes, McAfee and Microsoft365.
Absolute Software’s approach to endpoint resilience is a good fit for many enterprises looking to increase their cyber-resilience. Absolute’s self-healing technology provides a hardened, undeletable digital tether to every PC-based endpoint — a unique approach to endpoint security. Built into the firmware of over 500 million endpoint devices, this technology monitors the health and behavior of critical security applications using proprietary application persistence technology. Forrester has recognized the self-healing capabilities of Absolute’s endpoint security in a report titled The Future of Endpoint Management.
Absolute has also capitalized on its insights from protecting enterprises against ransomware attacks in its Ransomware Response solution.
CISOs tell VentureBeat that cyber-resiliency is just as critical to them as consolidating their tech stacks, with endpoints often the weakest link. The telemetry and transaction data that endpoints generate is one of the most valuable sources of innovation the zero-trust vendor community has today. Expect to see further stepwise use of AI and machine learning to improve endpoint detection, response and self-healing capabilities.
Zero-trust security is a cybersecurity strategy that assumes all entities on a network are not trusted, even those within a network. It is a fundamental shift from traditional network security models that rely on perimeter defense and trust all internal traffic. Zero-trust security protects an organization’s data and systems by authenticating users, devices and applications before granting access to the network.
Organizations can use several strategies to succeed with their zero-trust security initiatives in 2023. These strategies include implementing identity access management (IAM) systems, privileged access management (PAM) solutions, microsegmentation, self-healing endpoints and multifactor authentication. Adopting these strategies, organizations can ensure that their data and systems are secure, and quickly detect and respond to threats.
Implementing a zero-trust security strategy is essential for any enterprise that wants to protect its data and systems from malicious actors. By adopting the strategies outlined in this article, organizations can ensure a successful zero-trust security strategy in 2023 and beyond.