Zero Trust Architecture: Cybersecurity Panacea or Puzzle?


Posted on by Isla Sibanda

As cyberthreats increase in number and sophistication, the usual approaches to cybersecurity are becoming inadequate. The modern work environment has also shifted, leveraging hybridized infrastructures and a mix of remote and in-office employees. 

Protecting IT assets and cloud infrastructure has become essential but also more difficult than ever, making Zero Trust Architecture (ZTA) practical across a spectrum of businesses and industries, while also posing some pretty interesting questions along the way. 

What is Zero Trust Architecture (ZTA)?

The main feature of Zero Trust models, or frameworks, is (unsurprisingly) zero trust, meaning that every step in a digital interaction is checked. A breach is always suspected. The implicit trust of the past is gone. 

Verification and authorization are required for every connection and access request. They are based on all available data points, including “user identity, location, device health, service or workload, data classification, and anomalies.” Risk-based adaptive policies allow data protection without sacrificing business productivity and, as a result, businesses benefit from risk mitigation, ensure productivity, and the potential for effective, safe digital transformations. 

In this regard, the ‘no-nonsense approach’ of Zero Trust architecture upends older, perimeter-based models that inherently ‘trust’ everything within an organization’s network.

Zero Trust Use Cases

Organizations of all kinds often interact with outside agents, whether to hire help, work collaboratively with vendors or contractors, or engage with customers through digital experiences. However, allowing various degrees of access is a proposition with some peril.

As a result, use cases involve leveraging identity and access management (IAM) and multi-factor authentication (MFA) to identify users or devices and allow appropriate permissions. 

The number of IoT devices in use has more than doubled over the past five years to approximately 15 billion, and this trend will only continue growing. Furthermore, the proliferation of digital devices and technological transformations also come with increased safety risks. For example, AI and ML are double-edged swords—powerful tools that can be used for good or for bad, such as by cybercriminals who can now more easily launch attacks. 

Network Segmentation 

Segmentation allows organizations to enact individual security for each network segment. For example, IoT devices would each receive their own segment, also known as subnet, to limit lateral movement for bad actors, breaches, and malware. 

Zero-trust models are also increasingly used due to the shift in modern work culture. More employees than ever are working remotely, and Zero Trust architecture secures a company’s IT assets as workers move away from the office and receive access to a variety of devices. Unfortunately, one of the consequences of the viral pandemic was a virtual pandemic and a new culture of cyberthreats. 

Zero Trust Challenges and Shortcomings 

Zero Trust models can help businesses enact a modernized security posture allowing increased, real-time visibility, automated policies, and least-privilege principles via risk-based network accessibility mediated by just-in-time and just-enough access (JIT/JEA). 

However, many organizations are failing to implement Zero Trust frameworks due to actual or perceived problems with funding, IT integration, digital transformations, or simply because it may seem unnecessary—until a breach occurs. 

And while traditional ZTA methods are still more than effective, the rise of cloud automation presents a plethora of new challenges, especially because more and more organizations are looking to remove human bias, and ultimately, decision-making, from the equation. 

Additionally, those who pursue Zero Model transformations may face lengthy, difficult, or costly tech transitions, especially when facing integration issues with legacy applications. Experience and oversight are also needed to avoid leaving gaps if Zero Trust security is applied piecemeal. 

Potential Shortcomings and the Necessity for Properly Trained Employees 

No security feature is impregnable and Zero Trust risks include compromised user credentials or admin accounts. Elsewhere, attacks on local physical devices and trust broker security failures can introduce avenues for attacks.

Team members, regardless of their place in the organization hierarchy, must adapt. With the proliferation of AI and quasi-AI tools, we have to consider the notion that even low-level employees have to be somewhat knowledgeable about data science, further stretching the limits and constraints of ZTA and giving their superiors additional monitoring responsibilities during the implementation process.

Future Adoption for Zero Trust Frameworks

The future of cybersecurity architecture will involve increased adoption of Zero Trust and top-down implementation across governmental agencies, industries, and businesses. In fact, predictions project that 60% of organizations will employ Zero Trust architecture by 2025.

Zero Trust models are an exciting innovation in cybersecurity. With a rapidly evolving work environment, and advances in cybercrimes, it’s no surprise that this robust security technique is being more commonly adopted. Finally, as Zero Trust frameworks are more sophisticated than the conventional, perimeter-based models, it’s intriguing to imagine what the future of cybersecurity will bring.


Contributors
Isla Sibanda

Freelance Writer,

Security Strategy & Architecture

zero trust Cloud Infrastructure cloud security risk management Consumer Identity authentication Internet of Things

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs