Every company has different cybersecurity priorities, but top-level trends tend to bubble up to the top among all organizations. The stage these organizations are at in those trends is what varies from company to company. Some organizations are at the cutting edge of their cybersecurity with the need to protect not just massive amounts of money for financial industries, but also personally identifiable information (PII), or simply their reputation. Others would rather buy a new excavator, turbine, or medical device that would directly affect their bottom line.
Most companies we talk to share Zero Trust as a major high-level security topic or strategy, and that discussion certainly continued during our attendance at the ISMG Fraud and Breach Summit.
Does Zero Trust truly exist, is it a road map, or is it simply a belief or concept that helps formulate our thinking around how security should be implemented?
One vendor’s keynote argued that Zero Trust doesn’t exist. To truly and completely have Zero Trust in the cybersecurity industry, you would need to completely erase, unplug and shut down a system, but we all know that’s not logical. This is why I believe that Zero Trust is closer to a concept to strive for, but not one we can fully achieve without making your systems unusable. With that being said the mythology of only giving “trust” to the people, software robots or machines that need it is something every company should strive for. We should no longer offer wide levels of access just because it's easier, or because they are system admins and they are “trusted individuals.”
Alongside ISMG’s Nick Holland, SSH.COM CTO Markku Rossi co-hosted a special intimate lunch with many of the security leaders that are making critical cybersecurity-related decisions for their companies. As part of the event, each participant ranked their “Zero Trust Readiness” from 1 to 10, with 10 meaning having a fully Zero Trust environment. The answers didn’t come as a surprise to us, but with an average answer in the 2-4 range, maybe it should.
Zero Trust has been a concept for at least one and a half years. So why aren’t some of the most advanced and cutting edge companies when it comes to cybersecurity still at such low levels of Zero Trust readiness? We believe it's for a few reasons.
- First, it’s almost impossible to completely define Zero Trust holistically across all companies or industries.
- Second, vendors are doing a great job trying to cover the most critical levels of access, but technologies are so widespread, with different access capabilities, functionality, and protocols, that it’s difficult to get full Zero Trust coverage.
- Lastly, companies struggle to narrow down a starting point without getting stuck in the weeds of planning.
Zero Trust needs to be easy to set up, user adoptable, automated and dynamic like the new environments we are seeing these days. There are already opportunities to act now in advancing your Zero Trust journey. Zero standing privileges (ZSP) and Just in Time access (JIT) is a part of the overwhelming concept of Zero Trust that companies can act on now. JIT and ZSP provide access to only those users that should have it only when they should have it and also make sure that the privileges aren’t always active. Access shouldn’t be on all the time, the credentials should be short-lived, and the end users should never be given visibility to those credentials to prevent accidental or intentional bypassing of access restrictions.
Although as a whole we have a long way to go with our overall Zero Trust readiness, I enjoyed seeing the passion, acceptance, eagerness to learn, and wiliness to continue to push cybersecurity forward. I want to personally thank those that spent time with us at the ISMG event and look forward to engaging with you and anyone else that shares that same passion in the future as you all progress along your Zero Trust and zero standing privileges journey.
PS: Our Zero Trust PAM project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 881221.
