What is zero trust?It depends on what you want to hear


The confusion about the true meaning and purpose of zero trust makes it more difficult for people to implement these ideas in practice. Supporters basically agree with the overall goal and purpose behind the phrase, but busy executives or IT administrators who have other things to worry about can easily go astray. The final security protection implemented is only to strengthen the old methods instead of introducing new methods. .

“For the past 20 years, what the security industry has been doing is just adding more bells and whistles to the same methodology-such as artificial intelligence and machine learning,” Paul Walsh, founder and CEO of Zero Trust Anti-Phishing Company Say meta certificate. “If it’s not zero trust, then no matter what you add, it’s just traditional security.”

However, cloud providers in particular are able to integrate zero trust concepts into their platforms and help customers adopt these concepts in their own organizations. But Phil Venables, Chief Information Security Officer of Google Cloud, pointed out that he and his team spent a lot of time discussing with customers the true meaning of zero trust and how they can apply these principles to their Google Cloud use and other purposes.

“There is a lot of confusion there,” he said. “Customers said,’I thought I knew what zero trust is. Now everyone describes everything as zero trust, and I know less and less about it.'”

In addition to agreeing on the meaning of the phrase, the biggest obstacle to zero-trust proliferation is that most of the infrastructure currently in use is designed under the old moat and castle network model. There is no easy way to transform these types of systems to achieve zero trust, because the two methods are fundamentally different. Therefore, the idea behind implementing zero trust anywhere in the organization may involve significant investment and the inconvenience of rebuilding legacy systems. These are the types of projects that face the risk of never being able to complete.

Despite the Biden administration’s plans, this makes the implementation of zero trust in the federal government — a hodgepodge of the government’s use of vendors and legacy systems, requiring a large investment of time and money to overhaul — particularly daunting. Jeanette Manfra, a former assistant director of cybersecurity at CISA, joined Google at the end of 2019. He witnessed the differences from government IT to the technology giant’s own zero-trust-focused internal infrastructure.

“I come from such an environment. In this environment, we have only invested a lot of taxpayers’ money to protect very sensitive personal data and task data, and see the friction you experience as a user, especially when paying more attention to In a safe institution,” she said. “You can have more security with The better user experience surprised me. “

This is not to say that zero trust is a security panacea.Security professionals (known as “red teams”) who are paid to invade the organization and discover its digital weaknesses have Start learning What it takes to break into a zero trust network. And in most cases, it is still easy to simply take into account the concept of zero trust in the parts of the target network that have not yet been upgraded.

“A company that migrates its infrastructure to the outside and puts it in the cloud of a zero-trust provider will shut down some traditional attack paths,” said long-time red team member Cedric Owens. “But to be honest, I have never worked in a completely zero-trust environment or a red team.” Owens also emphasized that although zero-trust concepts can be used to substantially strengthen an organization’s defenses, they are not foolproof. He pointed out that cloud misconfiguration is just one of the weaknesses that companies may unintentionally introduce when transitioning to a zero-trust approach.

Manfra stated that it takes time for many organizations to fully grasp the benefits of a zero-trust approach, rather than the methods they have relied on for decades. However, she added that the abstract nature of zero trust has its advantages. Thinking about concepts rather than specific products can provide flexibility and potential longevity that specific software and tools do not have.

“Philosophically, it seems very durable to me,” she said. “Want to know what and who is in contact with what and who in your system is always useful for understanding and defense.”

More exciting connection stories


Source link