Can We Achieve Zero Trust?
Risk and Compliance - February 18, 2022
When the pandemic hit and it became essential to shift to a remote workforce, companies around the world
tried their best to keep the lights on. They had to reimagine their business processes, redistribute
responsibilities across their workforce and realign the necessary tools to support the remote working
environment. Threat actors saw this as an opportunity and there was a massive surge in cyberattacks. In an
August 2020 report, Interpol assessed that cybercrime had shifted significantly away from individuals and
small enterprises and toward large organizations, governments, and essential infrastructure. Between
February and March 2020, the agency observed a 569 percent increase in harmful registrations, including
malware and phishing, and a 788 percent increase in high-risk registrations.
This meant that organizations had to ensure business continuity while keeping their security measures
intact. For many, it proved to be a very difficult task. Now that the dust has settled and work is
returning to normal, firms around the world are looking for new measures and models, ones that are
foolproof and future ready. In this blog, we will look at one such security model, known as Zero Trust
security. We will assess its attributes and the challenges it addresses, and examine its applicability to
present and future threats.
What is Zero Trust?
Traditionally, computer networks used a "trust but verify" security architecture: any person or device
was considered trustworthy once it had been authenticated. That worked well for early computer networks
because companies could effectively regulate the devices and connections, as they all operated from a
single central place (on-premises).
The proliferation of telecommuting and mobile devices shifted the threat environment. Today, IT teams
must strike a balance between network security and the requirements of a mobile workforce. This led to
the need for a new paradigm to assure end-to-end device and network security, since attackers had
discovered that once they had "access," nothing stopped them from reading and stealing whatever they
wanted. This need led to the Zero Trust concept.
The term zero trust was coined in 2010 by Jon Kindervag, then vice president and lead analyst at
Forrester Research. It is based on the principle of "never trust, always verify." The network does not
differentiate between users, packets, interfaces, or devices based on their origin. Each individual
begins with the same amount of trust and must establish what or who they are in order to acquire access
to vital assets. Users get access to only the information necessary to fulfill the request.
Zero Trust Principles
Zero Trust is guided by the following principles:
1. Never Trust, Always Verify — Consider each user, device, workload, and piece of information to be
untrustworthy. Using dynamic security rules, authenticate each user and explicitly authorize only the
least amount of privilege necessary.
2. Assume Breach - Consciously operate and protect resources as though an adversary already has a
presence in the environment. By default, deny all users, devices, data flows, and requests for access.
All changes, resource requests, and network traffic should be logged, inspected, and continually
monitored for suspicious activity.
3. Clearly Verify — Access to all resources must be consistent and secure, using the characteristics of
different authentication methods (dynamic and static) to calculate confidence levels for relevant
Zero Trust Security: Key Objectives
1) Do Away With The Notion of Trust in a Network: When there is no trust, there are no trusted sources.
Each packet transmitted over a network must be permitted, authenticated, and encrypted. By treating all
communication equally (whether inside or outside the network) and constantly authenticating the user,
organizations make it far more difficult for attackers to breach the network.
2) Implement Vital Preventive Security Measures: Zero trust is a strategy; in order to establish
a network around this architecture, IT departments must design their networks with a few crucial
preventive security measures in mind.
This raises critical questions of identity and device verification: Is the person or device connecting
indeed who or what they claim to be? Is the device sufficiently protected? Is any odd behavior taking
place? These are the types of questions that a zero trust system must answer. When developers want to
increase the security of their apps, they generally turn to multi-factor authentication (MFA), which
requires one or more additional forms of authentication on top of the standard username and password.
Additionally, zero trust networks ensure that users and devices are always granted the least amount of
access feasible. Authorization is restricted to the minimum necessary to carry out an activity. In the
event of an attack, this limits the attacker's movement beyond the initial break-in point.
By approaching information security in this manner, it becomes significantly simpler to contain
security events. There is a reduced chance of compromise even with Bring Your Own Device (BYOD) programs
or insider attacks. Micro-segmentation is a technique that allows engineers to leave behind the
traditional "castle and moat" attitude of conventional network architecture, which places most of the
protection on the network perimeter. Instead, smaller zones are built within the typical perimeter to
further isolate network segments by device, purpose, or identity. For example, by compartmentalizing
security beyond the login page, an attacker who breaks in does not gain complete control over the
contents of the system.
3) Enable Real-time Breach Response Tactics:
While the measures described above significantly increase network security, break-ins do occur. To
contain them, network administrators should adopt real-time monitoring tools to increase the speed with
which they respond to incoming threats.
Along with monitoring, automatic remediation is critical. A computer can operate far faster than a
human, so many zero trust systems include some form of automated system for detecting, investigating,
remediating, and preventing further attack attempts.
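The principles and objectives above (deny by default, verify identity and device posture with static and dynamic attributes, grant least privilege, confine access to a micro-segment, and log every request because a breach is assumed) can be expressed as a single policy decision function. The following is an added illustration written for this post, not code from the original article; the users, roles, segments and confidence weights are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    resource: str
    action: str
    segment: str          # micro-segment the device is connecting from
    mfa_verified: bool    # dynamic attribute: second factor presented this session
    device_managed: bool  # dynamic attribute: device is enrolled and managed
    device_patched: bool  # dynamic attribute: posture check passed


# Least-privilege scopes: role -> resource -> allowed actions (constructed sample data)
ROLE_SCOPES = {
    "analyst": {"reports": {"read"}},
    "admin": {"reports": {"read", "write"}, "payroll": {"read"}},
}
USER_ROLES = {"alice": "analyst", "bob": "admin"}
# Micro-segmentation: a resource is reachable only from the listed segments
RESOURCE_SEGMENTS = {"reports": {"corp", "vpn"}, "payroll": {"corp"}}
MIN_CONFIDENCE = 70   # assumed threshold; a password alone never reaches it

DECISION_LOG = []     # assume breach: every request is recorded, allowed or not


def confidence(req):
    """Combine the static identity with dynamic device signals into a score."""
    score = 0
    if req.mfa_verified:
        score += 40
    if req.device_managed:
        score += 30
    if req.device_patched:
        score += 30
    return score


def decide(req):
    """Default deny: return (allowed, reasons) and log the decision."""
    reasons = []
    role = USER_ROLES.get(req.user)
    score = confidence(req)
    if role is None:
        reasons.append("unknown identity")
    if score < MIN_CONFIDENCE:
        reasons.append(f"confidence {score} below {MIN_CONFIDENCE}")
    if req.segment not in RESOURCE_SEGMENTS.get(req.resource, set()):
        reasons.append(f"segment {req.segment} may not reach {req.resource}")
    if req.action not in ROLE_SCOPES.get(role, {}).get(req.resource, set()):
        reasons.append(f"{req.action} on {req.resource} outside least-privilege scope")
    allowed = not reasons   # access is granted only when no check failed
    DECISION_LOG.append((req.user, req.resource, req.action, allowed, reasons))
    return allowed, reasons
```

Each denial carries the reasons that produced it, so the same log feeds both the monitoring and the automated remediation the post calls for.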
Obstacles to Zero Trust Implementation
While we have discussed the attributes of Zero Trust, including its principles, the main focus of this
blog is to analyze its applicability in the present age. While we praise its benefits, it is also
worthwhile to analyze its limitations and separate hype from reality.
While many of the Zero Trust procedures are sound and rational, many become difficult to attain due to
the following challenges that practically every business faces:
1. Outdated Apps
Technology is always evolving, and the apps of yesterday might be outdated tomorrow. Internal
application redesign, recoding, and redeployment may be costly and disruptive. To pursue these sorts of
activities, there must be a compelling business case. It is not always viable to add security settings
to existing apps to make them zero-trust aware. Unlikely, your existing applications do not yet support
As a result, your reliance on bespoke apps will influence whether or not you can embrace zero trust in
those processes, as well as the associated work and expense. This is especially true when programs are
not micro-perimeter compliant or lack the appropriate application programming
2. Legacy Systems
Most likely, legacy programs, infrastructure, and operating systems are not zero-trust aware. They have
no concept of least privilege or lateral movement, and they lack dynamic authentication models that
adapt to changing contexts.
To allow zero trust implementations, a layered—or wrapper—approach is required. However, a layered
approach encapsulates external access to the resource and allows interaction with the system only
occasionally. This undermines the zero-trust idea: you cannot always monitor the behavior of a program
that is incompatible. While you may scrape screens, capture keystrokes, and monitor logs and network
traffic for potentially malicious activity, your response time is restricted. You can restrict the
legacy application's external interaction with the user or other resources—but not the runtime itself.
This limits zero trust's scope, and depending on the features of the legacy application, companies may
discover that monitoring network traffic is impossible owing to stringent encryption standards.
3. Technologies Based on Peer-To-Peer Collaboration
Beginning in 2015, Windows 10 included a peer-to-peer mechanism that enables peer computers to exchange
Windows Updates to conserve Internet bandwidth. While some companies disable this feature, others are
unaware of its existence. This enables lateral movement between unregulated systems. While there are no
known vulnerabilities or exploits for this functionality, it does expose communications that violate the
zero-trust concept. There should be no lateral movement that is not authorized—even within a given micro
Additionally, you will discover that protocols such as ZigBee and other mesh network technologies run in
direct opposition to zero trust. They function via peer-to-peer communication, and their trust model
depends exclusively on keys or passwords, with no dynamic model for adjusting authentication.
Therefore, if you want to adopt zero trust, carefully examine whether your company uses peer-to-peer or
mesh network technologies, including those used in wireless networks. These are significant impediments
to implementing the access and micro-perimeter restrictions necessary for zero trust.
Even for enterprises capable of building a new data centre, implementing a role-based access model, and
fully embracing zero trust, digital transformation concerns might make the idea difficult to adopt.
The digital revolution facilitated by Cloud, DevOps, and IoT does not support the zero-trust paradigm,
as segmenting and enforcing the notion require extra technologies. This can be too expensive for big
deployments and may even impair the solutions' ability to handle access by many users effectively. If
you have any doubts, examine the storage needs and license fees associated with logging every event for
dynamic access to all resources used in the project.
While some may argue that the Cloud embraces segmentation and zero trust models, the truth is that it
all depends on how the Cloud is used. A straightforward transfer of your raised-floor data centre to the
cloud does not imply zero trust. If you construct a new application as a service in the cloud, it can surely embrace zero
However, merely migrating to the Cloud as part of your digital transformation does not mean that you
will automatically receive the benefits of the mandated zero trust paradigm. And if you want to adopt
zero trust and include it in your strategy, you can be assured that it will not function effectively
as a layered approach.
Can We Truly Achieve Zero Trust?
To resolve the Zero Trust concerns that have plagued cybersecurity for over a decade, you must flip
your mindset: prioritize strategy first and technology second. Recognizing that identity, device
integrity, access control, and continuous inspection are all necessary to accomplish Zero Trust is far
different from buying and deploying technologies that address a single cybersecurity issue without
regard for the larger picture of a strategic approach. Cybersecurity should always be aligned with
business objectives, and practitioners should understand that their purpose is not merely to identify
bad actors or prevent the next zero-day assault, but to keep the business functioning, even when
confronted daily with a barrage of cyber-attacks.
In the current state of the cyber world, the success of a firm is contingent upon its capacity to
safeguard its devices and network. Zero trust is the logical conclusion. However, that discussion is
meaningless until we understand how to implement it, and therein lies the rub: there are various
misconceptions about what zero trust truly entails.
At its heart, zero trust is a security framework that employs layered security measures and protections
to ensure that no one user, program, or device possesses the network's "trust." Everything is validated
and only the most restricted access is granted.
The following are some of the most fundamental questions an attacker asks when targeting an IT system:
Where does the trusted network come to an end?
How many systems can this trusted device access?
What can I do with this trusted username and password combination?
What are the similarities between these questions? They are all predicated on the idea that an
implicitly trusted component can confer a demonstrable offensive advantage on an attacker.
Attackers do get an advantage when they can take control of an implicitly trusted machine and gain
access to other systems without performing further security checks. On the other hand, Zero Trust
negates this benefit by eliminating the idea of trust from decision-making related to information access
and interaction with digital assets.
Surya Jatavallabhula is a Cyber Security and Risk professional with an extensive history in Banking,
and Education sectors. Surya has played various roles under security domains including CISO, Security
Information and Cyber Security, DevSecOps, Risk Management, Data privacy, Enterprise Security
Data Architecture, Technology Risk, and Portfolio Management after graduating in MS Risk Management from
of Business, New York University, U.S and M.B.A from Leeds University Business School, U.K.