The road to Zero Trust not necessarily paved with gold

Issue 5 2023 Editor's Choice, Access Control & Identity Management, Information Security

As discussed in my first article in this series, whilst Zero Trust must be the goal, there are a few potholes to navigate on the journey. Let me expand slightly more on these caveats, but also expose the greatest ally of Zero Trust.

Paul Meyer.

Peer-to-peer (P2P) technologies – prevalent in the late 1990s and very popular at that time – present another challenge on the road to Zero Trust. These technologies were widely used across enterprise workforces and are known to be capable of counteracting the principles of Zero Trust, particularly in Windows 10. Unless stringent Windows update sharing configurations are in place, P2P settings in this environment can inadvertently enable unauthorised lateral movement, exposing sensitive data.

Another potential weak point for Zero Trust implementations is the adoption of mesh network technology, where the trust model is built on keys or passwords and thus lacks the dynamic authentication necessary for robust Zero Trust setups. Relying entirely on keys or passwords for access has proven unsuccessful – one only has to look at recent high-profile breaches that highlight the hazards of this approach. Such protocols can easily be exploited by today’s highly tech-savvy cyber criminals, who appear to gain unrestricted access to sensitive resources with ease.

The ever expanding attack surface

Above are just some of the stumbling blocks to the implementation of Zero Trust, and if one adds the endpoint explosion through the internet of everything, the challenges are exponentially multiplied. For example, IoT is a major consideration for industries that already use a huge number of connected devices in their daily environments, as well as industries where this change is imminent.

There is not enough scope in this article to continue ad nauseam to outline the hurdles, and yet reveal how all can be conquered. But before I move to the positive, I must briefly touch on the all-important matter of regulatory compliance. New requirements are constantly emerging as legislators struggle to keep pace with the latest trends and technologies, but the bottom line is that enterprises must also keep pace or risk the consequences of cyber breaches, namely reputational damage, hefty fines and operational downtime.

If, in reading this, you are throwing your hands in the air and wondering just how much more difficult implementing Zero Trust can be, let me relieve some anxiety by noting that organisations tackling endpoint explosion can look to the cloud as a Zero Trust ally. Critical data can be taken off the endpoint and put in the cloud; cyber criminals cannot get information from the endpoint if it is not there in the first place.

Connecting to the cloud can provide better protection and visibility into traffic as it replaces connecting to head office, for example for remote employees. Zero Trust can be enforced through the cloud without inserting a firewall in front of every resource. This approach reduces the opportunity for attack as it simplifies the architecture.

The only certainty is change

Just as technology constantly changes, cybersecurity also continually evolves. The sophistication of technology change keeps pace with that of cyber threats, with risk escalating in step with the amount of data requiring protection. As you are no doubt aware, we are creating more information than we ever have before, and conversely, less than we will in the future. This is where the cloud comes into the picture again.

The consumer space has well and truly embraced the cloud, using it to store data about their entire lives – including their most sensitive personal information. Although businesses have been somewhat slower to adjust, this pattern is changing as companies adopt the cloud en masse, with 94% of enterprises utilising at least one cloud service and an estimated 83% of all enterprise workloads said to be in the cloud.

So, while the cloud has disrupted traditional cybersecurity, it has great ability to enable Zero Trust security in the era of information overload. It is only in the cloud that big data and analytics can be leveraged over huge networks of endpoints to predict and manage threats in real time. Only the cloud can be updated effortlessly and automatically with the latest security upgrades, keeping it a step ahead. The more pervasive the cloud becomes, the better it can mobilise to confront threats as soon as they emerge.

In conclusion

The path to Zero Trust is challenging, but with a clear vision, strong partnerships, and a commitment to security excellence, organisations can fortify defences against the relentless tide of cyber threats. To do this, businesses must embrace cutting-edge solutions that align seamlessly with their changing security needs, enabling them to remain resilient in the face of ever-evolving cybersecurity threats.

Paul Meyer is a Security Solutions Executive at iOCO Tech. He has over two decades of experience in IT Security technology covering application, identity, perimeter and endpoint security. He commenced his career as a Security Engineer Team Lead and has held senior positions with multiple security vendors and ICT service providers in South Africa.

In May 2022, Paul was appointed to the role of Security Solutions Executive at iOCO, where he is responsible for identifying, learning and bringing security solutions to market. The role is strongly focused on technically supporting the sales process and managing vendor relations.
