Four common zero-trust misconceptions derailing cybersecurity success

Illumio

By John Kindervag*
Friday, 26 July, 2024

More than 10 years ago, I published a paper introducing the zero-trust model of information security. I’m encouraged that today it has become fundamental across all industries — global Forrester research found that 72% of security decision-makers at larger organisations plan to embark on a zero-trust initiative or are already doing so. In Australia, the federal government has even set a target to have a ‘zero-trust culture’ embedded across the Australian public service by 2030.

While heartened by this progress, I have concerns that some common misconceptions will stall the progress of zero-trust adoption and best-practice use. I’m on a mission to debunk these fallacies to help organisations understand and address them, thereby helping teams enhance their security posture. It’s a long list, so let’s focus on the four misconceptions I most often encounter.

Misconception 1: Zero trust means making a system trusted

The zero-trust model means that security teams must remove the concept of trust from their cybersecurity strategy and all systems. Doing so ensures the team grants every user, packet, network interface and device the same default trust level: zero.

It’s important to remember that trust relates exclusively to individuals, not digital settings. Identity credentials can be compromised, networks are susceptible to hacking, and malicious insiders often hold trusted positions. When a malicious external actor gets access to the internal network, they automatically become a ‘trusted insider’. This means they can exploit the trust model for their nefarious purposes. Consequently, it’s impossible to be sure that the source of network traffic is genuinely trustworthy: an asserted identity is merely a claim, not the verification of a person.

Misconception 2: Zero trust is about identity

Identity is only one piece of the zero-trust puzzle. While zero trust recognises that the traditional security perimeter has become obsolete, treating identity as the new perimeter is a reductionist and inadequate security approach. Start by verifying identity, but merely confirming who is accessing data or the network falls short: context is equally crucial.

You should think of identity as just a preliminary step into the zero-trust framework: a comprehensive approach that incorporates contextual data — such as time of day, device type, posture checks and risk assessments. Make sure to follow the Kipling method and ask the following questions. Who should have access to which resource? When should that access be allowed? Where is the resource located (the protect surface)? Why do we have this policy in place (tags, labels, data classification or other useful metadata)? And finally, how do we review the packet to decide whether to allow it to access the resource?

Importantly, do not ignore context while discussing access control. Start with identity, then add advanced contextual markers to ensure secure access.
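The default-trust-of-zero principle from Misconception 1 and the Kipling-method questions above can be made concrete as a small default-deny policy engine. This is an added example, not code from the article or from Illumio; the identities, application names, protect surfaces, time windows and risk scores in it are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Constructed example: an access request carrying both the asserted
# identity (a claim, not proof) and the contextual markers the article
# lists (time of day, device posture, risk assessment, protect surface).
@dataclass(frozen=True)
class Request:
    who: str             # asserted identity
    what: str            # application or service making the request
    when: time           # time of day of the request
    where: str           # protect surface (resource) being accessed
    device_posture: str  # e.g. "compliant" or "unmanaged"
    risk_score: int      # 0 (low) .. 100 (high) from a risk assessment

# A rule written along the Kipling dimensions: who, what, when, where, why.
# The "how" is the enforcement point that evaluates every request against
# these rules (the decide() function below).
@dataclass(frozen=True)
class Rule:
    who: frozenset
    what: frozenset
    where: str
    window: tuple        # (start, end) time of day the access is allowed
    why: str             # justification / data classification label
    max_risk: int        # highest acceptable risk score
    require_posture: str = "compliant"

    def matches(self, r: Request) -> bool:
        return (r.who in self.who and r.what in self.what
                and r.where == self.where
                and self.window[0] <= r.when <= self.window[1]
                and r.device_posture == self.require_posture
                and r.risk_score <= self.max_risk)

def decide(rules, request):
    """Default trust level is zero: deny unless a rule explicitly allows."""
    for rule in rules:
        if rule.matches(request):
            return ("allow", rule.why)
    return ("deny", "no matching rule (default deny)")

# Constructed policy: a payroll clerk may reach the HR database from the
# payroll application, during business hours, from a compliant device.
RULES = [
    Rule(who=frozenset({"payroll-clerk"}), what=frozenset({"payroll-app"}),
         where="hr-db", window=(time(8), time(18)),
         why="PII: payroll records", max_risk=30),
]
```

Running the same identity through the engine with an off-hours timestamp, an unmanaged device or a high risk score shows why a verified identity alone never earns access.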

Misconception 3: I can buy zero-trust products

Zero trust is a framework, not an SKU. This framework requires companies to rethink their philosophy and approach to trusted network users and devices. It’s not a product, although security teams can use many tools to implement zero-trust-based security infrastructures.

Moreover, zero trust does not demand a complete overhaul of existing security systems. It leverages current technology to support the zero-trust mindset, adding new tools as needed.

Misconception 4: Zero trust is too difficult to implement

While the idea of adding new tools may seem daunting, in reality the zero-trust framework reduces cybersecurity complexity. The strategy is rooted in simplicity, predicated on debunking the broad security industry myth that cybersecurity teams must prevent all intrusions. That’s a fool’s errand; intrusions are unavoidable. Zero trust instead aims to prevent data breaches, which according to the Office of the Australian Information Commissioner (OAIC) occur when personal information is accessed or disclosed without authorisation or is lost.

Modern cybersecurity environments have become increasingly complex, distributed and perimeterless. A zero-trust architecture helps organisations manage the increased danger resulting from this evolution. It inverts the attack surface, reducing it to something small and easily known: a ‘protect surface’. Implementing zero trust one protect surface at a time offers three benefits: it’s incremental, iterative and non-disruptive, limiting any potential issues to a single protect surface.

The zero-trust model is one that eliminates the concept of ‘trust’ in digital systems, so organisations don’t leave themselves vulnerable to data breaches, insider threats, and limited visibility and control. To implement zero trust effectively and achieve its many benefits, a true understanding of what it is, and what it isn’t, is paramount.

*With over 25 years of experience as a practitioner and industry analyst, John Kindervag is best known for creating the revolutionary Zero Trust Model of cybersecurity. As Chief Evangelist at Illumio, John Kindervag is responsible for accelerating awareness and adoption of Zero Trust Segmentation.
