Blog

Zero Trust: Hype vs. Reality

  • 24 December 2022
  • 34 replies
  • 573 views
Zero Trust: Hype vs. Reality
Userlevel 7
Badge +19

Zero Trust is a security approach that has gained significant attention in the cybersecurity world in recent years. But what is Zero Trust, and how effective is it in protecting against cyber threats? Cybersecurity professionals are rightfully skeptical of phrases that suddenly become buzzwords overnight. However, there are many legitimate technologies and policies that fall under the umbrella term “Zero Trust”. In this post, we will explore the concepts and technologies involved in Zero Trust and attempt to differentiate marketing hype from factual evidence.

 

Definition

First, let’s define zero trust. At its core, Zero Trust is a security model that assumes all users and devices within a network are untrusted and potentially malicious. This means that, rather than relying on the traditional perimeter-based security model which assumes that everything inside the network is trusted, a Zero Trust approach treats all access requests as coming from an untrusted source. There are a few other definitions of Zero Trust but each definitions contains a common concept:

“Never trust, always verify.”

Sounds pretty reasonable for a security protocol, right? It is like saying everything in a network is “guilty until proven innocent”. In an ideal Zero Trust environment, every network connection, digital communication, and device would be walled off from access until a series of verification steps has occurred. Is such an ideal environment achievable? Probably not, but more on that later. Let’s begin exploring the technologies which utilize Zero Trust principles.

 

Zero Trust Tech

One key component of Zero Trust is multi-factor authentication (MFA), which adds an additional layer of security by requiring users to provide multiple forms of authentication before accessing a network or system. This can include a combination of something the user knows (e.g. a password), something the user has (e.g. a physical token or mobile device), or something the user is (e.g. a fingerprint or facial recognition).

Many online services/apps allow you to set up 2FA (2-factor authentication) which requires two forms of authentication to log in. Usually, the available authentication options are SMS, Email, or app-based methods. Out of these three options, SMS is the least secure route. Because SMS messaging is not encrypted, it comes with a lot of security issues that make it unreliable as an MFA method. If you’re going to enable 2FA for the purpose of securing an app or account, we highly recommend using app-based methods.

The Microsoft Authenticator App is a great choice

In addition to MFA, virtual private networks (VPNs) and encrypted messaging are also commonly used in a Zero Trust architecture. VPNs allow users to securely access a network remotely, while encrypted messaging ensures that any communication between users is protected from interception. Whether for personal use or for work, VPNs are a highly reliable tool for securing devices and network connections.

There are many benefits to using a VPN which include:

  • Secure access to the internet on public WiFi
  • Privacy from your ISP (internet service provider)
  • Opens up access to websites that are only viewable in certain countries
  • Connecting to a VPN on a work device allows your system admins to enforce company security protocols more efficiently (which is good for them and you)

 

What about the drawbacks? While VPNs have certainly gotten faster in recent years, the biggest downsides of connecting to the internet through a VPN are latency and speedOn a 1 gig ethernet connection, you’ll see a potential loss of 50-70% loss of speed when connecting through a VPN. For normal web browsing, this is barely noticeable, but that lessened speed becomes far more noticeable when streaming HD videos or playing latency-sensitive games. While there is certainly a degradation of internet speeds, the security gained when using a VPN can be a worthy tradeoff for many people.

MFA and VPNs are clearly important technologies to be utilized with the goal of creating a network based on Zero Trust principles. They are user friendly, accessible, easy to implement (within a smaller organization). With that in mind, we can now explore the final piece of the Zero Trust puzzle: Access Control.

 

Access Control

Access control is a critical aspect of Zero Trust security. In a traditional perimeter-based security model, access is typically granted based on a user's location, with users inside the network considered trusted and granted access to all resources, while users outside the network are considered untrusted and denied access.

In contrast, a Zero Trust approach grants access based on the user's identity and the level of access they need to specific resources. This means that even if a user is inside the network, they will only be able to access the resources they are authorized to access. There are several benefits to this approach.

First, it reduces the risk of unauthorized access to sensitive resources, as users are only granted access to the specific resources they need to perform their job. 

Second, it allows organizations to have greater control over their networks and systems. 

Third, it can improve the overall security of the network by reducing the size of the attack surface. In a traditional perimeter-based security model, the entire network is considered trusted, which means that an attacker who gains access to the network has access to all resources. In a Zero Trust architecture, the size of the attack surface is reduced because all users have a defined scope of their network access. If employee A becomes the victim of a phishing attack but they only have access to marketing data, then the potential damage of the infection is dramatically reduced.

In summary, access control is an important component of Zero Trust security. It allows organizations to grant access to users based on their identity and the specific resources they need, rather than their location within the network. This can improve the security of the network and reduce the risk of unauthorized access to sensitive resources.

 

Marketing Hype vs. Reality

Now that we have identified the benefits of Zero Trust technologies and policies , let’s begin to address the hype. While it is true that Zero Trust technologies and policies can provide enhanced security, it is important to recognize that it is not a silver bullet for all security threats. In fact, some experts argue that the term “Zero Trust” is a misnomer, as it is impossible to completely trust or distrust any user or device. 

Furthermore, implementing a Zero Trust architecture within a larger corporation can be complex and costly, requiring significant investment in technology and resources. It also requires a significant shift in the way organizations approach security. But regardless of cost or complexity, we can see that Zero Trust technologies and policies are beneficial for preventing cybersecurity disasters. So, how can a company decide whether they should shift towards a Zero Trust infrastructure? In order to make the best decisions, it’s important that they listen to the experts, rather than the marketing blogs.

So, in order to find out how cybersecurity experts view Zero Trust, I reached out to two of our resident Security Analysts, Tyler Moffitt and Grayson Milbourne.

Tyler Moffitt has been involved in threat research for many years at Webroot/OpenText Security Solutions. We discussed the capabilities of Zero Trust infrastructure and if the media is potentially overstating its benefits. 

Question: “What are the real technological benefits that can be gained from adopting Zero Trust policies in a company?

Answer: “I think the most impactful benefit we see when looking at Zero Trust policies is access control. Access control is essentially limiting employee access to precisely what they need for their job responsibilities. When a company implements access control policies, that is a huge step towards securing their network. In fact, most of the compromises and ransomware attacks that are discussed in the media can be traced back to a LACK of access control.

Tyler mentions that this lack of access control can involve:

  • An employee clicks a phishing link or falls for a credential stealing attempt
  • Infiltrators compromise one machine and then look to get access to shared network drives or network admin credentials

The end goal of any of these attack methods is to gain access to user credentials that have high level access to a network or access to important data. Network admins are the big ones - if a threat actor can gain full access to a network admin login, then they got what they came for. From there, they can usually lock down an entire network, steal data, deploy a ransomware package, you name it. Access control policies are built to mitigate this kind of attack by either preventing it fully or at least reducing the impact. If access control policies are correctly implemented, threat actors will find it far more difficult to find what they’re looking for. 

After discussing access control, I proceeded to ask Tyler Moffitt about the marketing hype surrounding Zero Trust.

Question: “There’s a lot of  hype surrounding Zero Trust in the tech blogs and news media. Help myself and our readers separate fact from fiction on this topic - what is the media getting wrong when they talk about Zero Trust?”

Answer: “Zero Trust is being used as a buzz-word right now. It reminds me a lot of how the media discusses machine learning or AI technology. They  find some grains of truth about a technology and then embellish those truths without talking about limitations. The truth is that a perfect “Zero Trust” environment is a unicorn - it doesn’t exist and I don’t think it can exist. Technology has flaws and you can’t count on a framework to be immune to exploits. There’s always going to be a grey area when considering trusted vs untrusted devices or access points.”

 

Grayson Milbourne is the Security Intelligence Director at OpenText Security Solutions. He is responsible for ensuring our organization is capable of defending against today's most advanced threats. I reached out to him to learn about the capabilities of zero trust.

Question: “How would you define Zero Trust?”

Answer: “Zero Trust is a method, mindset, and a framework for understanding risk. It’s not an all or nothing approach, though. You can evaluate the concepts and technologies behind Zero Trust and apply the ones that make the most sense for your business.”

Grayson sees Zero Trust as an essential part of cybersecurity. He mentions that the philosophy of Zero Trust is embodied in many of the cybersecurity tools that businesses are already using. The list of tools, software, and policies that utilize a Zero Trust framework is extensive:

  • MFA
  • VPN
  • Antivirus
  • Security Awareness Training
  • DNS filters
  • Encryption 

Above is just a sample of technologies that are used for a similar purpose: securing the potential attack vectors of a network or device. The proper implementation and use of these tools puts organizations in a more secure position. 

When considering the benefits of adopting Zero Trust policies and technologies, the initial benefit is obvious - becoming resilient to cyber attacks. There is, however, a less obvious yet very important benefit which Grayson points out:

“Companies that implement a Zero Trust framework within their cybersecurity pay a lot less for cyber insurance.”

That makes perfect sense - if a company has not properly implemented preventative tools like MFA or DNS filtering, they’re more susceptible to something like a ransomware attack. That makes a company more of a liability when considering cyber insurance coverage. 

So we now have a pretty thorough understanding of what Zero Trust is as well as how the tech/principles can be applied to benefit an organization. I still wanted to know what Grayson thought about the marketing hype that has surrounded zero trust. He states,

Zero Trust does not mean zero risk - it is a method of limiting exposure to risk. The reality is that there’s no such thing as a perfect Zero Trust environment. The implementation of Zero Trust policies and software creates a structure which reduces risk, reduces impact of infections, and creates a plan for rebounding from disaster. A cybersecurity attack of your company disrupts trust with all of the people that interact with your business. For this reason, it is in a company’s best interest to look at the available security options and evaluate which options are correct for them.”

 

In Summary

Zero Trust is an incredibly useful framework that can assist organizations with becoming cyber resilient. When companies integrate Zero Trust policies into their cybersecurity, it becomes easier to acquire cyber insurance and mitigates the damage of potential cyber attacks. However, it is important to keep in mind that Zero Trust does not mean zero risk. Despite the claims of clickbait headlines, there is no such thing as an immutable digital network. Technology (and the people using it) will always have flaws and threat actors will always seek to take advantage of those flaws. 

Now we want to know what you think! Did you learn something new today? Had you even heard of Zero Trust before reading this post?

Let us know in the comments below!


34 replies

Userlevel 7
Badge +4

Superb article. I think these days you have to go with zero trust.

when we are onboarding a new client or performing our yearly reviews of client’s infrastructure, we apply zero trust now. It’s the best way to capture any vulnerabilities instead of assuming that the previous review covered everything 

Userlevel 7
Badge +22

I agree with Russel. This is an excellent article. And some very good points. I’ve always liked the idea of zero trust, but it can be difficult to manage in a large organization. 
 

I do take exception with one item:

”VPN servers have become so numerous and fast in recent history that there’s rarely a noticeable difference in connection speeds when using a VPN. “


While they are numerous, I have never found one that is as fast as my fiber connection. I have 1 Gbps connection, and I have yet to find a VPN that runs faster than 75 mbps. And with new 5G networks running in the 300+ mbps or better speeds, it makes a difference even on mobile. 
 

OK, that is fairly fast still, but the statement is inaccurate. VPNs will slow your connection, and it is noticeable. And latency is also very noticeable. 
 

I’ve tried at least 25 different providers and yet to find one that runs at even half speed. Recommendations anyone?

Userlevel 7
Badge +4

I’ve always just accepted that it’s part of the trade off to having the security of vpn

Userlevel 7
Badge +22

I do not disagree Russell. As have I. I was just pointing out that the statement made in the article was incorrect.  Saying “...there’s rarely a noticeable difference in connection speeds when using a VPN” is just completely incorrect. There is always a noticeable difference in my experience using VPN. 

Userlevel 7
Badge +4

Ah. I see. I misunderstood that bit. Agree with you there

Userlevel 7
Badge +19

@MajorHavoc ,

This is a very fair critique of that statement. I definitely agree that there is a loss of speed when using a VPN, but that loss of speed/latency is usually not noticeable in everyday web browsing. I even play video games on VPN without much latency using NordVPN. However, I’m probably being too relaxed in my current description of that downside. I’ll edit that statement accordingly!

Userlevel 7
Badge +4

👍🏻 @khumphrey 

Most of the time I don’t really notice a speed issue over vpn. I guess it does depend on what you’re doing

Userlevel 7
Badge +63

👍🏻 @khumphrey 

Most of the time I don’t really notice a speed issue over vpn. I guess it does depend on what you’re doing

Depends on which VPN service your using and how far the server your using is from your at! There’s many factors to consider. I use IVPN and it’s fast on most of there servers.

Userlevel 7
Badge +4

👍🏻 @khumphrey 

Most of the time I don’t really notice a speed issue over vpn. I guess it does depend on what you’re doing

Depends on which VPN service you’re using and how far the server you’re using is from your at! There’s many factors to consider. I use IVPN and it’s fast on most of there servers.

True. Certainly a few factors to consider. 

Userlevel 7
Badge +22

I will agree that if just browsing or playing simple games you probably not going to notice a big difference, probably more so if always on VPN, you “get used to your speed” after a bit. 
 

But put two identical machines said by side, one on VPN and the other not, and do the same things, you will notice increased latency and slower speeds in general.
 

A big factor though is how fast your connection is. If the VPN can match your speed you might not see much change at all. But, if like me, you have 1Gb fiber, I have yet to find a VPN that can match that speed.  The best so far has been about 30% of that speed. So I see a big difference on VPN. That said, I use it most of the time anyway. 

Userlevel 7
Badge +4

I think pretty much any security applied to anything will slow things down. It’s the trade off I guess

Userlevel 7
Badge +22

Great article @khumphrey !

 

I agree that VPNs still aren’t there, and may never get there when it comes to speed. They have absolutely come a long way and you can browse and stream in HD with no difference to raw pipes, but if you have fiber and game (or just download a game) you will notice a difference in the ping and bandwidth. If you aren’t a gamer, I can’t see many reasons why you wouldn’t want to use a VPN. My google pixel has built in VPN from the cell phone towers and I notice no difference in network bandwidth throughput and that’s a fairly recent development. I can still get sub 100 ping while gaming on my phone, but when it comes to PC desktop gaming you will want to chase that sub 40 ping and remove any VPNs. That’s pretty much the only case where VPNs struggle and I’m curious to see what the future has to hold. 

Userlevel 7
Badge +4

Let’s hope vpn holds up better over time. Things can only get better!

Userlevel 7
Badge +22

Great article @khumphrey !

 

I agree that VPNs still aren’t there, and may never get there when it comes to speed. They have absolutely come a long way and you can browse and stream in HD with no difference to raw pipes, but if you have fiber and game (or just download a game) you will notice a difference in the ping and bandwidth. If you aren’t a gamer, I can’t see many reasons why you wouldn’t want to use a VPN. My google pixel has built in VPN from the cell phone towers and I notice no difference in network bandwidth throughput and that’s a fairly recent development. I can still get sub 100 ping while gaming on my phone, but when it comes to PC desktop gaming you will want to chase that sub 40 ping and remove any VPNs. That’s pretty much the only case where VPNs struggle and I’m curious to see what the future has to hold. 

All very good points Tyler. I believe a big issue on ping is if it is before the encryption/decryption or after. The speed of the pipe is only one “delay” factor. You really was to test from unencrypted date top unencrypted data at the other end. encryption and decryption can take time. Of course, some new end point devices do this in hardware, which speeds things up considerably.  I agree with Russel, almost all security is going to add delay. Its always security vs cost. 

Userlevel 7
Badge +4

Security is like the good and bad all rolled into one. You want it but you don’t want the delay. Doesn’t matter if it’s digital security or security like airport security. You find it annoying and it slows you down but you wouldn’t want to be without it!

Userlevel 4

Speed loss with vpn is not noticible most of the time and even with speed loos compared to security level u have is considered nothing.

Good writeup. As for insurance, it's not that you pay less if you implement zero trust. They don't offer you insurance if you don't meet their baseline. If you do, you can get insurance if you pay. A lot. Next year they may choose not to extend it if they change the rules.

Userlevel 2

Nicely written piece @khumphrey  some very good takeaway points in there

Userlevel 1

@khumphrey love it mate, this is spot on! I feel like this article needs to be part of every user’s induction when using IT equipment to truly understand why it’s so important.

Or at the very least, tattoo “Never trust, verify everything” on their dominant hand so they can see it on a daily basis.😂

Userlevel 1

Excellent article.  Does a good job of explaining why it is important 

Userlevel 7
Badge +5

Great breakdown of what Zero Trust is and how it factors into a good security plan.

Userlevel 7
Badge +63

Awesome Article Keenan! 😎

A very interesting read , and an approach we take within business 

We don't use VPN ourselves which of course out outlined have a knock on effect on bandwidth. Customers which do use VPN we find have leased lines from which we supply.

We restrict employees usage to data that isn't required for them to access for there job role and that the do not trust rule is in place simply to protect data..

Userlevel 2

Happy new year 2023!

Userlevel 4

Excellent article! You managed to unpack this buzzword that could feel fearsome. I mean, “ZERO Trust”, that feels powerful yet difficult to implement because of the amount of complains and frustration it could generate on the legitimate end users.

 

Thanks to your article, it looks more attainable with a progressive approach; and some of its component are probably/certainly already in place.

Also, knowing that full Zero Trust is perceived as a unicorn even among cybersecurity professionals helps relieve some pressure of seeing it unreachable.

Reply