Can We Achieve Zero Trust?
Risk and Compliance - February 18, 2022
When the pandemic hit and it became essential to shift to a remote workforce, companies around
the world tried their best to keep the lights on. They had to reimagine their business
processes, redistribute responsibilities across their workforce and realign the necessary tools to
support the remote working environment. Threat actors saw this opportunity, and there was a
massive surge in cyberattacks. In an August 2020 report, Interpol assessed that cybercrime had
shifted significantly away from individuals and small enterprises and toward large organizations,
governments, and essential infrastructure. Between February and March 2020, the agency observed
a 569 percent increase in malicious domain registrations, including malware and phishing, and a 788
percent increase in high-risk registrations.
This meant that you had to ensure business continuity while keeping security measures
intact. For many organizations, it proved to be a very difficult task. Now that the dust has
settled and work is returning to normal, firms around the world are looking for new measures and
models, ones that are robust and future ready. In this blog, we will look at one such security
model, known as Zero Trust security. We will assess its attributes and the challenges it addresses,
and understand its applicability to present and future threats.
What is Zero Trust?
Traditionally, computer networks used a "trust but verify" security architecture: any person or
device was considered trustworthy once it had authenticated. That worked well for early computer
networks because companies could effectively regulate the devices and connections, as they all
operated from a single central place (on-premises).
The proliferation of telecommuting and mobile devices shifted the threat environment. Today, IT
teams must strike a balance between network security and the requirements of a mobile workforce.
This led to the need for a new paradigm to assure end-to-end device and network security, since
attackers discovered that once they had "access," nothing stopped them from looking at and
stealing whatever they wanted. This need led to the Zero Trust concept.
Zero Trust was coined in 2010 by John Kindervag, then vice president and principal analyst at
Forrester Research. It is based on the principle of "never trust, always verify." The network
does not grant users, packets, interfaces, or devices any trust based on their origin.
Every user and device starts with no trust at all and must establish what or who it is in
order to acquire access to vital assets. Users get access to only the information necessary to
fulfill the request.
Zero Trust Principles
Zero Trust is guided by the following principles:
1. Never Trust, Always Verify - Consider each user, device, workload, and data flow to
be untrustworthy. Using dynamic security rules, authenticate and explicitly authorize each user
with the least amount of authority necessary.
2. Assume Breach - Consciously operate and protect resources as though an adversary already has a
presence in the environment. By default, deny all users, devices, data flows, and requests for
access. All changes, resource requests, and network traffic should be logged, inspected, and
continually monitored for suspicious activity.
3. Verify Explicitly - Access to all resources must be consistent and secure, using
multiple signals (dynamic and static, such as identity, device health and behaviour) to calculate a
confidence level for the resource being requested.
Zero Trust Security: Key Objectives
1) Do Away With The Notion of Trust in a Network: When there is no trust, there are no
trusted sources. Each packet transmitted over a network must be authorized, authenticated, and
encrypted. By treating all communication equally (whether inside or outside the network) and
constantly authenticating the user, attackers have a far more difficult time breaching network
2) Implement Vital Preventive Security Measures: Zero trust is a strategy; in order to
establish a network around this architecture, IT departments must design their networks with a
few crucial preventive security measures in mind.
This raises critical questions of identity and device verification: Is the person or device
connecting indeed who they claim to be? Is the device sufficiently protected? Is there any odd
behaviour taking place? These are the types of questions that a Zero Trust system must
answer. When developers want to increase the security of their apps, they generally turn to
multi-factor authentication (MFA), which requires at least one further factor (something you
have or something you are) in addition to the standard username and password login.
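The three principles above and the identity and device questions in this section come together in the policy decision point: every request is evaluated from its own claims, never from where it arrived. The following is an added example, not code from the original post; the roles, resources, score weights and thresholds are illustrative assumptions.

```python
"""Added example (not from the original post): a minimal zero-trust policy
decision point. Every request carries identity, device and context claims;
nothing is trusted by default, network location is deliberately ignored,
and a decision is computed per request. Role tables, score weights and
thresholds are assumptions for illustration."""
from dataclasses import dataclass, field

# Hypothetical role -> permitted (resource, action) pairs: least privilege,
# anything not listed is denied.
ROLE_PERMISSIONS = {
    "engineer": {("source-repo", "read"), ("source-repo", "write"), ("ci", "read")},
    "finance": {("ledger", "read"), ("ledger", "write")},
    "support": {("ticketing", "read"), ("ticketing", "write")},
}

# Hypothetical per-resource minimum confidence (0-100); sensitive data needs more.
RESOURCE_MIN_CONFIDENCE = {"source-repo": 60, "ci": 60, "ledger": 80, "ticketing": 40}

# Assume breach: every decision, allow or deny, is recorded for monitoring.
AUDIT = []


@dataclass
class Request:
    user: str
    role: str
    authenticated: bool
    mfa: bool
    device_managed: bool
    device_compliant: bool   # disk encryption, patch level, EDR healthy
    resource: str
    action: str
    network: str             # "corp", "vpn", "internet": carries no trust
    anomalous: bool = False  # e.g. impossible travel, flagged by monitoring


@dataclass
class Decision:
    allow: bool
    confidence: int
    reasons: list = field(default_factory=list)


def confidence_score(req):
    """Combine static and dynamic signals into a 0-100 confidence level."""
    score = 0
    if req.authenticated:
        score += 30
    if req.mfa:
        score += 30
    if req.device_managed:
        score += 20
    if req.device_compliant:
        score += 20
    if req.anomalous:
        score -= 40
    return max(0, min(100, score))


def _evaluate(req):
    d = Decision(allow=False, confidence=confidence_score(req))
    # 1. Never trust: unauthenticated requests are denied even from "corp".
    if not req.authenticated:
        d.reasons.append("not authenticated")
        return d
    # 2. Least privilege: the role must explicitly grant resource + action.
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        d.reasons.append(f"role {req.role!r} not permitted {req.action} on {req.resource}")
        return d
    # 3. Verify explicitly: confidence must meet the resource threshold;
    #    an unknown resource has no threshold and is therefore denied.
    needed = RESOURCE_MIN_CONFIDENCE.get(req.resource)
    if needed is None:
        d.reasons.append("unknown resource")
        return d
    if d.confidence < needed:
        d.reasons.append(f"confidence {d.confidence} below required {needed}")
        return d
    d.allow = True
    d.reasons.append("all checks passed")
    return d


def decide(req):
    """Evaluate a request and log the outcome regardless of the result."""
    d = _evaluate(req)
    AUDIT.append({"user": req.user, "resource": req.resource, "action": req.action,
                  "network": req.network, "allow": d.allow, "reasons": list(d.reasons)})
    return d


if __name__ == "__main__":
    r = Request("alice", "engineer", True, True, True, True, "source-repo", "write", "internet")
    print(decide(r))  # allowed: a fully verified engineer from the Internet
    r = Request("mallory", "engineer", False, False, True, True, "source-repo", "read", "corp")
    print(decide(r))  # denied: being on the corporate LAN earns nothing
```

Note that the same engineer is allowed from the Internet and denied from the corporate network when unauthenticated; that inversion of the perimeter model is the whole point. Lowering a score for anomalous behaviour is how continuous monitoring feeds back into the access decision rather than only raising an alert.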
Additionally, Zero Trust networks ensure that users and devices are always granted the least
access feasible. Authorization is restricted to the minimum necessary to execute an
activity. This restricts the attacker's mobility beyond the break-in point in the event of an
By approaching information security in this manner, it becomes significantly simpler to contain
security events. The exposure created by Bring Your Own Device (BYOD) equipment or by insider
attacks is reduced. Micro-segmentation is a technique that allows engineers to
leave behind the traditional "castle and moat" attitude of conventional network
architecture, which places most of the protection at the network perimeter. Instead,
smaller zones are built within the typical perimeter to further isolate network segments by
device, purpose, or identity. By compartmentalizing security beyond the login page, the
attacker does not gain control over the entire contents of the system in the event of a
3) Enable Real-time Breach Response Tactics.
While the measures described above significantly increase network security, break-ins do occur.
To contain them, network administrators should adopt real-time monitoring tools to increase
the speed with which they respond to incoming threats.
Along with monitoring, automatic remediation is critical. A computer can react far more quickly
than a human, therefore many Zero Trust systems include some form of automated system
for detecting, investigating, remediating, and preventing further attack attempts.
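As an added example of the monitoring and automated remediation described above (not code from the original post): access decisions, including denials, are streamed as log lines, and an identity that reaches an unusual number of distinct resources inside a short window is treated as possible lateral movement or enumeration. The log format, the window, the threshold and the revoke hook are assumptions, and the log lines are constructed for the example.

```python
"""Added example (not from the original post): a sliding-window detector
over zero-trust access logs with an automated response. Constructed log
lines are parsed; a user touching more than MAX_DISTINCT_RESOURCES distinct
resources within WINDOW_SECONDS is flagged and has its sessions revoked.
Denied requests count too: an adversary probing resources it is not
entitled to is exactly the signal "assume breach" wants surfaced."""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample: bob probes four resources in 13 seconds (mostly denied).
SAMPLE_LOG = """\
2022-02-18T09:00:01Z user=alice resource=ticketing action=read result=allow
2022-02-18T09:00:05Z user=bob resource=source-repo action=read result=allow
2022-02-18T09:00:09Z user=alice resource=ticketing action=write result=allow
2022-02-18T09:00:12Z user=bob resource=ci action=read result=allow
2022-02-18T09:00:15Z user=bob resource=ledger action=read result=deny
2022-02-18T09:00:18Z user=bob resource=hr-db action=read result=deny
2022-02-18T09:00:20Z user=bob resource=ticketing action=read result=deny
2022-02-18T09:30:00Z user=bob resource=source-repo action=read result=allow
"""

WINDOW_SECONDS = 60          # assumed window
MAX_DISTINCT_RESOURCES = 3   # assumed threshold; alert when exceeded


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a UTC datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


class LateralMovementDetector:
    def __init__(self, window=WINDOW_SECONDS, max_distinct=MAX_DISTINCT_RESOURCES):
        self.window = window
        self.max_distinct = max_distinct
        self.events = defaultdict(deque)  # user -> deque of (ts, resource)
        self.revoked = set()
        self.alerts = []                  # (user, ts, sorted resources)

    def observe(self, rec):
        q = self.events[rec["user"]]
        q.append((rec["ts"], rec["resource"]))
        # Expire events that fell outside the sliding window.
        while (rec["ts"] - q[0][0]).total_seconds() > self.window:
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) > self.max_distinct and rec["user"] not in self.revoked:
            self.alerts.append((rec["user"], rec["ts"], sorted(distinct)))
            self.revoke_sessions(rec["user"])

    def revoke_sessions(self, user):
        """Automated remediation hook (hypothetical). A real deployment would
        call the identity provider to kill sessions and force re-authentication
        with step-up MFA; here the action is only recorded."""
        self.revoked.add(user)


def run_detector(log_text):
    """Feed every non-empty log line through the detector and return it."""
    det = LateralMovementDetector()
    for line in log_text.splitlines():
        if line.strip():
            det.observe(parse_line(line))
    return det


if __name__ == "__main__":
    det = run_detector(SAMPLE_LOG)
    for user, ts, resources in det.alerts:
        print(f"{ts.isoformat()} possible lateral movement by {user}: {resources}")
    print("revoked:", sorted(det.revoked))
```

The detector fires on bob at 09:00:18, the fourth distinct resource, and stays quiet for his later 09:30 request because the window has emptied; whether a revoked identity should be allowed back in at all is a policy question the decision point, not the detector, should answer.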
Obstacles to Zero Trust Implementation
While we have discussed the attributes of Zero Trust, including its principles, the main focus
of this blog is to analyze its applicability in the present age. While we praise its benefits,
it is also worthwhile to examine its limitations and separate hype from reality.
While many Zero Trust practices are sound and rational, many become difficult to attain
due to the following challenges that practically every business faces:
1. Outdated Apps
Technology is always evolving, and the apps of today might be outdated tomorrow. Internal
application redesign, recoding, and redeployment can be costly and disruptive. To pursue these
sorts of activities, there must be a compelling business case. It is not always viable to add
security controls to existing apps to make them zero-trust aware, and it is unlikely that your
existing applications support Zero Trust today.
As a result, your reliance on bespoke apps will influence whether or not you
can embrace Zero Trust in those processes, as well as the associated work and expense. This is
especially true when applications do not fit within a micro-perimeter or lack the appropriate
application programming interfaces for identity and policy integration.
2. Legacy Systems
Most likely, legacy programs, infrastructure, and operating systems are not zero-trust aware.
They have no concept of least privilege or lateral movement, and they lack dynamic authentication
models that adapt to changing context.
To allow Zero Trust implementations, a layered, or wrapper, approach is required. However, a
layered approach only encapsulates external access to the resource and lets it interact with the
system at specific points. This undermines the zero-trust idea. You cannot always monitor the
behaviour of a program that is incompatible. While you may scrape screens, capture keystrokes,
and monitor logs and network traffic for potentially malicious activity, your response time is
restricted. You can restrict the legacy application's external interaction with users or other
resources, but not the runtime itself. This limits the scope of Zero Trust, and depending on the
features of the old application, companies may discover that inspecting its network traffic is
impossible because it is encrypted end to end.
3. Technologies Based on Peer-To-Peer Collaboration
Beginning in 2015, Windows 10 included a peer-to-peer mechanism (Delivery Optimization) that
lets peer computers share Windows Updates to conserve Internet bandwidth. While some companies
disable this feature, others are unaware of its existence. It creates lateral traffic between
systems that no policy governs. While there are no known vulnerabilities or exploits for this
functionality, it does expose communications that violate the zero-trust concept. There should
be no lateral movement that is not authorized, even within a given micro-perimeter.
Additionally, you will discover that protocols such as ZigBee and other mesh network technologies
run in direct opposition to Zero Trust. They function via peer-to-peer communication, and their
trust model depends exclusively on keys or passwords, with no dynamic models for
Therefore, if you want to adopt Zero Trust, carefully explore whether your company uses
peer-to-peer or mesh network technologies, including those used in wireless networks. These are
significant impediments to implementing the access and micro-perimeter restrictions necessary
for Zero Trust.
Even for enterprises capable of building a new data centre, implementing a role-based access
model, and fully embracing Zero Trust, digital transformation concerns might make the idea
difficult to adopt.
The digital revolution driven by Cloud, DevOps, and IoT does not support the zero-trust
paradigm out of the box, as segmentation and enforcement require extra technologies. This can be
too expensive for big deployments and may even impair the solutions' ability to serve
many different users effectively. If you have any doubts, examine the storage needs and
license fees associated with logging every event for dynamic access to all resources used in the
While some may argue that the Cloud embraces segmentation and zero-trust models, the truth is
that it all depends on how the Cloud is used. A straightforward lift-and-shift of your existing
data centre into the cloud does not give you Zero Trust. If you build a new application as a
service in the cloud, it can certainly embrace Zero Trust.
However, merely migrating to the Cloud as part of your digital transformation does not mean that
you will automatically receive the benefits of the zero-trust paradigm. And, if you
want to adopt Zero Trust and include it in your strategy, you can be assured that it will not
function effectively as a bolt-on layer.
Can We Truly Achieve Zero Trust?
To resolve the concerns that have plagued Zero Trust for over a decade, you must
flip your mindset: prioritize strategy first, and technology second. Recognizing
that identity, device integrity, access control, and continuous inspection are all necessary to
accomplish Zero Trust is very different from buying and deploying technologies that address a
single cybersecurity issue without regard for the larger picture of a strategic approach.
Cybersecurity should always be aligned with business objectives, and practitioners should
understand that their purpose is not to identify bad actors or prevent the next zero-day
attack, but to keep the business functioning, even when confronted daily with a barrage
In the current state of the cyber world, the success of a firm is contingent upon its capacity to
safeguard its devices and network. Zero Trust is the logical conclusion. However, that
discussion is meaningless until we understand how to implement it, and therein lies the rub: there
are various misconceptions about what Zero Trust truly entails.
At its heart, Zero Trust is a security framework that employs layered security measures and
protections to ensure that no single user, program, or device holds the network's "trust."
Everything is validated and only the most restricted access is granted.
The following are some of the most fundamental questions an attacker will ask
while planning to compromise an IT system:
Where does the trusted network end?
How many systems can this trusted device reach?
What can I do with this trusted username and password combination?
What do these questions have in common? They are all predicated on the idea that an
implicitly trusted component confers a demonstrable offensive advantage on an attacker.
Attackers do gain an advantage when they can take control of an implicitly trusted machine and
reach other systems without passing further security checks. Zero Trust negates this advantage
by eliminating the idea of trust from decision-making about access to information and
interaction with digital assets.
Surya Jatavallabhula is a Cyber Security and Risk professional with an extensive history in the Banking, Biotech, Medical, and Education sectors. Surya has played various roles across security domains including CISO, Security Partner/SME for Information and Cyber Security, DevSecOps, Risk Management, Data Privacy, Enterprise Security Data Architecture, Technology Risk, and Portfolio Management after graduating with an MS in Risk Management from the Stern School of Business, New York University, U.S., and an M.B.A. from Leeds University Business School, U.K.