Where Does Zero Trust Fall Short? Experts Weigh In

Author: ISACA
Date Published: 27 September 2023

Zero trust has been a prevalent topic of discussion in cybersecurity since it became a popular replacement for the outdated, perimeter-based approach of trusting everything internally and nothing externally. With zero trust, nothing is trustworthy until it proves itself otherwise.

However, no security approach is perfect. The working world has shifted greatly in the last few years, meaning that security perimeters have had to shift alongside it. @ISACA recently consulted several security experts on where they think zero trust potentially falls short, including their considerations regarding the biggest threats against zero trust, actionable steps enterprises can take to bolster their security and additional blind spots of this security approach.

Here’s what they had to say:

From the areas CSO identified where zero trust can’t protect your organization—legacy systems, IoT devices, privileged access, third-party services, and new technologies and applications—which seems to be the biggest threat, and why?

“I would disagree that zero trust ‘can’t’ protect your organization in those areas. The strategy of ZT can be applied to all of those areas and, if done correctly and intelligently, then a solid strategic approach can be beneficial. There is no ZT product that can simply make those areas secure, however. I would also suggest that the largest area of threat is privileged access, as that is the most common avenue of lateral movement and increased compromise historically.”

- Chase Cunningham, Vice President of Security Market Research, G2, “DrZeroTrust” Podcast Host, Author; previously VP and Principal Analyst at Forrester Research, Director of Threat Intelligence for Armor, Director of Cyber Analytics for Decisive Analytics, and Chief Cryptologic Technician, US Navy

“Legacy applications, which often fall in the ‘unmanageable’ category, are one of the biggest, largely unknown, threats facing organizations today. These applications are the hole in most organizations’ zero trust strategy, as identity is a critical input to a zero-trust system. These applications don’t support standards like SSO and SAML, so they can’t be included in a zero-trust architecture. Recent research from the Ponemon Institute found that unmanageable applications, many of which are legacy systems, generate 10 to 15 percent of breaches annually.”

- Matt Chiodi, Chief Trust Officer at Cerby, ISACA Digital Trust Advisory Council Member

“It’s a multifaceted issue when determining the greatest threat among the areas where zero trust falls short. At the core, privileged access stands out as the most alarming vulnerability. These users, often likened to having ‘keys to the kingdom,’ possess the capabilities to access confidential data, modify configurations and undertake actions that could severely jeopardize an organization.

“However, an underlying concern that might be overlooked is the reason behind the extensive distribution of privileged access. In many situations, this excessive access stems from challenges tied to legacy systems, IoT devices, third-party services, and emerging technologies and applications. These systems and tools might either lack sophisticated role-based access controls, necessitate premium subscriptions for enhanced security or present intricate layers of permissions due to their initial design prioritizing functionality over security. When systems are designed without a foundational security focus, retrofitting them to align with zero-trust principles becomes a herculean task.

“In conclusion, while privileged access presents an immediate threat, it’s essential to recognize it as a symptom of a broader issue. The challenges in implementing robust security measures across diverse systems, especially those not initially designed with security at the forefront, emphasize the need for a proactive, holistic approach to cybersecurity. To truly fortify an organization’s defenses, it’s not just about managing privileged access but also about revisiting and strengthening the security foundation of all interconnected systems and services.”

- Bhanu Jagasia, PMP, CISSP, CISM, CISA, CRISC, CGEIT, CCSFP, CHQP, C|EH, C|BP, AWS CSAA, AWS CDA, AWS CSS, Bachelor of Science (B.S) – Information Systems, George Mason University, United States

What are some actionable steps organizations can take to bolster their security where zero trust falls short?

“Review those areas that are identified as a risk and that have identified shortcomings. Then test them in a realistic red team event and see how they fare. That will let you know what is technically possible, and then you can fix those areas that are compromised.”

- Dr. Chase Cunningham

“Zero trust is a silver bullet if deployed holistically and not as a point product. Organizations need to make sure when developing a zero-trust strategy that they adapt to include legacy and unmanageable applications (or, as Gartner calls them, nonstandard applications). Keeping these applications in scope from the beginning ensures that a massive part of most enterprises’ application estate is not outside the protection of a future zero trust strategy. Organizations also need to investigate solutions that can bring these unmanageable applications into the scope of their existing identity provider.”

- Matt Chiodi

“Addressing the limitations of zero trust necessitates a layered, integrated strategy. Here are some actionable, yet straightforward steps:

  1. RBAC audits: Begin with routine Role-Based Access Control audits, particularly for legacy and third-party systems. This isn’t just housekeeping; it’s akin to a gap assessment that highlights the areas where sprawling privileged access may be unnecessarily wide.
  2. Prioritize deficiencies: Post-audit, systematically categorize your security gaps. Are they technical limitations, like legacy systems lacking modern authentication? Or financial constraints, such as premium-tier security features being beyond the budget? This nuanced approach enables you to allocate resources more effectively.
  3. Implement monitoring: If the tools and budget are there but visibility is lacking, consider bolstering your security infrastructure with real-time monitoring and alerting mechanisms. Awareness is half the battle in cybersecurity.
  4. Simplify access controls: Aim to declutter and streamline your access control layers. Complexity isn’t just a management nightmare—it’s a security risk.

“By adopting these measures, organizations can not only understand but also pragmatically address the vulnerabilities that zero trust may not fully cover. It’s about fostering an adaptive, manageable, and, above all, secure ecosystem.”

- Bhanu Jagasia
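Steps 1 and 2 of the list above (an RBAC audit that surfaces privileged-access sprawl, then sorting the gaps into technical versus financial), as an added Python example that is not part of the original article or any interviewee’s work; the system inventory, role assignments and field names are constructed sample data and assumptions:

```python
from collections import defaultdict

# Constructed inventory (assumed field names): does the system support SSO/SAML,
# and does fine-grained RBAC require a paid tier?
SYSTEMS = {
    "hr-portal": {"legacy": True, "sso": False, "rbac_tier": "premium"},
    "erp": {"legacy": True, "sso": False, "rbac_tier": "included"},
    "crm-saas": {"legacy": False, "sso": True, "rbac_tier": "included"},
    "build-ci": {"legacy": False, "sso": True, "rbac_tier": "premium"},
}

# Constructed role assignments as (user, system, role) triples.
ASSIGNMENTS = [
    ("alice", "hr-portal", "admin"), ("alice", "erp", "admin"),
    ("alice", "crm-saas", "admin"), ("bob", "erp", "viewer"),
    ("bob", "build-ci", "admin"), ("carol", "crm-saas", "editor"),
    ("dave", "hr-portal", "admin"), ("dave", "build-ci", "admin"),
    ("dave", "erp", "admin"),
]

PRIVILEGED_ROLES = {"admin", "owner"}


def privileged_sprawl(assignments, threshold=2):
    """Step 1: users holding a privileged role on `threshold` or more systems."""
    per_user = defaultdict(set)
    for user, system, role in assignments:
        if role in PRIVILEGED_ROLES:
            per_user[user].add(system)
    return {u: sorted(s) for u, s in per_user.items() if len(s) >= threshold}


def uncovered_privileged(assignments, systems):
    """Privileged access on systems the identity provider cannot govern (no SSO)."""
    return sorted(
        (user, system) for user, system, role in assignments
        if role in PRIVILEGED_ROLES and not systems[system]["sso"]
    )


def classify_gaps(systems):
    """Step 2: label each system's shortfall as technical and/or financial."""
    gaps = {}
    for name, props in systems.items():
        reasons = []
        if not props["sso"]:
            reasons.append("technical: no SSO/SAML, cannot join the identity provider")
        if props["rbac_tier"] == "premium":
            reasons.append("financial: fine-grained RBAC needs a premium tier")
        gaps[name] = reasons
    return gaps
```

The `uncovered_privileged` output is the intersection the experts describe: privileged accounts on unmanageable applications that sit outside the identity provider, which is where the audit should focus first.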

Are there any additional blind spots within zero trust that organizations should be aware of?

“By not applying technical controls to users on the internet, with solutions like remote browser isolation, the risk is exponential. The further ‘out’ on the internet you can address threats, the better off your organization will be. Phishing training is not a technical control, and relying on people to never click a malicious link is a bad idea.”

- Dr. Chase Cunningham

“Bruce Schneier many years ago wisely observed, ‘Security is a process, not a product.’ If an organization has bought a product and believes it has zero trust, it will be sorely disappointed. Zero trust is more about processes than products. Yes, you need products to achieve zero trust, but that’s the easy part. Security and IT teams should follow the 5 Step Model of Zero Trust developed by the creator of zero trust, John Kindervag.”

- Matt Chiodi

“While the list of blind spots in a zero-trust architecture is comprehensive, it’s crucial not to overlook the role of operational inefficiencies in undermining security efforts. Zero trust, by its nature, imposes strict access controls and layers of verification. While these measures enhance security, they can also introduce friction into daily operations, possibly leading to a decline in productivity. The real danger here is not just inefficiency but the human tendency to find workarounds. When security protocols are seen as obstacles, employees may resort to practices that compromise security, like using personal devices for work, sharing passwords or even disabling security features. Essentially, the more cumbersome the security measures, the greater the temptation for employees to bypass them, inadvertently creating vulnerabilities.”

- Bhanu Jagasia

Editor’s note: For more insights into zero trust, download ISACA’s zero trust ebook.