Latest Zorz News

Zero trust: The good, the bad and the ugly

Apr 9, 2021

Zero trust is a good cybersecurity platform, but experts suggest care to get it right and not disenfranchise users.

Thanks to the pandemic, the zero trust cybersecurity model has come into its own. However, like most things concerning cybersecurity, zero trust has a good side, a bad side and an ugly side.

Before we get into that, we need to agree on what zero trust means, as there are many different definitions floating around cyberspace. For many, Zeljka Zorz, managing editor at Help Net Security, has become the go-to source for information related to zero trust. In her article, “Preventing insider threats, data loss and damage through zero trust,” she quotes Bill Harrod, federal CTO at MobileIron: “In short, the zero trust model enforces that only the right people or resources have the right access to the right data and services, from the right device, under the right circumstances.”

Zorz, in a more recent Help Net Security article, “Zero Trust creator talks about implementation, misconceptions, strategy,” talks to John Kindervag, senior VP of cybersecurity strategy at ON2IT, about zero trust, asking specifically what we’re doing right and what we’re doing wrong. If anyone should know, it is Kindervag: zero trust is his creation.

The good side of zero trust

To find support for zero trust, Kindervag tells Zorz we need look no further than the people at NSA, who arguably have some of the most secure environments in the world. They are convinced that zero trust is the way to go, and say so in their paper “Embracing a Zero Trust Security Model.”

“Because zero trust is focusing on what is being protected, it stops traffic that doesn’t fall within the granular Kipling Method policy statements,” explained Kindervag. “This means that outbound traffic to a [command-and-control] node, which is how both ransomware and data exfiltration (the actual breach) work, will be stopped automatically.”

Kindervag champions the Kipling Method as a reason why zero trust implementations succeed. “For years, I have used the Kipling Method to help companies define policy and build zero trust networks,” wrote Kindervag in his Palo Alto Networks blog post “All Layers Are Not Created Equal.” “It ensures that security teams are thorough in their definitions and that anyone, including non-technical business executives, can understand cybersecurity policies due to the simplicity of the approach.”

The bad side of zero trust

The bad side of zero trust concerns the misunderstandings that are currently being propagated. “Among the misconceptions Kindervag is eager to dispel is that zero trust makes a system ‘trusted,’ and that it is just about identity and multi-factor authentication (MFA),” mentioned Zorz. “Zero trust eliminates trust from digital systems, because trust is a vulnerability that can be exploited.”

“If Zero Trust was equal to MFA (as many vendors claim), then neither the Snowden nor Manning breaches would have been able to happen,” explained Kindervag. “They had very robust MFA and identity solutions, but no one looked at their packets post-authentication.”

Something else that Kindervag finds disconcerting is that vendors are redefining the meaning of zero trust so that it coincides with what their products are capable of doing. According to Kindervag, there are no “zero trust products.” He told Zorz, “There are products that work well in zero trust environments, but if a vendor comes in to sell you their ‘zero trust’ product, that’s a pretty good indication that they don’t understand the concept.”

Kindervag added, “If you’re looking to hire a managed services provider to help you with the implementation, ask how they define zero trust: ‘Is it a product or a strategy?’ Then make sure the first question they ask you is ‘What are you trying to protect?’”

The ugly side of zero trust

Right from the start, the name zero trust has unwelcome implications. On the surface, it appears that management does not trust employees or that everything done on the network is suspect until proven innocent.

“While this line of thinking can be productive when discussing the security architecture of devices and other digital equipment, security teams need to be careful that it doesn’t spill over to informing their policy around an employer’s most valuable asset, its people,” mentioned Jason Meller, CEO and founder at Kolide.

“Users who feel their privacy is in jeopardy, or who do not have the energy to continually justify why they need access to resources, will ultimately switch to using their own personal devices and services, creating a new and more dangerous problem—shadow IT,” continued Meller. “Frustratingly, the ill-effects of not trusting users often forces them to become untrustworthy, which then in turn encourages IT and security practitioners to advocate for more aggressive zero trust-based policies.”

In the interview, Meller suggested the first thing organizations looking to implement zero trust should do is form a working group with representatives from human resources, privacy experts and end users themselves. He added, “This group should consider what the rules of engagement are for IT and security teams interacting with devices that might contain personal data, and ensure those rules are well communicated to both the security team and the employees.”

Final thoughts

In conclusion, Kindervag addressed the concern that zero trust is only for mega corporations. “It can be implemented by both the world’s largest and the world’s smallest organizations,” he explained, “and can help protect against today’s most dreaded cyber-scourges: ransomware attacks and data breaches.”
