Zero trust security starts by removing privileges and adding enough to get the job done, explains Torsten George at Centrify, debunking five myths.

For years, the popular security maxim was trust by verify. But this mindset is no longer sufficient in today’s borderless, global, mobile, cloud-based threatscape. According to Gartner, organisations are expected to spend $137 billion in IT security and risk management in 2019, yet 66% of all companies experienced security breaches last year. You would think with that much money invested in security; we would be several steps ahead of the bad guys. But hardly a week goes by without reading about the latest high-profile cyber-attack.

Zero trust security is an antidote for outdated security strategies because it demands that organisations never trust and always verify. Every business must recognise that attackers exist inside and outside the network, and that perimeter-based security no longer provides protection against identity-based and credential-based intrusion, which are today’s leading attack vectors. The solution now is to entirely remove trust from the equation by granting just enough privilege at just the right time.

However, several misconceptions are impeding zero trust adoption. It is time to look at the top five myths and set the record straight.

Myth 1: The path to zero trust security starts with data integrity

Rest assured, encrypting sensitive data and assuring its integrity remains a best practice. No one denies that. But how does that limit attackers from exfiltrating data if they have already secured privileged access, including to decryption keys?

Forrester estimates that 80% of data breaches are caused by misuse of privileged credentials. Privileged credentials provide greater scope for stealing data than individual accounts do, so it only takes one compromised credential to impact millions of people and cause a massive amount of damage. It is not surprising that Gartner recommends putting privileged access management, PAM at the top of any list of security projects.

Until organisations start implementing identity-centric security measures, account compromise attacks will continue to provide a perfect camouflage for data breaches. Thus, the path to zero trust should always start with identity.

Myth 2: Zero trust is only for large organisations

Google was one of the first companies to adopt the zero-trust model. As a result, many people still think it is only for the largest organisations. But the reality is, no one is safe from a cyberattack. In fact, 61% of all data breaches affected small businesses, according to the 2018 Verizon Data Breach Investigations Report.

The good news is that zero trust security will not break the bank. Your company’s size or budget should not be a deterrent because even the smallest business can get started with Zero trust by taking a cost-effective, step-by-step approach.

For example, many organisations can significantly harden their security posture with low-hanging fruit like a password vault, or Multi-Factor Authentication. Spending a couple hundred dollars per system each year could be well worth it to avoid potential millions in fines, penalties or brand damage.

Myth 3: I need to rip and replace my security network

It is true that when Google first established its zero-trust security architecture, it decided to rebuild its entire security network from the ground up. But this is not the case for most organisations.

Zero trust can simply involve an augmentation of security controls that already exist within your environment. For instance, you can start by deploying an MFA Everywhere solution, which is not overly complex and can deliver tremendous value. This first step can go a long way toward establishing identity insurance and dramatically reducing your attack surface, putting your organisation firmly on a path to zero trust.

Myth 4: Zero trust is limited to on-site deployment

Many organisations think zero trust can only work on-premises and cannot be applied to the public cloud. This becomes a concern when sensitive data resides outside the traditional network perimeter. The fact of the matter is, zero trust can easily be extended to cloud environments, and it is increasingly important to do so as organisations across a broad range of industries move to hybrid, multi-cloud environments.

Further, zero trust not only covers infrastructure, databases and network devices, but is extended to other attack surfaces that are increasingly becoming strategic requirements of modern organisations including, Big Data, DevOps, containers and more.

Myth 5: Zero trust’s benefit is it will minimise exposure to risk

Risk mitigation is clearly a major benefit of zero trust, but it is definitely not the only one. Forrester recently concluded that zero trust can reduce an organisation’s risk exposure by 37% or more. But it also found that organisations deploying zero trust can reduce security costs by 31% and realise millions of dollars in savings in their overall IT security budgets.

Zero trust can also lead to greater business confidence. The Forrester study found that organisations deploying zero trust are 66% more confident in adopting mobile work models and 44% more confident in securing DevOps environments. As a result, they are able to accelerate new business models and introduce new customer experiences with a greater sense of assurance and success.

The bottom line is that today’s security is not secure. Rather than trust but verify, a zero-trust model assumes that attackers will inevitably get in if they are not already, so no one is to be trusted. With zero trust, you can minimise the attack surface, improve auditing and compliance visibility, and reduce complexity and cost.

Remember: Never trust. Always verify. Enforce least privilege.