CSP Global Blog

AI Readiness – Zero Trust (Part 2)

History of Zero Trust

Welcome to the second part in our AI readiness series.

By now, we are all aware that cybercrime never sleeps and hackers never stop evolving their tactics—which includes using AI to automate cyberattacks, create deep fakes, and complete nefarious tasks. According to Statista’s Market Insights, the estimated global cost of online criminal acts is expected to surge to $23.84 trillion by 2027, up from $8.44 trillion in 2022.

Before we get into the nuts and bolts of Zero Trust, let us begin with a history of the concept and how it has evolved over the last 30 years:

  • Origins and Evolution: The term “Zero Trust” was first coined by Stephen Paul Marsh in 1994 and popularized by John Kindervag in 2010, emphasizing the principle of “never trust, always verify”.
  • Google’s Influence: Google’s implementation of the BeyondCorp Zero Trust architecture in 2014 further popularized the concept, allowing secure remote work without traditional VPNs.
  • Core Principles: Zero Trust is based on three core principles: never trust, always verify; least privileged access; and assume breach, which collectively enhance security and address insider threats and human errors.
  • Modern Relevance: With the rise of remote work, cloud services, and AI, Zero Trust has become essential for protecting against modern cyber threats, addressing challenges like shadow IT, digital supply chain vulnerabilities, and cloud acceleration.

Challenges Addressed by Zero Trust

Zero Trust is a framework that addresses some of the biggest challenges faced by both SMBs and enterprises.

  1. Erosion of Traditional Networks: With the rise of remote work and cloud services, traditional network perimeters are no longer effective.
  2. Shadow IT and Business-Led IT: Employees often use unauthorized applications and Gen-AI, which can bypass security controls and lead to data loss.
  3. Digital Supply Chain Vulnerabilities: As organizations rely more on third-party services, the complexity and risk of supply chain attacks increase.
  4. Cloud Acceleration: The shift to cloud-based models expands the attack surface.
  5. Human Risk: Insider threats and human errors are significant risks and account for almost 60% of attacks.

In the realm of cybersecurity and digital transformation, philosophy and psychology often take a backseat. However, securing our data today requires a shift in mindset and culture, not just the implementation of technical controls. The success or failure of a breach can often hinge on the behavior of people inside your organization, or on the behavior of your technology service provider, i.e. whether they are committed to a strategic, proactive approach rather than a reactive, off-guard one.

Three Core Principles

Zero Trust is a security model founded on three core principles that lay the groundwork for redefining security and organizational culture.

Never trust, always verify:

This means that no user, device or application is trusted by default, whether it is inside the office network perimeter or working remotely. Here are just five examples from our Zero Trust Architecture; these conditions must be met before a user is granted access to any resources:

  • Device must be corporate owned.
  • Device must be compliant (meet minimum standards such as encryption, anti-virus, updates, zero risks, etc.).
  • User must be in certain geo-locations.
  • Administrators must use passwordless authentication, such as biometrics.
  • Mobile devices accessing corporate applications must have a policy to protect against data loss.
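The five conditions above can be read as a default-deny access decision. The following is an added sketch, not CSP's architecture or tooling; the field names, the country allow-list and the sign-in method strings are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ALLOWED_COUNTRIES = {"AU", "NZ"}  # assumption: constructed allow-list


@dataclass
class AccessRequest:
    # None means the signal was never reported; it is not read as "fine".
    corporate_owned: Optional[bool] = None
    compliant: Optional[bool] = None
    country: Optional[str] = None
    is_admin: Optional[bool] = None
    auth_method: Optional[str] = None  # assumed values: "password+mfa", "passwordless"
    is_mobile: Optional[bool] = None
    data_loss_policy: Optional[bool] = None


def evaluate(req: AccessRequest) -> list[str]:
    """Return the reasons to deny; an empty list means access is granted."""
    reasons = []
    if req.corporate_owned is not True:
        reasons.append("device not verified as corporate owned")
    if req.compliant is not True:
        reasons.append("device not verified as compliant")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append("location not in allowed geo-locations")
    # A conditional rule is skipped only when the role or device type is
    # positively known; an unknown role is treated as the stricter case.
    if req.is_admin is not False and req.auth_method != "passwordless":
        reasons.append("administrator without passwordless sign-in")
    if req.is_mobile is not False and req.data_loss_policy is not True:
        reasons.append("mobile device without data loss protection policy")
    return reasons


if __name__ == "__main__":
    # Constructed sample requests.
    laptop_user = AccessRequest(True, True, "AU", False, "password+mfa", False)
    admin_with_password = AccessRequest(True, True, "AU", True, "password+mfa", False)
    no_signals = AccessRequest()
    for name, req in [("laptop user", laptop_user),
                      ("admin with password", admin_with_password),
                      ("no signals", no_signals)]:
        print(name, "->", evaluate(req) or "granted")
```

A request that reports no signals at all is denied on every condition, which is the point of "never trust": absence of evidence is handled the same way as a failed check.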

Use least privileged access

80% of data breaches are linked to misuse of privileged accounts, and approximately 47% of organizations have users (including managed service providers and contractors) with elevated privileges that are unnecessary for their role. Accounts within your environment with highly privileged roles are prime targets during cyberattacks and should be guarded at all costs. When these accounts fall into the hands of cybercriminals, the potential damage rises significantly. Users with these roles should be audited regularly, and excessive administrative privileges should be removed or reduced where possible.

Assume breach

Putting protective controls in place that reduce the likelihood of a successful attack is paramount, for example regular updates, blocking macros, enabling MFA, backups, etc. However, with the increasing sophistication of hackers, especially with advancements in AI, these measures can be bypassed. Additionally, individuals within your organization, whether accidentally or intentionally, can undermine even the most secure environments. This is why adopting an ‘assume breach’ mindset is crucial. By enhancing your focus on detection and response, you acknowledge the inevitability of an attack but refuse to be caught off guard. As we know from health and medicine, prevention is often the best cure, but early detection remains vital.

Armed with these three principles, Zero Trust becomes a robust and holistic approach to modernizing your security posture as well as preparing your organization for AI adoption.

Adapting to Changes: What Should We Do?

The modern worker expects to have access to an abundance of digital and physical assets. While this enhances collaboration, knowledge production, and mobility, it also necessitates a security model that takes this growing digital estate into account. The following ‘functional’ areas are found in every organization:

  • Applications (desktop or cloud-based)
  • Networks (home, office, roaming)
  • Identities/credentials (cloud or on-premise)
  • Endpoints (desktops, laptops, BYOD, mobile phones)
  • Data (files, databases, applications)
  • Infrastructure (on-site servers, cloud, networking devices)

To protect these functional areas, the first step is to evaluate your current maturity level. At CSP, we utilize an assessment tool that scans the Microsoft cloud ecosystem, delivering a device maturity score and setting out a detailed Zero Trust roadmap.

We decided this initial report was such a valuable tool that we now offer it free of charge to both the NFP and education sectors. From day one, continuous alignment with this framework has been integral to our managed service offering, which underscores just how important we believe this framework is to building the type of resilience our partners deserve.

Our Zero Trust adoption guidance builds a Zero Trust strategy and architecture across these five business scenarios (each scenario has four maturity stages):

  • Rapidly modernize your security posture
  • Secure remote and hybrid work
  • Identify and protect sensitive business data
  • Prevent or reduce business damage from a breach
  • Meet regulatory and compliance requirements

Zero Trust and AI: Enhancing Security?

In Microsoft’s Copilot Get Ready E-book, Zero Trust is considered an essential component of an organization’s AI readiness strategy:

“The Zero Trust model forms a crucial foundation for the use of Copilot and AI in the corporate context. In an era where data is both a valuable resource and a potential security risk, Zero Trust’s “never trust, always verify” philosophy guarantees the security and integrity of data, which is essential for AI applications like Copilot. By continuously checking every access attempt on the network, Zero Trust ensures that only authenticated and authorised requests are processed, creating the basis for the secure and effective use of AI technologies in the company. Microsoft supports the implementation of the Zero Trust model with its robust security solutions and services.”

By adopting a Zero Trust framework, organizations can create a secure foundation before starting their AI initiatives and ensure that they are ready to leverage AI technologies effectively and safely.

If you need assistance with your Zero Trust journey, please reach out to us anytime at info@csp.global.

References:

https://www.forbes.com/councils/forbestechcouncil/2023/04/11/the-top-five-challenges-of-zero-trust-security/

https://learn.microsoft.com/en-us/security/zero-trust/zero-trust-assessment-progress-tracking-resources

Smoother Zero Trust with Microsoft and NIST | Microsoft Security Blog

Zero Trust in the Age of AI: Join our online event to learn how to strengthen your security posture | Microsoft Security Blog

Microsoft 365 E-book