10 things CISOs need to know about zero trust

Tech stacks that rely on trust make it easy for cyberattackers to breach enterprise networks. Perimeter-based approaches from the past that rely on trust first are proving to be an expensive enterprise liability. Basing networks on trust alone creates too many exploitable gaps by cyberattackers who are more adept at exploiting them. 

Worst of all, perimeter networks by design rely on interdomain trust relationships, exposing entire networks at once. What worked in the past for connecting employees and enabling collaboration outside the walls of any business isn’t secure enough to stand up to the more orchestrated, intricate attack strategies happening today. 

Eliminating trust from tech stacks needs to be a high priority 

Zero Trust Network Access (ZTNA) is designed to remove trust from tech stacks and alleviate the liabilities that can bring down enterprise networks. Over the last eighteen months, the exponential rise in cyberattacks shows that patching perimeter-based network security isn’t working. Cyberattackers can still access networks by exploiting unsecured endpoints, capturing and abusing privileged access credentials and capitalizing on systems that are months behind on security patches. In the first quarter of 2022 alone, there has been a 14% increase in breaches compared to Q1 2021. Cyberattacks compromised 92% of all data breaches in the first three months of 2022, with phishing and ransomware remaining the top two root causes of data compromises.

Reducing the risks of supporting fast-growing hybrid workforces globally while upgrading tech stacks to make them more resilient to attack and less dependent on trust are motivating CISOs to adopt ZTNA. In addition, securing remote, hybrid workforces, launching new digital-first business growth initiatives and enabling virtual partners & suppliers all drive ZTNA demand. As a result, Gartner is seeing a 60% year-over-year growth rate in ZTNA adoption. Their 2022 Market Guide for Zero Trust Network Access is noteworthy in providing insights into all CISOs need to know about zero trust security.      

What CISOs need to know about zero trust 

Targeting the trust gaps in tech stacks with ZTNA is delivering results. There are ten areas that CISOs can focus on to make progress and start closing more gaps now, based on the insights gained from the Gartner market guide and research completed by VentureBeat:

• Clean up access privileges before starting IAM or PAM. Closing the trust gaps that jeopardize identities and privileged access credentials is often the priority organizations concentrate on first. It is common to find contractors, sales, service and support partners from years ago still having access to portals, internal sites and applications. Purging access privileges for expired accounts and partners is a must-do; it is the essence of closing trust gaps. Getting this done first ensures only the contractors, sales, service and support partners who need access to internal systems can get them. Today, locking down valid accounts with Multi-Factor Authentication (MFA) is table stakes. MFA needs to be active on all valid accounts from the first day. 

• Zero trust needs to be at the core of System Development Lifecycles (SDLC) and APIs. Perimeter-based security dominates devops environments, leaving gaps cyberattackers continually attempt to exploit. API breaches, including those at Capital One, JustDial, T-Mobile and elsewhere continue to underscore how perimeter-based approaches to securing web applications aren’t working. When APIs and the SDLCs they support to rely on perimeter-based security, they often fail to stop attacks. APIs are becoming one of the fastest-growing threat vectors, given how quickly devops teams create them to support new digital growth initiatives. CIOs and CISOs need to have a plan to protect them using zero trust. A good place to start is to define API management and web application firewalls that secure APIs while protecting privileged access credentials and identity infrastructure data. CISOs also need to consider how their teams can identify the threats in hidden APIs and document API use levels and trends. Finally, there needs to be a strong focus on API security testing and a distributed enforcement model to protect APIs across the entire infrastructure. The business benefits of APIs are real, as programmers employ them for speedy development and integration. However, unsecured APIs present a keen application security challenge that cannot be ignored.

3. Build a strong business case for ZTNA-based endpoint security. CISOs and their teams continue to be stretched too thin, supporting virtual workforces, transitioning workloads to the cloud and developing new applications. Adopting a ZTNA-based approach to endpoint security is helping to save the IT and security team’s time by securing IT infrastructure and operations-based systems and protecting customer and channel identities and data. CISOs who create a business case for adopting a ZTNA-based approach to endpoint security have the greatest chance of getting new funding. Ericom’s Zero Trust Market Dynamics Survey found that 80% of organizations plan to implement zero-trust security in less than 12 months, and 83% agree that zero trust is strategically necessary for their ongoing business. Cloud-based Endpoint Protection Platforms (EPP) provide a faster onramp for enterprises looking for endpoint data. Combining anonymized data from their customer base and using Tableau to create a cloud-based real-time dashboard, Absolute’s Remote Work and Distance Learning Center provides a broad benchmark of endpoint security health. The dashboard provides insights into device and data security, device health, device type and device usage and collaboration. Absolute is also the first to create a self-healing ZTNA client for Windows capable of automatically repairing or reinstalling itself if tampered with, accidentally removed or otherwise stopped working – ensuring it remains healthy and delivers full intended value. Cloud-based EPP and self-healing endpoint adoption continue growing. Self-healing endpoints deliver greater scale, security and speed to endpoint management – helping to offload overworked IT teams. A self-healing endpoint has self-diagnostics designed that can identify breach attempts and take immediate action to thwart them when combined with adaptive intelligence. Self-healing endpoints then shut themselves off, re-check all OS and application versioning, including patch updates, and reset themselves to an optimized, secure configuration. All these activities happen without human intervention. Absolute Software, Akamai, Blackberry, Cisco’s self-healing networks, Ivanti, Malwarebytes, McAfee,  Microsoft 365, Qualys, SentinelOne, Tanium, Trend Micro, Webroot and many others all claim their endpoints can autonomously self-heal themselves.

4. Just one unprotected machine identity will compromise a network. Machine identities, including bots, IoT devices and robots, are the fastest proliferating threat surface in enterprises today, growing at twice the rate of human identities. It’s common for an organization not to have a handle on just how many machine identities exist across their networks as a result. It’s not surprising that 25% of security leaders say the number of identities they’re managing has increased by ten or more in the last year. Overloaded IT teams are still using spreadsheets to track digital certificates, and the majority don’t have an accurate inventory of their SSH keys. No single pane of glass can track machine identities, governance, user policies and endpoint health. Machine identities’ rapid growth is attracting R&D investment, however. Leaders who combine machine identities and governance include Delinea, Microsoft Security, Ivanti, SailPoint, Venafi, ZScaler and others. Ericom’s ZTEdge SASE Platform and their machine learning-based Automatic Policy Builder create and maintain user and machine-level policies today. Customer case studies on the Ericom site provide examples of how Policy Builder effectively automates repetitive tasks and delivers higher accuracy in policies. Getting governance right on machine identities as they are created can stop a potential breach from happening. 

5. Consider strengthening AWS’ IAM Module in multicloud environments. AWS’ IAM module centralizes identity roles, policies and Config Rules yet still doesn’t go far enough to protect more complex multicloud configurations. AWS provides excellent baseline support for Identity and Access Management at no charge as part of their AWS instances. CISOs and the enterprises they serve need to evaluate how the AWS IAM configurations enable zero trust security across all cloud instances. By taking a “never trust, always verify, enforce least privilege” strategy when it comes to their hybrid and multicloud strategies, organizations can alleviate costly breaches that harm the long-term operations of any business.

6. Remote Browser Isolation (RBI) is table stakes for securing Internet access. One of the greatest advantages of RBI is that it does not disrupt an existing tech stack; it protects it. Therefore, CISOs that need to reduce the complexity and size of their web-facing attack surfaces  can use RBI, as it was purpose-built for this task. It is designed to isolate every user’s internet activity from enterprise networks and systems. However, eliminating trusted relationships across an enterprise’s tech stack is a liability. RBI takes a zero-trust approach to browsing by assuming no web content is safe. The bottom line is that RBI is core to zero-trust security. The value RBI delivers to enterprises continues to attract mergers, acquisitions, and private equity investment. Examples include MacAfee acquiring Light Point Security, Cloudflare acquiring S23 Systems, Forcepoint acquiring Cyberinc and others in this year’s planning stages. Leaders in RBI include Broadcom, Forcepoint, Ericom, Iboss, Lookout, NetSkope, Palo Alto Networks, Zscaler, and others. Ericom is noteworthy for its approach to zero-trust RBI by preserving the native browser’s performance and user experience while hardening security and extending web and cloud application support.

7. Have a ZTNA-based strategy to authenticate users on all mobile devices. Every business relies on its employees to get work done and drive revenue using the most pervasive yet porous device. Unfortunately, mobile devices are among the fastest-growing threat surfaces because cyber attackers learn new ways to capture privileged access credentials. Attaining a ZTNA strategy on mobile devices starts with visibility across all endpoint devices. Next, what’s needed is a Unified Endpoint Management (UEM) platform capable of delivering device management capabilities that can support location-agnostic requirements, including cloud-first OS delivery, peer-to-peer patch management and remote support. CISOs need to consider how a UEM platform can also improve the users’ experience while also factoring in how endpoint detection and response (EDR) fit into replacing VPNs. The Forrester Wave™: Unified Endpoint Management, Q4 2021 Report names Ivanti, Microsoft, and VMWare as market leaders, with Ivanti having the most fully integrated UEM, enterprise service management (ESM), and end-user experience management (EUEM) capability. 

8. Infrastructure monitoring is essential for building a zero-trust knowledge base. Real-time monitoring can provide insights into how network anomalies and potential breach attempts are attempted over time. They’re also invaluable for creating a knowledge base of how zero trust or ZTNA investments and initiatives deliver value. Log monitoring systems prove invaluable in identifying machine endpoint configuration and performance anomalies in real-time. AIOps effectively identifies anomalies and performance event correlations on the fly, contributing to greater business continuity. Leaders in this area include Absolute, DataDog, Redscan, LogicMonitor and others. Absolute’s recently introduced Absolute Insights for Network (formerly NetMotion Mobile IQ) represents what’s available in the current generation of monitoring platforms. It’s designed to monitor, investigate and remediate end-user performance issues quickly and at scale, even on networks that are not company-owned or managed. Additionally, CISOs can gain increased visibility into the effectiveness of Zero Trust Network Access (ZTNA) policy enforcement (e.g., policy-blocked hosts/websites, addresses/ports, and web reputation), allowing for immediate impact analysis and further fine-tuning of ZTNA policies to minimize phishing, smishing and malicious web destinations. 

9. Take the risk out of zero-trust secured multicloud configurations with better training. Gartner predicts this year that 50%t of enterprises will unknowingly and mistakenly expose some applications, network segments, storage, and APIs directly to the public, up from 25% in 2018. By 2023, nearly all (99%) of cloud security failures will be tracked back to manual controls not being set correctly. As the leading cause of hybrid cloud breaches today, CIOs and CISOs need to pay to have every member of their team certified who is working on these configurations. Automating configuration checking is a start, but CIOs and CISOs need to keep scanning and audit tools current while overseeing them for accuracy. Automated checkers aren’t strong at validating unprotected endpoints, for example, making continued learning, certifications and training needed. 

10. Identity and access management (IAM) needs to scale across supply chains and service networks. The cornerstone of a successful ZTNA strategy is getting IAM right. For a ZTNA strategy to succeed, it needs to be based on an approach to IAM that can quickly accommodate new human and machine identities being added across supplier and in-house networks. Standalone IAM solutions tend to be expensive, however. For CISOs just starting on zero trust, it’s a good idea to find a solution that has IAM integrated as a core part of its platform. Leading cybersecurity providers include Akamai, Fortinet, Ericom, Ivanti, and Palo Alto Networks. Ericom’s ZTEdge platform is noteworthy for combining ML-enabled identity and access management, ZTNA, micro-segmentation and secure web gateway (SWG) with remote browser isolation (RBI).

The future success of ZTNA 

Pursuing a zero trust or ZTNA strategy is a business decision as a technology one. But, as Gartner’s 2022 Market Guide for Zero Trust Network Access illustrates, the most successful implementations begin with a strategy supported by a roadmap. How core concepts of zero trust removing any trust from a tech stack is foundational to any successful ZTNA strategy. The guide is noteworthy in its insights into the areas CISOs need to concentrate on to excel with their ZTNA strategies. Identities are the new security perimeter, and the Gartner guide provides prescriptive guidance on how to take that challenge on.