What is Zero Trust? What is it not? Many providers now use the term for marketing purposes and dilute its true meaning. It’s actually quite simple.
"Zero Trust" has become a popular marketing buzzword in IT security. Many providers use this term to make their products and services more appealing. They want to imply that their solutions meet the latest and best security standards. However, this can lead to a false sense of security for customers who purchase such products. They may feel completely secure but might overlook existing vulnerabilities or pay for features they don't need.
What Zero Trust does for increased security
This is not meant to be a criticism of Zero Trust itself. It has many advantages and represents a long overdue departure from the outdated perimeter model. Zero Trust continuously verifies users and devices regardless of their location, and it offers significantly higher security than models that consider a firewall at the outer edge of the network to be the most important protection.
However, the positive reputation of Zero Trust has motivated some vendors to set themselves apart from the competition by piling on new features (so-called "featuritis"). In the worst case, the result is superficial, incomplete, and overpriced security measures. So let's take a step back and examine the key security principles of Zero Trust:
- Continuous verification: Instead of trusting once as in the perimeter model, every access request must be continuously verified and authenticated. This includes the identity of users and devices and – more importantly – the context of the requests.
- Principle of least privilege: Users and devices are only granted the access rights they need to do their work. This reduces the risk that hackers or malware will misuse a compromised account or device as a starting point for further attacks.
- Consistent encryption: Since no connection on the network is assumed to be secure, all data in transit is encrypted end to end: SSL/TLS for web traffic, virtual private networks (VPNs) for long-distance connections. Data at rest on storage media is likewise encrypted according to current best practices.
- Micro-segmentation: The corporate network is divided into smaller, isolated segments to prevent lateral movement from a potentially compromised system to other parts of the network.
- Comprehensive logging and monitoring: All activities must be continuously monitored, logged, and analyzed to detect unusual or suspicious behavior at an early stage. This allows for a quick response.
- Device security: Every client that wants to access the network needs trustworthy and comprehensive protection. This includes compliance with security policies and current updates for all operating systems and applications used.
- Application security: All applications and services must be designed, configured, and operated securely. Access must be strictly controlled and monitored, which minimizes vulnerabilities and potential attack vectors.
- Adaptive security checks: All security measures must adapt dynamically and in real time to the context and current risks. This leads to continuous optimization of security and adaptation to new threats.
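To make the principles above concrete, here is an added example (not code from the original post or from NCP) of a minimal policy decision point: it evaluates every request from scratch against identity, device posture, least-privilege grants, and request context, raises the bar when the context looks risky instead of trusting a one-time login, and records each decision for monitoring. The users, devices, grants, and thresholds are constructed sample data.

```python
"""
Added illustration of a per-request Zero Trust access check.
All users, devices, grants and thresholds are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"   # require a fresh, stronger authentication first


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    resource: str
    action: str
    src_country: str
    mfa_age_minutes: int       # minutes since the last MFA challenge
    timestamp: datetime


# Constructed identity directory (hypothetical users)
USERS = {
    "alice": {"roles": {"finance-reader"}, "home_country": "DE"},
    "bob":   {"roles": {"hr-admin"},       "home_country": "DE"},
}

# Constructed device inventory with posture attributes
DEVICES = {
    "lap-01": {"owner": "alice", "managed": True,  "patched": True,  "disk_encrypted": True},
    "lap-02": {"owner": "bob",   "managed": True,  "patched": False, "disk_encrypted": True},
    "byod-9": {"owner": "alice", "managed": False, "patched": True,  "disk_encrypted": False},
}

# Least-privilege grants: role -> {resource: allowed actions}
GRANTS = {
    "finance-reader": {"ledger": {"read"}},
    "hr-admin": {"hr-db": {"read", "write"}},
}

MAX_MFA_AGE_MINUTES = 60   # constructed threshold for "stale" authentication


def device_compliant(device: dict) -> bool:
    """Device-security principle: only managed, patched, encrypted clients qualify."""
    return device["managed"] and device["patched"] and device["disk_encrypted"]


def least_privilege_allows(user: dict, resource: str, action: str) -> bool:
    """Grant only what one of the user's roles explicitly permits."""
    return any(action in GRANTS.get(role, {}).get(resource, set()) for role in user["roles"])


def evaluate(req: Request, audit: list) -> Decision:
    """Evaluate one request from scratch; nothing is carried over from earlier requests."""
    user = USERS.get(req.user)
    device = DEVICES.get(req.device_id)
    reasons = []

    if user is None or device is None:
        reasons.append("unknown identity or device")
    else:
        if device["owner"] != req.user:
            reasons.append("device not bound to user")
        if not device_compliant(device):
            reasons.append("device non-compliant")
        if not least_privilege_allows(user, req.resource, req.action):
            reasons.append("no grant for action")

    if reasons:
        decision = Decision.DENY
    elif req.src_country != user["home_country"] or req.mfa_age_minutes > MAX_MFA_AGE_MINUTES:
        # Adaptive check: unusual context raises the bar instead of silently allowing
        decision = Decision.STEP_UP
        reasons.append("context risk: unusual location or stale MFA")
    else:
        decision = Decision.ALLOW

    # Logging/monitoring principle: every decision is recorded together with its reasons
    audit.append({"ts": req.timestamp.isoformat(), "user": req.user, "device": req.device_id,
                  "resource": req.resource, "action": req.action,
                  "decision": decision.value, "reasons": reasons})
    return decision


def demo() -> list:
    """Run a handful of constructed requests and return the decisions in order."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    audit: list = []
    requests = [
        Request("alice", "lap-01", "ledger", "read",  "DE", 10,  now),   # allow
        Request("alice", "lap-01", "ledger", "write", "DE", 10,  now),   # deny: no grant
        Request("alice", "byod-9", "ledger", "read",  "DE", 10,  now),   # deny: device posture
        Request("alice", "lap-01", "ledger", "read",  "US", 10,  now),   # step-up: new location
        Request("alice", "lap-01", "ledger", "read",  "DE", 120, now),   # step-up: stale MFA
        Request("bob",   "lap-02", "hr-db",  "write", "DE", 5,   now),   # deny: unpatched
    ]
    decisions = [evaluate(r, audit) for r in requests]
    for entry in audit:
        print(entry)
    return decisions


if __name__ == "__main__":
    demo()
```

The point of the example is that the same user on the same device gets different answers depending on device state, requested action, and context, and that a login an hour ago buys nothing on its own: each request is re-evaluated, and the audit list is what a monitoring pipeline would consume.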
What security features go beyond Zero Trust
Additional security functions can be useful in certain environments but are not part of the Zero Trust model and do not meet its very specific requirements. This also applies to classic perimeter firewalls, which still have their place. Another example is classic antivirus software that focuses on detecting and eliminating malware, but does not offer the comprehensive access controls and continuous checks that the Zero Trust model provides.
Other functions that also do not belong to the Zero Trust model are, for example, intrusion detection systems (IDS), which monitor the network but take no action of their own, whether preventive or reactive. Even a VPN without additional security measures does not comply with the Zero Trust concept if it does not include continuous and adaptive security checks. Therefore, it is important to ensure that the VPN complies with the Zero Trust principles.
SIEM (Security Information and Event Management), Secure Boot, and telemetry are likewise not among the necessary components of a core Zero Trust solution, as some providers suggest in their advertising.
How inadequate products are decorated with the Zero Trust label
Apart from the buzzword effect, there are other reasons why Zero Trust is misused for marketing purposes. For example, Zero Trust has no uniform standards or certifications. This makes it difficult to assess and measure compliance with its principles objectively. Providers and manufacturers can, and often do, use the term flexibly and sometimes misleadingly.
To make matters worse, Zero Trust is a complex and comprehensive security concept that encompasses a variety of technologies and practices. This makes it easier for marketing departments to single out and overemphasize individual aspects without giving a complete picture. This also allows products to be marketed with the Zero Trust label, even though they only include some aspects of the overall concept. Some suppliers want to gain a competitive advantage by presenting their products as secure and state-of-the-art.
Customers can avoid the trap if they:
- remain critical of marketing slogans and question technical details
- ask about specific examples of how Zero Trust has already been implemented in a product or service
- review independent assessments and certifications to better assess the credibility of Zero Trust claims.
Would you like to dive deeper into Zero Trust? Our blog post "What role do SASE and SSE play in a Zero Trust concept" sheds light on the connection between Zero Trust and security concepts such as SASE, ZTNA, and SSE. Or simply contact us to find out how NCP VPN enhances any Zero Trust concept.