The road to Zero Trust

The road to Zero Trust not necessarily paved with gold

As discussed in my first article in this series, whilst Zero Trust must be the goal, there are a few potholes to navigate on the journey. Let me expand slightly more on these caveats, but also expose the greatest ally of Zero Trust.


Paul Meyer.


Peer to peer (P2P) technologies – prevalent in the late 1990s and very popular at that time – present another challenge in the road to Zero Trust.  These technologies were widely used across enterprise workforces and are known to be inadvertently capable of counteracting the principles of Zero Trust, particularly in Windows 10. Unless stringent Windows update sharing configurations are in place, P2P settings in this environment can inadvertently enable unauthorised lateral movement, exposing sensitive data.

Another potential weak point for Zero Trust implementations is the adoption of mesh network technology, where the trust model is built on keys or passwords and thus lacking the dynamic authentication necessary for robust Zero Trust setups.  Relying entirely on keys or passwords for access has been proven to be unsuccessful – all one has to do is to look at recent high profile breaches that highlight the hazards of this approach. Such protocols can easily be exploited by today’s highly tech savvy cyber criminals who appear to gain unrestricted access to sensitive resources with ease.

The ever expanding attack surface

Above are just some of the stumbling blocks to the implementation of Zero Trust, and if one adds the endpoint explosion through the internet of everything, the challenges are exponentially multiplied. For example, IoT is a major consideration for industries that already use a huge number of connected devices in their daily environments, as well as industries where this change is imminent.

There is not enough scope in this article to continue ad nauseam to outline the hurdles, and yet reveal how all can be conquered. But before I move to the positive, I must briefly touch on the all-important matter of regulatory compliance. New requirements are constantly emerging as legislators  struggle to keep pace with the latest trends and technologies, but the bottom line is that enterprises must also keep pace or risk the consequences of cyber breaches, namely reputational damage, hefty fines and operational downtime.

If, in reading this you are throwing your hands in the air and wondering just how much more difficult implementing Zero Trust can be, let me relieve some anxiety by noting that organisations tackling endpoint explosion can look to the cloud as a Zero Trust ally. Critical data can be taken off the endpoint and put in the cloud, making it impossible for cyber criminals who cannot get information from the endpoint if it is not there in the first place.

Connecting to the cloud can provide better protection and visibility into traffic as it replaces connecting to head office, for example for remote employees. Zero Trust can be enforced through the cloud without inserting a firewall in front of every resource. This approach reduces the opportunity for attack as it simplifies the architecture.

The only certainty is change

Just as technology constantly changes, cybersecurity also continually evolves. The sophistication of technology change keeps pace with that of cyber threats, with risk escalating in step with the amount of data requiring protection. As you are no doubt aware, we are creating more information than we ever have before, and conversely, less than we will in the future. This is where the cloud comes into the picture again.

The consumer space well and truly embraced the cloud, using it to store data about their entire lives – including their most sensitive personal information. Although businesses have been somewhat slower to adjust, there are changes in this pattern as companies are seen to be adopting the cloud en masse with 94% of enterprises utilising at least one cloud service and an estimated 83% of all enterprise workloads said to be in the cloud.

So, while the cloud has disrupted traditional cybersecurity, it has great ability to enable Zero Trust security in the era of information overload. It is only in the cloud that big data and analytics can be leveraged over huge networks of endpoints to predict and manage threats in real time. Only the cloud can be updated effortlessly and automatically with the latest security upgrades, keeping it a step ahead.  The more pervasive cloud becomes, the better it can mobilise to confront threats as soon as they emerge.

In conclusion

The path to Zero Trust is challenging, but with a clear vision, strong partnerships, and a commitment to security excellence, organisations can fortify defences against the relentless tide of cyber threats. To do this, businesses must embrace cutting-edge solutions that align seamlessly with their changing security needs, enabling them to remain resilient in the face of ever-evolving cybersecurity threats.

Written by: Paul Meyer, Security Solutions Executive, iOCO

Originally featured here