Cybersecurity breaches continue to plague businesses, casting doubt on the effectiveness of even one of the most lauded security models — the Zero Trust approach.
As of 2023, many businesses had embraced the Zero Trust architecture, with Okta reporting a 61% adoption rate. The Zero Trust approach is often summarized as “verify everything, trust nothing”, and is built on the premise of treating every access request in a system as a potential threat.
This means every attempt to access resources must go through rigorous authentication and authorization processes, with continuous validation throughout the session.
Despite the promise, Gartner predicts that more than 50% of organizations will fail to realize Zero Trust’s benefits by 2026.
To understand why Zero Trust is failing and how organizations can maximize their ROI, Techopedia sat down with Brian Soby, CTO and co-founder of AppOmni.
Key Takeaways
- Cybersecurity breaches persist despite the growing adoption of Zero Trust security models.
- As of 2023, 61% of businesses have embraced Zero Trust, which treats all access requests as potential threats.
- Many organizations fail to implement a coherent end-to-end Zero Trust architecture, leaving critical gaps.
- Gartner predicts over 50% of companies will not fully realize the benefits of Zero Trust by 2026.
- Achieving Zero Trust ROI requires covering all components and ensuring seamless integration across the system.
About Brian Soby
Brian Soby is a technology and security professional with 20 years of experience spanning products, applications, and security. He has worked in defense, FinTech, and Software-as-a-Service (SaaS) at both large and small companies including Raytheon, MITRE, and Salesforce.
Soby then started a consultancy focused on SaaS security, before co-founding AppOmni, a SaaS company.
He earned a BS in Computer Science from Eckerd College, an MS in Information Assurance from Northeastern University and an MBA from the University of California, Berkeley, Haas School of Business.
Why Zero Trust is Failing
Q: Last year, we witnessed a surge in the adoption of Zero Trust security frameworks in many organizations. Yet we still have a high number of data breaches. Do you think there is a missing piece somewhere where Zero Trust has failed?
A: Undoubtedly, many organizations had high-profile zero-trust projects and implemented portions of Zero Trust. However, what the majority of organizations failed to do was create an end-to-end and coherent Zero Trust architecture.
We’re now seeing the inevitable result of partially implemented Zero Trust architectures that overlook critical pieces of our real-world risks or can simply be sidestepped by the bad guys because of their huge gaps.
They say that a chain is only as strong as its weakest link, but we haven’t even put a full Zero Trust chain together yet and only have a few disconnected segments.
What Makes Up a Zero Trust Security Architecture
Q: Like many other tech innovations, vendors have productized the concept of Zero Trust, leading to misconceptions and confusion. What exactly makes up a good model?
A: There are key security principles that must be applied at every component to create an effective Zero Trust architecture. No single product covers everything, and snake oil alarms should be going off in the head of anyone being sold a full Zero Trust solution that has superficial or simply missing coverage of major components of their business workflow.
The principles of zero trust include:
- No implied trust for users, systems, networks, etc.
- Continuous security
- Dynamic controls and policies to respond to changes and activities within the system
- Least privilege and granular authorization
- Creating an end-to-end architecture
Every time I see another company in the news for a security breach, I think about these principles and it’s usually clear what was missed in a security architecture that allowed the breach to happen.
While business units and departments are now custodians of critical data and administrators of critical business processes, they often do not know the length and breadth of the systems their data is connected to.
We see snatch-and-grab thefts of data that was simply sitting in systems misconfigured by a business unit to expose it to the world.
More recently, we saw a breach of Snowflake customers where the attackers just bought stolen credentials and logged into customer instances from highly questionable locations using obviously malicious applications.
A big payday for an attacker doesn’t really get easier than that, despite the fact that many of these organizations likely thought their “Zero Trust” projects like Secure Access Service Edge (SASE), Endpoint Detection and Response (EDR), or Single Sign-On (SSO) had protected them from these threats.
So, what’s missing is coherence and coverage of components within Zero Trust architectures, and bad guys are walking right through the huge gaps that companies are leaving.
Keeping Your Zero Trust Model Up to Date
Q: The cybersecurity landscape is always evolving. How can organizations keep their ZT architecture up to date?
A: This is where organizations need to lean on their security vendors. It’s not reasonable for companies to have deep security expertise and time investments in every bit of technology they may use.
At some point, you need to trust that your EDR client will effectively detect malware on your endpoints, that your SSO is properly authenticating users, that your ZTNA is properly authorizing and transporting users to applications, and that your SaaS security posture management (SSPM) is properly securing the applications themselves.
Then these components need to work together to achieve the granular, end-to-end, and dynamic architecture required by Zero Trust. If your components aren’t talking to each other, you’re not getting the best solution.
How to Measure Zero Trust ROI
Q: One of the cons of adopting the zero trust model is the high cost of implementation. How can organizations measure their ROI?
A: Unfortunately, companies will have a hard time realizing the value of their existing or potential Zero Trust investments without plugging the holes and creating a coherent and end-to-end architecture.
Let’s take a critical infrastructure example from the physical security world. If you’re protecting a power substation and you build a strong perimeter, monitoring, and gates around 75% of the substation, you usually don’t get 75% of the value.
You probably get 5% of the value since it’s just a slight inconvenience to the bad guy to pivot to the open and vulnerable section. This is exactly what we’re seeing with these incidents.
Attackers are simply pivoting to the common gaps in organizations’ security and zero trust.
For example, the very best single sign-on, hardware multi-factor authentication, VPNs, Endpoint Detection and Response, etc. would have provided very low security value in the attack on Snowflake customers since it was all optional, according to their Snowflake instances, and therefore trivially bypassed.
In order to achieve any real ROI for those investments, customers first needed to include Snowflake in their ZT architectures such that these investments were mandatory for an attacker to face.
It’s the same story for any other missing components or unapplied principles. Zero Trust simply isn’t a security strategy that can be implemented partially if you expect any meaningful ROI.
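As an added illustration of the point above (example code, not from the interview, AppOmni or Snowflake), this Python model uses hypothetical tenant settings and login fields to show why upstream SSO/MFA investments buy nothing when the destination itself still accepts a direct password login, and what an SSPM-style audit of that tenant would flag:

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class TenantAuthPolicy:
    """Hypothetical authentication settings a SaaS tenant controls on its own side."""
    sso_enforced: bool                 # every login must come through the IdP
    mfa_required: bool                 # the tenant itself rejects sessions without MFA
    local_passwords_allowed: bool      # username/password login still works
    network_allowlist: list = field(default_factory=list)  # CIDR strings

@dataclass
class LoginAttempt:
    via_sso: bool
    mfa_satisfied: bool
    password_valid: bool
    source_ip: str

def in_allowlist(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def tenant_accepts(policy, attempt):
    """The decision the destination makes by itself, regardless of what the
    corporate SSO, EDR or ZTNA stack would have demanded on the sanctioned path."""
    if policy.network_allowlist and not in_allowlist(attempt.source_ip, policy.network_allowlist):
        return False
    if attempt.via_sso:
        return attempt.mfa_satisfied or not policy.mfa_required
    # Direct username/password path: the upstream controls are never consulted here.
    if policy.sso_enforced or not policy.local_passwords_allowed:
        return False
    if policy.mfa_required and not attempt.mfa_satisfied:
        return False
    return attempt.password_valid

def audit_gaps(policy):
    """SSPM-style posture check: which upstream controls this tenant makes optional."""
    gaps = []
    if not policy.sso_enforced and policy.local_passwords_allowed:
        gaps.append("local password login accepted, so SSO and its MFA are optional")
    if not policy.mfa_required:
        gaps.append("MFA not enforced by the tenant itself")
    if not policy.network_allowlist:
        gaps.append("no network policy, logins accepted from any location")
    return gaps

# Constructed sample: one stolen credential used directly against two tenant configurations.
STOLEN_CREDS_DIRECT = LoginAttempt(via_sso=False, mfa_satisfied=False,
                                   password_valid=True, source_ip="203.0.113.7")
OPTIONAL = TenantAuthPolicy(sso_enforced=False, mfa_required=False, local_passwords_allowed=True)
MANDATORY = TenantAuthPolicy(sso_enforced=True, mfa_required=True, local_passwords_allowed=False,
                             network_allowlist=["198.51.100.0/24"])
```

With the OPTIONAL tenant the stolen password is accepted and every upstream control is skipped; with the MANDATORY tenant the same attempt is refused and only an SSO session with MFA from an allow-listed range gets in.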
Achieving End-to-End Zero-Trust Architecture
Q: How can organizations achieve the end-to-end and dynamic architecture required for zero trust to work?
A: It all boils down to covering everything from your users and their devices all the way through their destinations and then having all of your Zero Trust components talking to each other.
Most of the approaches we see today are very good at covering devices, very good at Zero Trust Network Access (ZTNA) and traffic inspection (for corporate users), but are marginal at user risk because they’re missing a lot of context around granular access and activities, and are poor at covering what’s happening at the destination applications and their configurations.
To achieve the end-to-end Zero Trust requirement, we need to fill in the missing user context and cover the destinations. To fill in the missing user context, you can cover all of your users instead of just your corporate users and then understand what everyone can do and is doing in the applications.