Nearly 4,000 cybersecurity professionals weighed in and 55% feel Zero Trust is the most impactful to keep organizations secure.
The debate over the most effective form of access control has been raging for as long as computers have had individual logins. Whether it's passwords, two-factor authentication, location-based authentication or password-less login, the debate is split. Or is it?
A survey conducted by (ISC)² on LinkedIn ahead of World Password Day revealed the extent to which zero trust policies are being embraced as part of stricter authentication practices. The poll of nearly 4,000 cybersecurity professionals revealed that 55% consider a zero trust policy to be the most impactful thing they can implement to keep their organizations secure.
This was followed by multi-factor authentication (27%), role-based access control (14%) and password-less technology (4%).
Zero trust is considered a good security approach because it operates on the assumption that no user or device should be trusted by default, regardless of their location or credentials. This approach requires all requests for access to resources to be verified and authorized before being granted. This is done by enforcing strict access controls, monitoring all network activity, and continually verifying user and device identities.
The zero trust approach assumes that attackers may already be present inside the confines of a network, or may be able to bypass traditional perimeter defenses such as firewalls. By implementing strict controls on all access to resources – whether the requester is known or otherwise – zero trust limits the attack surface and minimizes risk.
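To make the two preceding paragraphs concrete, here is an added example (not code from the (ISC)² article or from any product) contrasting a perimeter-style check, where being on the corporate network is enough, with a zero-trust policy decision that evaluates every request on identity, role, MFA, device posture and session freshness while ignoring network location. The resource catalogue, device inventory, sample requests and policy rules are all constructed for illustration and are assumptions, not any vendor's policy language. The same block also exercises the remote-worker case discussed later in the article: a request from outside the network is allowed when it meets the policy, and a request from inside is refused when it does not.

```python
"""Added illustration of the zero-trust decision model described above.
All data and policy rules here are constructed assumptions for the example."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed resource catalogue: what each resource demands of every request,
# regardless of where the request comes from.
RESOURCES = {
    "wiki":    {"roles": {"staff", "contractor"}, "mfa": False,
                "managed_device": False, "max_token_age": 3600},
    "payroll": {"roles": {"finance"}, "mfa": True,
                "managed_device": True, "max_token_age": 300},
}

# Constructed device inventory; "compliant" stands in for a posture check
# (patched, disk encrypted, endpoint agent running).
DEVICES = {
    "laptop-17": {"managed": True, "compliant": True},
    "laptop-42": {"managed": True, "compliant": False},
}


@dataclass
class AccessRequest:
    user: str
    roles: Set[str]
    resource: str
    source_ip: str
    mfa_verified: bool
    device_id: Optional[str]
    token_age_seconds: int   # how long since identity was last verified


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def perimeter_decide(req: AccessRequest) -> Decision:
    """The 'castle walls' model: a source address inside the corporate range
    (assumed here to be 10.0.0.0/8) is trusted, everything else is refused."""
    inside = req.source_ip.startswith("10.")
    note = "inside the network" if inside else "outside the network"
    return Decision(inside, [f"request from {note}"])


def zero_trust_decide(req: AccessRequest) -> Decision:
    """Verify and authorize every request explicitly.
    Note that req.source_ip is deliberately never consulted."""
    policy = RESOURCES.get(req.resource)
    if policy is None:
        return Decision(False, ["unknown resource"])
    reasons: List[str] = []
    if not (req.roles & policy["roles"]):
        reasons.append("role not authorised for resource")
    if policy["mfa"] and not req.mfa_verified:
        reasons.append("MFA required")
    if policy["managed_device"]:
        device = DEVICES.get(req.device_id) if req.device_id else None
        if device is None or not device["managed"]:
            reasons.append("unmanaged or unknown device")
        elif not device["compliant"]:
            reasons.append("device posture non-compliant")
    if req.token_age_seconds > policy["max_token_age"]:
        reasons.append("session too old; re-verify identity")
    return Decision(not reasons, reasons or ["all checks passed"])


# Constructed sample requests.
# An attacker (or careless insider) already on the LAN, stale session, no MFA,
# on a non-compliant device, asking for a resource outside their role.
INSIDER = AccessRequest("mallory", {"staff"}, "payroll", "10.1.2.3",
                        mfa_verified=False, device_id="laptop-42",
                        token_age_seconds=7200)
# A finance employee working remotely from a compliant managed device.
REMOTE_FINANCE = AccessRequest("alice", {"finance"}, "payroll", "203.0.113.7",
                               mfa_verified=True, device_id="laptop-17",
                               token_age_seconds=120)
# A contractor reaching a low-sensitivity resource from an unknown device.
REMOTE_CONTRACTOR = AccessRequest("bob", {"contractor"}, "wiki", "198.51.100.9",
                                  mfa_verified=False, device_id=None,
                                  token_age_seconds=1000)


def compare(req: AccessRequest) -> dict:
    """Run both models on one request and return their verdicts side by side."""
    return {"perimeter": perimeter_decide(req).allowed,
            "zero_trust": zero_trust_decide(req).allowed,
            "reasons": zero_trust_decide(req).reasons}


if __name__ == "__main__":
    for r in (INSIDER, REMOTE_FINANCE, REMOTE_CONTRACTOR):
        print(r.user, r.resource, compare(r))
```

The perimeter model lets the insider through and blocks the legitimate remote worker; the zero-trust function does the opposite and, when it refuses, returns every failed check so the denial can be logged and investigated rather than silently dropped.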
But is zero trust the answer to the problem? One commenter on the survey, cybersecurity consultant Aoife Noone, noted that “it all depends on the organization and its security requirements, budgets and capabilities. Reality is there isn’t one ‘most’ effective control, many must be applied and there are lots of cost-effective ways to do the simple things right.” Noone added that “it will cost companies a lot more if they fall victim to an attack. It’s all a balancing act depending on a company’s cyber requirements. Risks vs Cost!”
And while many pointed out that rather than a single approach, it’s healthy to be using all of them, zero trust remained a constant through most of the discussion.
“All of these [options] combined under the zero trust banner really is where I would put my eggs. All of these things are necessary and should be done to lay the groundwork for a zero-trust architecture,” said Jeff Bothel, CISSP, CCSP, a cloud security engineer.
Several participants also made the point that zero trust is a flexible approach that can be implemented across both on-premises and distributed working environments to protect systems and digital identity alike. This makes it well-suited to today’s remote workforce scenarios, with users wanting access from far outside the ‘castle walls’, often from unknown connection points.
However, security engineer Bob Galley, CISSP, made the point that the suitability and success of zero trust are not always about the physical locations being defended; they are about the people. “A zero trust policy is all well and good, but policies need to be supported by procedures that employees are willing to follow, and your business management/HR/legal [teams] are willing to enforce.”