"what other potential security concepts those people and companies are also missing out on"
I'm sure we'll find out soon, what with all the Russian miscreants on the keyboard warpath these days.
When we published the questions for this survey, our view was that zero trust, or ZT, has finally begun to become a thing – as a real technology in real companies. Now we have the results from more than 500 respondents, though, has it turned out that we're right? See for yourself below. We started gently with a have-you-heard …
Zero Trust is great in principle but in reality it's a lot of preparation and also the risk that you are going to block a lot of devices that currently have access to your network.... Which in normal times would be OK because you would have access to the device in question, it would be somewhere in your building BUT with Home Office everything quickly becomes impossible to implement.....
It's a problem looking for a solution that has been found but that cannot be put into production....
Have just rolled out zero trust (ThreatLocker) to around 480 endpoints consisting of around ~30 clients as a 'litmus test'. (MSP).
The 'learning period' for the software, whilst it scans frequently used software and behaviour coupled with preparation, and working with the vendor is absolutely essential. It's incredibly logical to configure no matter the platform and it's not quite as scary as most sysadmins think. Once you've got a set of baseline policies, most can be applied across your entire client-base and the more you do, the larger the definitions and policies for ZT get and the slicker it becomes.
Already in the first month we've caught 7x attempted cryptolocker infections that *MAY* have been caught by Sophos Intercept X previously, but TL definitely did. Most ZT solutions incorporate some sort of auto-elevation by policy, to allow software like Office, Sage, LOB software, etc to obtain temporary elevation without having to make people local admin, so it's an added bonus for our helpdesk.
"The 'learning period' for the software, whilst it scans frequently used software and behaviour coupled with preparation, and working with the vendor is absolutely essential."
So, far from being zero trust, you've actually implicitly trusted one system which you've given access to everything? In a well configured environment that thing wouldn't have access to scan anything since traffic would be encrypted and it wouldn't have the credentials or network access to get onto any systems.
That's the entire point of Zero Trust.. you have to put your faith in SOMETHING to perform it. It's installed on all endpoints and all server(s), has the ability to allow an application to run, but 'ringfencing' its capability to run outside its own environment/sandbox.
For instance, you can allow 'Sage_Accounts_v27.8_Update.exe' to launch & communicate with the necessary Sage IP addresses, for activation, etc - To write to the C:\Program Files\Sage\* directory but block it from doing anything outside those specific parameters. Traffic, whether encrypted or not encrypted, is only allowed out if you explicitly allow it.
It's no different to implicitly trusting Sophos, ESET, Webroot, et al - With the same role, except ZT functions in a completely different manner.
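The ringfencing described in the comment above, modelled as a default-deny policy evaluator. This is an added example, not the commenter's or ThreatLocker's code; the policy format, the `evaluate` function and the TEST-NET IP addresses are assumptions, and the Sage paths are taken from the comment only as an illustration.

```python
# Added example (not from the comment or any vendor): a toy default-deny
# "ringfencing" policy. Only the named executable may launch, and it may only
# reach the listed destinations and write under the listed directory.
from dataclasses import dataclass
from ntpath import normpath

# Constructed policy. IPs are RFC 5737 TEST-NET addresses, not real Sage servers.
POLICY = {
    "sage_accounts_v27.8_update.exe": {
        "net": {("203.0.113.10", 443), ("203.0.113.11", 443)},
        "write": [r"C:\Program Files\Sage"],
    }
}

def _normalize(path: str) -> str:
    # Collapse "..", mixed slashes and case so a prefix check cannot be bypassed
    return normpath(path.replace("/", "\\")).lower()

def _under(path: str, root: str) -> bool:
    p, r = _normalize(path), _normalize(root).rstrip("\\")
    return p == r or p.startswith(r + "\\")   # "\\" stops "Sage" matching "SageFake"

@dataclass
class Decision:
    allowed: bool
    reason: str

def evaluate(event: dict) -> Decision:
    """Check one endpoint event against POLICY; anything not listed is denied."""
    app = event.get("exe", "").lower()
    rules = POLICY.get(app)
    if rules is None:
        return Decision(False, f"{app or '<unknown>'}: not on the allow list")
    kind = event.get("type")
    if kind == "exec":
        return Decision(True, f"{app}: permitted to launch")
    if kind == "connect":
        dest = (event.get("ip"), event.get("port"))
        if dest in rules["net"]:
            return Decision(True, f"{app}: outbound to {dest[0]}:{dest[1]} allowed")
        return Decision(False, f"{app}: outbound to {dest[0]}:{dest[1]} not in policy")
    if kind == "write":
        if any(_under(event.get("path", ""), root) for root in rules["write"]):
            return Decision(True, f"{app}: write inside ringfence")
        return Decision(False, f"{app}: write outside ringfence: {event.get('path')}")
    return Decision(False, f"{app}: event type {kind!r} not covered by policy")
```

The path normalisation matters: a write to `C:\Program Files\Sage\..\..\Windows\...` resolves outside the ringfence and is denied even though its raw string starts with the allowed prefix.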
Finally, we asked about vendors that people don't already use. A whopping 32.2 per cent fessed up that they knew nothing about any vendors' offerings, while 257 – almost exactly half of those who responded – claimed a "limited" knowledge.
If you believe a tool is an answer for security, you're wrong.
Zero trust should really be called 100% trust.
You need to 100% trust your CPU (code running on the Intel ME can not be audited, neither can code running on the AMD PSP - both of which have read/write access to all RAM and network traffic).
You also need to 100% trust your TPM (Trusted Platform Module, designed by all US based companies - AMD, Hewlett-Packard, IBM, Intel, Microsoft - that legally must obey all Foreign Intelligence Surveillance Court orders with gagging). That when initialised in the factory with the Endorsement Primary Seed (EPS) which is typically hardcoded (because it is cheaper), that no "backup" copy was kept.
The Zero Trust model is good, but the foundation it is built on has a lot of unfounded implicit trust.
The term is already being perverted in the industry. Places want to do Single Sign On and Zero Trust to be fully buzzword compliant.
Another meaningless term now is "Air Gapped." Apparently acceptable use somehow now means firewalled with all inbound connections disabled to the specific host rather than the "No network at all" like it used to mean. I've seen the term used to describe a host on a typical office LAN where other hosts have inbound traffic allowed.
> Another meaningless term now is "Air Gapped." ... somehow now means firewalled
> with all inbound connections disabled to the specific host
WTF? I get how complex technical terms can be misunderstood or subverted, but it is hard to understand how anyone can subvert such a clear physical concept.
Problem with ZT is that the premise is that I.T. has ZT in the end user's device, so basically wants to control it (install Agent/Apply Policy/Monitor security) but the end user has ZT in I.T. to allow them to install the agent/apply the policies without impinging on their freedoms.
Same battle as Gov would have by insisting all cars have black boxes to enforce road pricing?
It's not the end user's device, it's the company's device. The end user has no freedom in regards to policies, approved applications and so on; it is all at the company's discretion. Any deviation from the approved standards must have a solid business case to support it*
*Unless there is BYOD policy in which case the company deserves all the pain coming their way
I think the problem IT security has, at least in getting budgeted, is this: It can be a difficult sell to the bean counters. Yes, a brand new security system will protect a company's infrastructure, but the existing system should be doing that, so why would they pay for something that does what they have a system for anyway? Yes, you can talk about detection statistics and methods, but that talk may well confuse the person you are talking to. It may also bore them slightly, in which case they are less likely to listen. Even if they do listen, it's not going to engage them as much as something that will provide what they consider a significant benefit to the business. Perhaps an increase in sales, or an increase in efficiency or profits.
The problem is, while you can argue that someone might break into the system, and if they do, the company might lose money (or reputation, and therefore money) they can dismiss that as "might" meaning it probably won't. There may or may not be a break in, but I think the risk it might happen is worth spending money to prevent it. After all, you could argue that the fact your office probably won't be broken in to is a good reason not to buy locks for the doors, but no one would seriously argue that.
I think the main problem IT security has from a budget perspective is that for any company with X turnover, the minimum cost to properly secure its systems turns out to be 1.5X annually.
And this then comes with a bunch of caveats on top: If a nation state actor targets you, it doesn't matter how much you spent cos they will get you anyway; productivity will be reduced by X% because it turns out half the company are cutting corners just to achieve their current targets; it's all ultimately futile anyway because so-and-so on the board will insist on emailing everything to his personal gmail account regardless and is too senior to overrule.