5 areas where zero trust can’t protect your organization

Adopting zero trust is no fail-safe against cyberattacks. Attackers keep finding ways around zero trust, often because not everything in the organization's environment was considered when it was deployed. Among the overlooked risks are legacy systems, unmonitored IoT devices, and privileged access abuse.

Zero trust is a cybersecurity paradigm–a philosophy, really–in which every user, every device, every message is considered to be untrusted unless proven otherwise. It’s an alternative to the old perimeter-based approach, where things on the outside were untrusted, and things inside corporate networks were automatically considered trustworthy. In other words, enterprises had a hard shell and a soft, gooey center.

In an era where the perimeter is everywhere, where employees are as likely to be at home as at the office, where computing resources are spread among multiple data centers, clouds, and other third parties, the old approaches no longer work. Zero trust is the modern answer to this problem. And everyone is on board. According to an Okta survey of 700 companies released in 2022, 55% of organizations already had a zero trust initiative in place–up from 24% in 2021–and 97% planned to have one in the coming 12 to 18 months.

Zero trust isn’t a cure-all. According to Gartner, through 2026, more than half of cyberattacks will be aimed at areas that zero trust doesn’t cover and can’t protect against. “There are two big issues with zero trust. One is scope, like legacy technology, or shadow IT. A second big issue is that there are attacks that bypass zero trust controls,” says Gartner analyst John Watts.

Companies are slow to deploy zero trust

Only 19% of organizations have already implemented zero trust, according to a Cybersecurity Insiders survey of 400 IT and cybersecurity professionals in the US released in March. Meanwhile, 30% said that projects are underway, and 38% said that they’re still in the planning stages. These estimates may be overly optimistic. According to Gartner, fewer than 1% of organizations have a mature and measurable zero trust program in place, and only 10% will have one by 2026.

Even when zero trust has been rolled out, it doesn’t mean that all security issues have been solved. Zero trust has several blind spots, including legacy systems that weren’t designed for zero trust, privileged users doing things they shouldn’t, unmonitored IoT devices, third-party systems, and, of course, the ongoing problem of change management.

5 areas where zero trust alone won’t protect organizations

1. Legacy systems

Not all systems and applications are easily updated to zero trust principles. Many legacy systems, for example, just don’t have what it takes. Insurance broker PIB Group was founded just seven years ago but since then it has acquired 92 other companies, most of them other insurance firms. It went from 12 employees to 3,500. “We’re acquiring a lot of platforms, and they’re written by their cousin who’s gone off to another job and isn’t supporting them properly,” CISO Jason Ozin tells CSO.

Even the company’s current HR system won’t support zero trust, Ozin says. “It won’t even support two-factor [authentication]. It will support username and password. It will support IP whitelisting.” But IP whitelisting isn’t very useful when everyone is working from home or another remote location.

The company is about to switch to a new HR system, but other systems aren’t as quickly replaceable. Until they are, Ozin has a workaround in place. “What we can do is put a zero-trust wrapper around it. You’ll be authenticated. Are you coming from a location we recognize? Are you using two-factor?” Once the authentication is handled, only then will the wrapper pass the traffic to the legacy system. The legacy system–for example, the current HR system–will check the IP address to make sure it’s coming from the zero-trust platform. Some legacy systems are so awful that they don’t even have a username and password, Ozin says. “But nobody can get to it except through the gatekeepers.”
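The gatekeeper pattern Ozin describes, as an added illustration that is not PIB Group's code: the wrapper performs the checks the legacy application cannot (is there an authenticated user, did they pass a second factor, is the client coming from a recognized location), and the legacy side keeps its one native control, an allowlist that accepts connections only from the gatekeeper's own address. All addresses and the set of recognized locations are constructed for the example.

```python
"""Zero-trust gatekeeper in front of a legacy app that only understands IP allowlisting."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed values: the gatekeeper's egress address and the locations it recognises
# (office egress and corporate VPN pool, drawn from documentation address ranges).
GATEKEEPER_EGRESS = ipaddress.ip_address("10.50.0.10")
RECOGNISED_LOCATIONS = [
    ipaddress.ip_network("203.0.113.0/24"),   # office egress
    ipaddress.ip_network("198.51.100.0/24"),  # corporate VPN pool
]


@dataclass
class Request:
    user: Optional[str]   # None means no authenticated identity
    mfa_passed: bool      # second factor completed for this session
    client_ip: str        # address the end user is connecting from


def gatekeeper_decision(req: Request) -> Tuple[bool, str]:
    """The checks the legacy system cannot do itself: identity, second factor, location."""
    if req.user is None:
        return False, "unauthenticated"
    if not req.mfa_passed:
        return False, "mfa-required"
    client = ipaddress.ip_address(req.client_ip)
    if not any(client in net for net in RECOGNISED_LOCATIONS):
        return False, "unrecognised-location"
    return True, "forward"


def legacy_accepts(source_ip: str) -> bool:
    """The only control the legacy app has: is the connection coming from the gatekeeper?"""
    return ipaddress.ip_address(source_ip) == GATEKEEPER_EGRESS


def handle(req: Request) -> str:
    """End-to-end flow: the gatekeeper decides, then forwards from its own egress address."""
    ok, reason = gatekeeper_decision(req)
    if not ok:
        return "denied-by-gatekeeper:" + reason
    # The legacy system sees the gatekeeper, never the original client.
    return "served" if legacy_accepts(str(GATEKEEPER_EGRESS)) else "denied-by-legacy"


if __name__ == "__main__":
    print(handle(Request("alice", True, "203.0.113.5")))     # served
    print(handle(Request("alice", False, "203.0.113.5")))    # denied: mfa-required
    print(legacy_accepts("192.0.2.77"))                      # False: direct access bypassing the gatekeeper
```

The value of the pattern is in the last line: a client that reaches the legacy host directly, skipping the gatekeeper, is refused because its source address is not the gatekeeper's, so the legacy allowlist only ever has to trust one address.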

The pandemic was a major motivation to moving to zero trust, as was the company’s rapid growth, though the pandemic was over by the time PIB began rolling out zero trust. “My plan is to get rid of every single legacy system we’ve got,” says Ozin. “But, in reality, that’s never going to happen. In six years’ time it wouldn’t surprise me if I’m still running it.”

But it takes resources and money to upgrade everything. “We’ve decided to do it on certain high-risk items to start with,” he says.

2. IoT devices

Ozin says there are loads of IoT devices in the organization: “I’ve got IoT I don’t even know about.” This is a problem, especially when, for example, a local office decides to put in a door entry system without talking to anyone first. “They’re installing it, and the guy says, ‘Can I get the WiFi access key to the network?’ And someone might give it to them,” says Ozin.

Without zero trust on all the WiFi gateways, the company is using a workaround–a separate network for unapproved devices that doesn’t have access to any corporate data. PIB also has tools in place that let it audit the main network to make sure that only approved devices are connected to it.

Gartner’s Watts agrees that IoT and OT can pose security challenges for companies. “It is more difficult to implement a zero-trust posture for those devices and systems. They have less assurances for identity.” If there’s no user, then there’s no user account, he says. “There’s no good way to authenticate if something should be on the network. It becomes a difficult problem to solve.”

Some companies will exclude IoT and OT from their zero trust scope because they can’t address this problem, Watts says. Some vendors, however, will help companies secure these systems, he says. In fact, Gartner has published a market guide for securing cyber-physical systems that includes Armis, Claroty, and Dragos. “But once you implement these technologies, you have to put more trust in the vendors. If they have their own vulnerabilities and challenges, attackers will find a weakness,” Watts tells CSO.

3. Privileged access

The insider threat risk is a problem for all companies. Zero trust won’t help in cases where a privileged insider may have valid permission to access sensitive resources, because this employee is trusted.

Other technologies can reduce the risk, says Ozin. “Someone might have all the privileges but are they suddenly on the internet at 3 am? You can put behavioral analytics next to the zero trust to catch that. We use that as part of our EDR [endpoint detection and response] and as part of our Okta login. We also have a data loss prevention program–are they doing 60 pages of printing when they don’t usually print anything?”

Insider threats are a major residual risk after zero trust controls have been implemented, says Gartner’s Watts. In addition, trusted insiders can be tricked into leaking data or allowing attackers into systems by social engineering. “Insider threats and account takeover attacks are the two risks that remain in a perfect zero trust world,” he says.

Then there’s business email compromise, where people with access to company money are fooled into sending the funds to the bad guys. “A business email compromise could be a deep fake that calls a member of the organization and asks them to wire money to another account,” says Watts. “And none of that actually touches any of your zero trust controls.” To deal with this, companies should limit user access so that if a user is compromised the damage is minimized. “With a privileged account, this is difficult,” he says. User and entity behavior analytics can help detect insider threats and account takeover attacks. The key is to deploy the technology intelligently, so that false positives don’t completely stop someone from doing their job.

For example, anomalous activity could trigger adaptive control, like changing access to read-only, or blocking access to the most sensitive applications. Companies need to ensure that they don’t give too much access to too many users. “It’s not just a technology problem. You have to have the people and processes to support it,” Watts says.
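Ozin's two behavioural signals (a privileged account active at 3 am, a user printing 60 pages when they normally print nothing) and Watts's graded response (adaptive controls such as read-only access rather than a hard lockout) fit together in one small detection loop. The code below is an added example, not PIB's or Gartner's tooling; the audit records, the per-user print baselines, the working-hours window and the spike factor are all constructed for illustration.

```python
"""Behavioural checks layered next to zero-trust access controls, with graded responses."""
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed audit records, not real logs: (timestamp, user, action, pages printed)
EVENTS = [
    ("2024-05-06T09:12:00", "admin-jo", "login", 0),
    ("2024-05-06T09:40:00", "admin-jo", "print", 2),
    ("2024-05-07T03:05:00", "admin-jo", "login", 0),    # privileged account, 3 am
    ("2024-05-07T03:09:00", "admin-jo", "print", 60),   # 60 pages from a user who prints ~2
    ("2024-05-07T10:00:00", "analyst-k", "login", 0),
    ("2024-05-07T10:30:00", "analyst-k", "print", 3),
]
PRIVILEGED = {"admin-jo"}
# Per-user print baseline (pages per job), as if learned over prior weeks; constructed.
PRINT_BASELINE: Dict[str, float] = {"admin-jo": 2.0, "analyst-k": 4.0}
WORK_HOURS = range(7, 20)   # 07:00 to 19:59 local time; assumption for the example
SPIKE_FACTOR = 10           # a print job this many times the baseline is a DLP signal

# Responses ordered weakest to strongest: limit what a still-trusted account can do,
# instead of locking it out and stopping legitimate work (Watts's false-positive concern).
RESPONSES = {
    "off-hours-privileged-login": "downgrade-to-read-only",
    "print-volume-spike": "block-sensitive-apps",
}
SEVERITY = ["downgrade-to-read-only", "block-sensitive-apps"]


def detect(events) -> List[Tuple[str, str, str]]:
    """Return (user, timestamp, finding) for each event that breaks the user's pattern."""
    findings = []
    for ts, user, action, pages in events:
        hour = datetime.fromisoformat(ts).hour
        if user in PRIVILEGED and action == "login" and hour not in WORK_HOURS:
            findings.append((user, ts, "off-hours-privileged-login"))
        if action == "print" and pages >= SPIKE_FACTOR * PRINT_BASELINE.get(user, 1.0):
            findings.append((user, ts, "print-volume-spike"))
    return findings


def adaptive_controls(findings) -> Dict[str, str]:
    """Map each user's findings to the single strongest adaptive control to apply."""
    per_user: Dict[str, str] = {}
    for user, _, kind in findings:
        control = RESPONSES[kind]
        current = per_user.get(user)
        if current is None or SEVERITY.index(control) > SEVERITY.index(current):
            per_user[user] = control
    return per_user


if __name__ == "__main__":
    found = detect(EVENTS)
    for f in found:
        print(f)
    print(adaptive_controls(found))   # {'admin-jo': 'block-sensitive-apps'}
```

Note what the zero-trust layer alone would have seen: admin-jo authenticated correctly both days, so every request was authorized. Only the comparison against the account's own history separates the 3 am session from the 9 am one.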

According to the Cybersecurity Insiders survey, 47% say that overprivileged employee access is a top challenge when it comes to deploying zero trust. In addition, 10% of companies say that all users have more access than they need, 79% say that some or a few users do, and only 9% say that no users have too much access. A Dimensional Research study, conducted on behalf of BeyondTrust, found that 63% of companies reported having identity issues in the last 18 months that were directly related to privileged users or credentials.

4. Third-party services

CloudFactory is an AI data company with 600 employees and 8,000 on-demand “cloud workers.” The company has fully adopted zero trust, the company’s head of security operations Shayne Green tells CSO. “We have to, because of the sheer number of users we support.”

Remote workers sign in with Google authentication, through which the company can apply its security policies, but there’s a gap, Green says. Some critical third-party service providers don’t support single sign-on or Security Assertion Markup Language (SAML) integration. As a result, workers can log in from an unapproved device using their username and password, he says. “Then there’s nothing to stop them from stepping outside our visibility.” Technology vendors are aware that this is a problem, according to Green, but they’re lagging and they need to step up.

CloudFactory isn’t the only company to have a problem with this, but vendor security issues go beyond what authentication mechanisms a vendor uses. For example, many companies expose their systems to third parties via APIs. It can be easy to overlook APIs when figuring out the scope of a zero-trust deployment.

You can take zero trust principles and apply them to APIs, says Watts. That can lead to a better security posture–but only to a certain extent. “You can only control the interface you expose and make available to the third party. If the third party doesn’t have good controls, that’s something you typically don’t have control over.” When a third party creates an app that allows their users access to their data the authentication on the client could be an issue. “If it’s not very strong, someone could steal the session token,” says Watts.

Companies can audit their third-party providers, but the audits are typically a one-time check or are performed on an ad-hoc basis. Another option is to deploy analytics that can detect when something being done is not approved, or is simply anomalous. A flaw in an API that is exploited might show up as one such anomalous event, Watts says.

5. New technologies and applications

According to a Beyond Identity survey of over 500 cybersecurity professionals in the US this year, handling new applications was the third biggest challenge to implementing zero trust, cited by 48% of respondents. Adding new applications isn’t the only change that companies might want to make to their systems. Some companies are constantly trying to improve their processes and improve the flow of communication, says John Carey, managing director of the technology solutions group at AArete, a global consulting firm. “This is at odds with the concept of data trust, which puts barriers in front of data moving around freely.”

That means that if zero trust is not implemented or architected correctly, there might be a hit to productivity, Carey says. One area this can happen is AI projects. Companies have an increasing number of options for creating customized, fine-tuned AI models specific for their businesses, including, most recently, generative AI.

The more information the AI has, the more useful it is. “With AI, you want it to have access to everything. That’s the purpose of AI, but if it is breached, you have a problem. And if it starts disclosing things you don’t want, it is a problem,” Martin Fix, technology director at technology consultant Star, tells CSO.

There’s a new attack vector, Fix says, called “prompt hacking,” where malicious users try to trick the AI into telling them more than they should by cleverly wording the questions they ask. One solution, he says, is to avoid training general-purpose AIs on sensitive information. Instead, this data could be kept separate, with an access control system in place that checks if the user asking the question is allowed access to this data. “The results might not be as good as with an uncontrolled AI. It requires more resources and more management.”
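The separation Fix describes, as an added example that is neither Star's nor any vendor's code: unlabelled documents can feed a general-purpose assistant, while labelled records stay in a separate store whose retrieval step checks the asker's entitlements before any text reaches the model. Because the check runs on the record's labels rather than on the wording of the question, a cleverly phrased prompt has nothing to work with; the restricted text is never in the model's context. The corpus, labels and entitlement table are constructed for the example.

```python
"""Entitlement-gated retrieval: sensitive records are filtered before the model sees them."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Doc:
    doc_id: str
    text: str
    labels: FrozenSet[str]   # empty set = general information; otherwise required entitlements


# Constructed corpus for the example.
CORPUS = [
    Doc("d1", "Office opening hours are 8 to 6.", frozenset()),
    Doc("d2", "Salary band for grade 7 is confidential to HR.", frozenset({"hr"})),
    Doc("d3", "Acquisition target list for Q3.", frozenset({"m-and-a", "exec"})),
]
# Constructed entitlements: which labels each user may read.
ENTITLEMENTS = {
    "alice": frozenset({"hr"}),
    "bob": frozenset(),
}


def split_corpus(corpus: List[Doc]) -> Tuple[List[str], List[str]]:
    """General docs may go to the general-purpose model; labelled docs stay in the gated store."""
    general = [d.doc_id for d in corpus if not d.labels]
    gated = [d.doc_id for d in corpus if d.labels]
    return general, gated


def retrieve(user: str, query: str, corpus: List[Doc]) -> List[str]:
    """Return ids of docs that match the query AND whose every label the user holds."""
    allowed = ENTITLEMENTS.get(user, frozenset())
    terms = query.lower().split()
    hits = []
    for d in corpus:
        if not d.labels <= allowed:     # entitlement check happens before any text is used
            continue
        if any(t in d.text.lower() for t in terms):
            hits.append(d.doc_id)
    return hits


def build_prompt(user: str, query: str, corpus: List[Doc]) -> str:
    """Assemble the model context from gated retrieval only; nothing else is ever included."""
    ids = set(retrieve(user, query, corpus))
    context = "\n".join(d.text for d in corpus if d.doc_id in ids)
    return "Context:\n" + context + "\n\nQuestion: " + query


if __name__ == "__main__":
    print(split_corpus(CORPUS))                          # (['d1'], ['d2', 'd3'])
    print(retrieve("bob", "salary band", CORPUS))        # []  bob holds no 'hr' entitlement
    print(retrieve("alice", "salary band", CORPUS))      # ['d2']
    print(build_prompt("bob", "salary band", CORPUS))    # context is empty for bob
```

As Fix notes, answers from the gated path will be narrower than from a model trained on everything, and the entitlement table becomes one more thing to manage; the trade is that a breach of the assistant, or a manipulated prompt, exposes only what the asking user was already allowed to read.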

The underlying issue here is that zero trust changes how companies work. “Vendors say it’s easy. Just put in some edge security where your people come in. No, it’s not easy. And the complexity of zero trust is just beginning to come out,” Deepak Mathur, zero trust leader for the US at KPMG, tells CSO. That’s one big flaw that zero trust never talks about, he says. There are process changes that have to happen when companies implement zero trust technologies. Instead, too often, it’s just taken for granted that people will fix processes.
