Debanjali Ghosh, the Technical Evangelist at ManageEngine, says companies are adopting various technologies to improve their security posture and reduce the risk of a breach

How has the Zero Trust Network Architecture evolved since it was first coined in 2010?
Initially introduced as the concept of de-perimeterisation by Jericho Forum in 2003, it has since evolved into the current Zero Trust model, a term coined by Forrester analyst John Kindervag. Today’s Zero Trust Network Access (ZTNA) is a comprehensive approach to network security that goes beyond access control to incorporate advanced threat detection and response capabilities such as behavioral analytics, machine learning, and artificial intelligence.

The increasing adoption of cloud-based ZTNA solutions has provided organizations with greater scalability, flexibility, and cost-effectiveness compared to traditional on-premise solutions, allowing them to extend their security perimeter to cover all their devices, applications, and services. The continuous improvement of Zero Trust has evolved beyond micro-segmentation and software-defined perimeter into adaptive identity-based security solutions.

Do you believe that technologies that support zero trust are moving into the mainstream?
The Zero Trust security model, which relies on several key technologies including MFA and IAM is becoming increasingly mainstream. As organizations recognize the need for stronger security measures to protect their data and systems, many. In addition, many vendors are now offering Zero Trust solutions and integrating Zero Trust principles into their products. As the threat landscape continues to evolve, it is likely that Zero Trust will become even more widely adopted in the coming years.

Do you believe that enterprise IT departments today require a new way of thinking because the castle itself no longer exists in isolation as it once did?
The traditional idea of an enclosed network within a building is no longer applicable due to recent trends such as cloud computing, IoT, BYOD, and hybrid work. These trends have brought new threats, making traditional security perimeters inadequate for comprehensive network security. With hybrid work, security professionals need to change their approach towards perimeter-based security models, where everyone within the corporate perimeter is trusted by default.

Zero Trust emerges as a solution to this problem. The Zero Trust security model considers all resources as untrusted and requires strict authentication for access. In this model, trust is based on fine-grained access control and contextual authentication, ensuring that all inbound traffic and systems are authenticated before access is granted.

How can companies get started with zero trust?
The enterprise should decide on the migration strategy depending on its current cybersecurity posture. Most organizations do not realize that they already have elements of Zero Trust in their security infrastructure. The enterprise needs to have complete information about its resources and infrastructure to align with the tenets of Zero Trust. The enterprise has to identify the workflows and then map their transaction flows.

One of the foundational elements of zero trust is identity and access controls. Companies can start by implementing multi-factor authentication, role-based access controls, and continuous authentication to ensure that only authorized users have access to critical data and assets. The Zero Trust journey begins by adhering to the principles, building the infrastructure, and putting in place the components required for the enterprise’s secure operation.

Industry experts have warned that cyber-attacks will be focused on techniques that zero trust controls can’t mitigate. What according to you can be done to address this?
Zero trust controls provide a robust foundation for network security, but a comprehensive and adaptive approach is required for complete protection against all cyber threats. To enhance security, organizations must adopt a multi-layered approach that includes advanced threat detection and response capabilities such as behavioral analytics, machine learning, and artificial intelligence. Regular testing and evaluation of security controls are necessary to ensure they function correctly.

What, according to you, are the limitations of zero trust?
The Zero Trust security model can help reduce the risk of cyberattacks, but the complete elimination of risk is not realistic. There are challenges to implementing Zero Trust, such as policy gaps created by legacy solutions. Proper training of cybersecurity professionals is necessary to configure and monitor the policy engines. Denial-of-Service attacks can disrupt enterprise operations by blocking traffic to policy enforcement points.

Attackers target metadata stored by security analytic solutions to gain insights into the enterprise architecture. Zero Trust architecture relies on artificial intelligence and software-based agents, but authentication of these components is an issue. Attackers can launch botnet attacks by gaining access to software agent credentials.