
Zero Trust’s Blind Spot

How proactive cyber hygiene preserves the Zero Trust initiative

Like so many IT challenges today, Zero Trust is a lot easier to define than it is to implement. 

Essentially, Zero Trust requires that every entity that might access business data establishes its trustworthiness and permission to do so, every single time it seeks access. Trust is never assumed, and all points of access — mobile devices, desktops, virtual machines, and so on — are monitored and fortified whether they’re internal or external to the company.

An IT security framework in which none of the entities that might access or use business data are assumed to be trustworthy — whether they reside inside or outside the security perimeter. Zero Trust depends on visibility and controls to monitor and protect every device, user, application, and network.

Zero Trust, a term coined by Forrester analyst John Kindervag in 2010, arose as a response to increasingly diverse cyber threats and rapidly changing IT architectures. As mobile workforces and cloud services proliferated, IT leaders found themselves with a frustrating lack of visibility and control, and potentially thousands more attack surfaces to worry about.

The old “castle and moat” approach to security, which came about back when businesses could count on physical servers wired into company-owned buildings, began to fail. A new framework was needed. 

One of the most important aspects about Zero Trust is that it is so relevant to organizations’ current digital journeys. As enterprises and smaller companies around the world embark on cloud and digital transformation initiatives, Zero Trust provides a blueprint for what security should look like once they’ve done the transforming.

Zero Trust is a welcome and widely accepted way of thinking — but it isn’t a one-stop solution for every modern security problem.

In fact, Zero Trust only works when an organization concurrently adopts strong security protocols — fundamentals that many IT teams are still struggling with.

A popular analogy for Zero Trust involves a house and a key. Imagine that you get a key to the front door. In traditional security, that key means that you can probably access any room you want once your house key has been validated. You can look around freely. You can steal a cookie or two. 

But a Zero Trust framework says, “Oh, no, you don’t.” Suddenly that key won’t get you into all the rooms. It might only work for one of them — or maybe it only works for the entryway. 

And here’s the important part: In this scenario, Zero Trust applies even if you’re the owner of the house.               

Typically, organizations embarking on a Zero Trust initiative follow a few familiar guidelines.

No assumption of safety: Verification is explicit and mandatory no matter the user, every single time. No door key, no room entry — even if someone else has invited you.

Least privileged access: Your access to assets is limited to what you need and nothing more. If you don’t need to be down in the basement, you’re not permitted there.

Just-in-time access: Your access to assets expires promptly once you stop needing them — no more hanging on to admin credentials you received months or years ago and no longer use. Your key worked two weeks ago, but that doesn’t mean it will today.
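The three guidelines above, written out as one access decision a gateway or policy engine could run on every request. This is an added example, not code from the original page or from Automox; the request and grant shapes, the subject names, and the timestamps are constructed assumptions rather than any vendor's API.

```python
"""Zero Trust access decision, reduced to one function.

Added example, not part of the original page: it turns the three
guidelines (explicit verification every time, least privilege,
just-in-time expiry) into a per-request policy decision. The Request
and Grant shapes and all sample data are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    """A scoped, time-boxed permission issued to one subject."""
    subject: str
    resource: str                 # the one "room" this key opens
    actions: frozenset[str]       # least privilege: only what was asked for
    expires_at: datetime          # just-in-time: lapses without anyone revoking it


@dataclass(frozen=True)
class Request:
    subject: str
    resource: str
    action: str
    device_id: str
    mfa_verified: bool            # proven for this request, not a cached session flag
    device_compliant: bool        # posture result from the endpoint agent
    now: datetime


def decide(req: Request, grants: list[Grant]) -> tuple[bool, str]:
    """Return (allowed, reason). Default is deny; every allow has an explicit cause."""
    # 1. No assumption of safety: identity and device are checked on every call,
    #    even for the "owner of the house".
    if not req.mfa_verified:
        return False, "identity not verified for this request"
    if not req.device_compliant:
        return False, f"device {req.device_id} failed posture check"

    # 2. Least privilege: a grant must name this exact resource and this exact action.
    matching = [
        g for g in grants
        if g.subject == req.subject
        and g.resource == req.resource
        and req.action in g.actions
    ]
    if not matching:
        return False, f"no grant for {req.action} on {req.resource}"

    # 3. Just-in-time: an expired grant is treated exactly like no grant.
    if not any(g.expires_at > req.now for g in matching):
        return False, "grant expired; request a fresh one"

    return True, "allowed"


# --- constructed scenarios (assumed data, not real accounts) ----------------
NOW = datetime(2024, 3, 25, 9, 0, tzinfo=timezone.utc)

GRANTS = [
    # Alice may only read the finance database, for the next two hours.
    Grant("alice", "finance-db", frozenset({"read"}), NOW + timedelta(hours=2)),
    # The CEO's admin grant on the same database was issued months ago and has lapsed.
    Grant("ceo", "finance-db", frozenset({"read", "write", "admin"}), NOW - timedelta(days=90)),
]


def run_scenarios() -> dict[str, tuple[bool, str]]:
    """Evaluate a handful of requests against GRANTS, keyed by scenario name."""
    base = dict(resource="finance-db", device_id="laptop-1",
                mfa_verified=True, device_compliant=True, now=NOW)
    return {
        "alice_read": decide(Request(subject="alice", action="read", **base), GRANTS),
        "alice_write": decide(Request(subject="alice", action="write", **base), GRANTS),
        "alice_no_mfa": decide(Request(subject="alice", action="read",
                                       **{**base, "mfa_verified": False}), GRANTS),
        "alice_bad_device": decide(Request(subject="alice", action="read",
                                           **{**base, "device_compliant": False}), GRANTS),
        "ceo_stale_admin": decide(Request(subject="ceo", action="admin", **base), GRANTS),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:18} {'ALLOW' if ok else 'DENY ':5} {why}")
```

The order of the checks is the point: identity and device posture are evaluated before any grant is consulted, a grant that does not name the exact action is no grant at all, and the CEO's stale admin grant is denied for the same reason a contractor's would be.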

Cold reality: You can’t always trust employees.
Many mature enterprises have some kind of end-to-end security model, but adherence is often uncertain and complacency is common.

This is a leading reason for Zero Trust: When cybersecurity and its management are entrusted solely to human operators, they can’t necessarily be depended on.

It isn’t just that some employees go rogue and actively misuse or compromise data (though that happens more than you’d think). Even the well-meaning guardians of your business assets can become unwitting accomplices to hackers and other bad actors. For example, according to SANS Institute, insider attacks are almost as problematic as external threats, and accidental publication of confidential information is surprisingly prevalent.

The rise of the mobile workforce, cloud and digital transformation, as-a-service IT, and other new ways of doing business have pushed many organizations toward Zero Trust and highlighted the inadequacy of their legacy security practices.

Traditional virtual private networks (VPNs) are a good example of how new workforces and IT architectures are changing security — and why something like Zero Trust has become so important. 

If you’re like many businesses, you might currently be trading a VPN for cloud computing, often allowing some degree of Bring Your Own Device (BYOD) along the way. As a result, you’re left with many more points of trust-checking to worry about. Each endpoint’s security vulnerability might differ in type and severity. 

Contrast that with a VPN breach. Once a VPN is compromised in a traditional security deployment, the scope can be massive, since the VPN connection is a stand-in for trust with huge amounts of data, applications, etc. Your single point of trust has failed, so no trust can be assumed anywhere. 

You can already see the security challenge we’re left with in a Zero Trust model: Many more points of trust that differ from each other. And while Zero Trust is better suited for modern, distributed workforces on a conceptual level, it doesn’t actually mitigate this increased quantity of vulnerabilities — it just helps us see it.

What’s the solution? A set of security fundamentals that we call cyber hygiene.

For Zero Trust to work, companies need to adopt a systemic security posture that addresses every device, user, and asset, and proactively addresses challenges that human operators are notoriously poor at overseeing.

More than 2/3 of security professionals admit taking a month or more to fix known software vulnerabilities.

Patch management, configuration drift, software deployment — these issues routinely bleed organizations of resources and distract IT leaders from the strategy and innovation they should be focusing on.

They are perennial security risks, but now they can also threaten the Zero Trust initiatives in which management has already invested so much.

Cyber hygiene applies routine security processes such as malware scanning, credential rotation, patching, and configuration management to reduce both the likelihood and the impact of breaches, whether they come from commodity malware or from APTs. It encompasses all data and endpoints in the IT environment, proactively managing them with automation rather than slow and fallible human intervention.

The Center for Internet Security (CIS) publishes the most widely used guidelines for cyber hygiene. Its CIS Controls®, which have gone through several versions, begin with six basic controls that CIS itself describes as cyber hygiene. These controls are practical and actionable, and they are relevant to almost any organization's IT ecosystem, especially one adopting Zero Trust.

These controls, in CIS's own numbering, are:

  • Inventory and control of hardware assets

  • Inventory and control of software assets

  • Continuous vulnerability management

  • Controlled use of administrative privileges

  • Secure configuration for hardware and software on mobile devices, laptops, workstations, and servers

  • Maintenance, monitoring, and analysis of audit logs
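The hygiene processes described above and the first three controls in the list (hardware inventory, software inventory, continuous vulnerability management), as one report a team could run against its own data. This is an added example, not code from the page, from CIS, or from Automox; the inventory, the advisories, the list of hosts seen on the network, and the seven-day remediation SLA are all constructed assumptions, and in practice the inputs would come from an endpoint agent and a vulnerability feed.

```python
"""Cyber hygiene check for CIS Controls 1-3: hardware inventory, software
inventory, continuous vulnerability management.

Added example, not from the page, CIS, or Automox. The inventory, the
advisories, the network-seen host list, and the 7-day remediation SLA are
all constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: tuple[int, ...]   # first version that carries the fix
    published: date             # the exposure clock starts when the fix is public


def parse_version(v: str) -> tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple ("2.3.31" -> (2, 3, 31))."""
    return tuple(int(part) for part in v.split("."))


def unknown_assets(seen_on_network: set[str], inventory: dict[str, dict[str, str]]) -> set[str]:
    """Control 1: hosts that talk on the network but have no inventory record."""
    return seen_on_network - set(inventory)


def exposure_report(inventory, advisories, today, sla_days=7):
    """Control 3: for every inventoried host, list unpatched packages with the
    number of days since the fix was published and whether that exceeds the SLA."""
    findings = []
    for host, packages in sorted(inventory.items()):
        for adv in advisories:
            installed = packages.get(adv.package)
            if installed is None:
                continue  # Control 2: a package you do not inventory cannot be judged
            if parse_version(installed) >= adv.fixed_in:
                continue  # already at or above the fixed version
            days_exposed = (today - adv.published).days
            findings.append({
                "host": host, "package": adv.package, "installed": installed,
                "days_exposed": days_exposed, "overdue": days_exposed > sla_days,
            })
    return findings


def summarize(inventory, advisories, seen_on_network, today, sla_days=7):
    """Roll the two checks up into the numbers a dashboard would show."""
    findings = exposure_report(inventory, advisories, today, sla_days)
    return {
        "unknown_hosts": sorted(unknown_assets(seen_on_network, inventory)),
        "findings": len(findings),
        "overdue": sum(1 for f in findings if f["overdue"]),
        "overdue_hosts": sorted({f["host"] for f in findings if f["overdue"]}),
    }


# --- constructed sample data (assumed package names and versions) -----------
TODAY = date(2024, 3, 25)

ADVISORIES = [
    Advisory("web-framework", fixed_in=(2, 3, 32), published=date(2024, 3, 1)),
    Advisory("tls-lib", fixed_in=(3, 0, 8), published=date(2024, 3, 20)),
]

INVENTORY = {
    "ws-001": {"web-framework": "2.3.31", "tls-lib": "3.0.8"},
    "srv-010": {"web-framework": "2.3.32", "tls-lib": "3.0.7"},
    "srv-011": {"tls-lib": "3.0.5"},
}

SEEN_ON_NETWORK = {"ws-001", "srv-010", "srv-011", "printer-07"}

if __name__ == "__main__":
    for f in exposure_report(INVENTORY, ADVISORIES, TODAY):
        flag = "OVERDUE" if f["overdue"] else "ok"
        print(f'{f["host"]:8} {f["package"]:14} {f["installed"]:8} {f["days_exposed"]:3}d {flag}')
    print(summarize(INVENTORY, ADVISORIES, SEEN_ON_NETWORK, TODAY))
```

Two things the report makes visible that a patch tool alone does not: a host that is on the network but not in the inventory (printer-07 here) never appears in any vulnerability finding, which is why Control 1 comes first, and the SLA is measured from the day the fix was published, not from the day someone noticed, which is the clock that statistics like "a month or more to fix known vulnerabilities" are really counting.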

A much more detailed discussion of CIS Controls and cyber hygiene is available in our eBook, Avert Cyber Attacks with Proactive Endpoint Hardening. Some of these controls are already included in many organizations' defense-in-depth strategies, though they are usually shortchanged in favor of other priorities, much to companies' detriment. (The 2017 Equifax breach, after all, came through an Apache Struts vulnerability, CVE-2017-5638, for which a patch had been available for months.) But as any company embraces Zero Trust, it is going to run into these issues sooner or later.

Imagine the steady stream of cyberattacks that most companies face today. These vary in type and sophistication, but they arrive more or less regularly. And they get more sophisticated each year.

Now imagine that, instead of building the strongest shield possible for when they hit you (a relic of the legacy castle and moat approach), you can avoid most of them so that they don’t impact your organization.

That’s the move proactive cyber hygiene allows you to make.

So many organizations are locked in a mindset of “I have to address the threats that reach us” rather than “Let’s remove the systemic exposure so they never get here” — but when you adopt cyber hygiene and remove your exposure, every part of your security system gets better. Distributed devices and workloads get easier. And Zero Trust becomes more attainable. 

These issues might be nominally included in an organization’s current end-to-end security plans, but they are large workloads that are seldom addressed correctly. Consider the growing device footprints, various operating systems (OS) and device types, etc., that characterize corporate IT environments today. The number of variables and systems can be overwhelming, and most organizations are unable to stay on top of all of them.

This is one reason why 44% of cybersecurity professionals are not confident that their organization can avoid a breach.

As businesses start to adopt Zero Trust, cyber hygiene factors might not be top of mind — but they will probably become pain points downstream.

Automox is the only cloud-native, easy-to-use platform for modern IT operations, with native support for Microsoft® Windows®, macOS®, and Linux® from a single console. It enables continuous connectivity for local, cloud-hosted, and remote endpoint fleets with no need for on-premises infrastructure or tunneling back to the corporate network. 

In other words, Automox can help relieve the pain points inherent in a successful Zero Trust initiative (and cybersecurity more generally). It does this automatically and affordably.

With Automox:

  • Patching and configuration management take place with automation and speed

  • IT has single-pane visibility into every endpoint, software, hardware, and OS in use. 

  • IT environments are free of obsolete architectures and systems.

  • Remediations take place inside of a week, not the still-typical 100+ days.

For organizations under modernization and digital transformation pressures, Automox can be a powerful and resource-saving ally. It can remove an important pain point before the organization gets there, preserving the Zero Trust initiative and creating a sustainable, systemic cyber hygiene and security posture.

Many organizations place Zero Trust a step removed from patch management, configuration management, and other facets of cybersecurity. Within the Zero Trust model, however, these are tightly coupled, and the initiative can only succeed if good cybersecurity hygiene is practiced.

Cloud-native, software as a service (SaaS) endpoint security and management is a natural part of Zero Trust — or any modern IT ecosystem. In recent years, Automox has watched the progression toward Zero Trust with excitement — but also with wariness since some organizations are setting their Zero Trust initiatives up for failure by not devoting the necessary resources to security fundamentals. 

Ready to get started? See how Automox makes IT operations radically efficient.
Request a demo today.
