Other technologies can reduce the risk, says Ozin. “Someone might have all the privileges but are they suddenly on the internet at 3 am? You can put behavioral analytics next to the zero trust to catch that. We use that as part of our EDR [endpoint detection and response] and as part of our Okta login. We also have a data loss prevention program: are they doing 60 pages of printing when they don’t usually print anything?”
Insider threats are a major residual risk after zero trust controls have been implemented, says Gartner’s Watts. In addition, trusted insiders can be tricked into leaking data or allowing attackers into systems by social engineering. “Insider threats and account takeover attacks are the two risks that remain in a perfect zero trust world,” he says.
Then there’s business email compromise, where people with access to company money are fooled into sending the funds to the bad guys. “A business email compromise could be a deepfake that calls a member of the organization and asks them to wire money to another account,” says Watts. “And none of that actually touches any of your zero trust controls.” To deal with this, companies should limit user access so that if a user is compromised, the damage is minimized. “With a privileged account, this is difficult,” he says. User and entity behavior analytics can help detect insider threats and account takeover attacks. The key is to deploy the technology intelligently, so that false positives don’t stop someone from doing their job.
For example, anomalous activity could trigger adaptive control, like changing access to read-only, or blocking access to the most sensitive applications. Companies need to ensure that they don’t give too much access to too many users. “It’s not just a technology problem. You have to have the people and processes to support it,” Watts says.
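The adaptive control described above, and the two signals Ozin mentions (a 3 am login, an unusual print volume), as an added example that is not part of the original article and not code from any of the companies quoted. The baseline profile, the scoring weights and the three-step response (allow, read-only, block) are assumptions chosen to illustrate the idea; a real deployment would learn the profile from historical logs and tune the thresholds to keep false positives from locking users out.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass
class Baseline:
    """Constructed per-user profile (hypothetical, not from the article):
    the hours the user normally signs in and recent daily print-page counts."""
    usual_login_hours: frozenset
    daily_print_pages: list


@dataclass
class Event:
    user: str
    when: datetime
    print_pages: int = 0
    resource: str = "normal"  # "normal" or "sensitive" application


def anomaly_score(event: Event, baseline: Baseline):
    """Return (score, reasons). Each independent signal adds 2 points; the
    reasons list keeps the decision explainable to the analyst who reviews it."""
    score, reasons = 0, []
    if event.when.hour not in baseline.usual_login_hours:
        score += 2
        reasons.append("login outside usual hours")
    if baseline.daily_print_pages:
        mu = mean(baseline.daily_print_pages)
        sd = pstdev(baseline.daily_print_pages)
        # Floor the deviation at one page so a near-constant history of zero
        # printing does not flag a single routine page as an anomaly.
        threshold = mu + 3 * max(sd, 1.0)
        if event.print_pages > threshold:
            score += 2
            reasons.append(f"print volume {event.print_pages} exceeds threshold {threshold:.1f}")
    return score, reasons


def adaptive_decision(event: Event, baseline: Baseline) -> str:
    """Graduated response: one weak signal on an ordinary app degrades access to
    read-only rather than blocking; two signals, or any signal on a sensitive
    app, blocks. This is what keeps a lone false positive from stopping work."""
    score, _ = anomaly_score(event, baseline)
    if score == 0:
        return "allow"
    if score >= 4 or event.resource == "sensitive":
        return "block"
    return "read-only"


# Constructed sample profile: signs in 08:00-18:59, almost never prints.
ALICE = Baseline(usual_login_hours=frozenset(range(8, 19)),
                 daily_print_pages=[0, 0, 1, 0, 2, 0, 0])

if __name__ == "__main__":
    samples = [
        Event("alice", datetime(2024, 5, 6, 10, 0)),
        Event("alice", datetime(2024, 5, 6, 3, 0)),
        Event("alice", datetime(2024, 5, 6, 3, 0), resource="sensitive"),
        Event("alice", datetime(2024, 5, 6, 3, 0), print_pages=60),
    ]
    for ev in samples:
        score, reasons = anomaly_score(ev, ALICE)
        print(f"{ev.when:%H:%M} {ev.resource:9} pages={ev.print_pages:3} -> "
              f"{adaptive_decision(ev, ALICE):9} {reasons}")
```

The three-way decision is the point: a single off-hours login to an ordinary application costs the user write access rather than their session, while the same login combined with a print spike, or aimed at a sensitive application, is blocked outright.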
According to the Cybersecurity Insiders survey, 47% say that overprivileged employee access is a top challenge when it comes to deploying zero trust. In addition, 10% of companies say that all users have more access than they need, 79% say that some or a few users do, and only 9% say that no users have too much access. A Dimensional Research study, conducted on behalf of BeyondTrust, found that 63% of companies reported having identity issues in the last 18 months that were directly related to privileged users or credentials.
4. Third-party services
CloudFactory is an AI data company with 600 employees and 8,000 on-demand “cloud workers.” The company has fully adopted zero trust, the company’s head of security operations Shayne Green tells CSO. “We have to, because of the sheer number of users we support.”
Remote workers sign in with Google authentication, through which the company can apply its security policies, but there’s a gap, Green says. Some critical third-party service providers don’t support single sign-on or Security Assertion Markup Language (SAML) integration. As a result, workers can log in from an unapproved device using their username and password, he says. “Then there’s nothing to stop them from stepping outside our visibility.” Technology vendors are aware that this is a problem, according to Green, but they’re lagging and they need to step up.
CloudFactory isn’t the only company to have a problem with this, but vendor security issues go beyond what authentication mechanisms a vendor uses. For example, many companies expose their systems to third parties via APIs. It can be easy to overlook APIs when figuring out the scope of a zero-trust deployment.
You can take zero trust principles and apply them to APIs, says Watts. That can lead to a better security posture, but only to a certain extent. “You can only control the interface you expose and make available to the third party. If the third party doesn’t have good controls, that’s something you typically don’t have control over.” When a third party builds an app that gives its users access to the data, authentication on the client could be an issue. “If it’s not very strong, someone could steal the session token,” says Watts.
Companies can audit their third-party providers, but the audits are typically a one-time check or are performed on an ad-hoc basis. Another option is to deploy analytics that can detect when something is being done that is not approved, and more generally to detect anomalous events. A flaw in an API that is being exploited might show up as one such anomalous event, Watts says.
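Applying zero trust principles to an exposed API, and the analytics Watts describes for spotting anomalous events, as an added example that is not part of the original article or any vendor's product. The endpoints, scopes, partner tokens and request log are all constructed for illustration. Every request is authorized on its own (known endpoint, unexpired token, the one scope that endpoint requires), and the log scan flags two patterns that probing or exploitation of an API flaw tends to produce: a partner calling an endpoint it has never used, and a burst of denied calls.

```python
from collections import defaultdict

# Constructed least-privilege map (hypothetical API): each exposed endpoint
# names the single scope a third-party token must carry to call it.
ENDPOINT_SCOPES = {
    ("GET", "/v1/orders"): "orders:read",
    ("POST", "/v1/orders"): "orders:write",
    ("GET", "/v1/customers/export"): "customers:export",
}


def authorize(token: dict, method: str, path: str, now: int):
    """Per-request decision with no implicit trust carried over from earlier
    calls. Returns (allowed, reason) so denials can be counted and explained."""
    required = ENDPOINT_SCOPES.get((method, path))
    if required is None:
        return False, "unknown endpoint"
    if token.get("exp", 0) <= now:
        return False, "token expired"
    if required not in token.get("scopes", ()):
        return False, "scope missing"
    return True, "ok"


def detect_api_anomalies(requests, baseline_endpoints, max_denied=3):
    """Scan a request log against each client's known endpoint set. A first
    use of an endpoint is reported once; repeated denials are reported when
    the count reaches max_denied. The baseline passed in is not modified."""
    seen = {client: set(eps) for client, eps in baseline_endpoints.items()}
    denied = defaultdict(int)
    findings = []
    for req in requests:
        client = req["token"]["client"]
        ok, reason = authorize(req["token"], req["method"], req["path"], req["ts"])
        endpoint = (req["method"], req["path"])
        if ok and endpoint not in seen.setdefault(client, set()):
            seen[client].add(endpoint)
            findings.append((client, "first use of endpoint", f"{req['method']} {req['path']}"))
        if not ok:
            denied[client] += 1
            if denied[client] == max_denied:
                findings.append((client, "repeated denials", reason))
    return findings


# Constructed sample: partner-a holds a read-only token and starts probing;
# partner-b is entitled to exports but has never called that endpoint before.
TOKEN_A = {"client": "partner-a", "scopes": {"orders:read"}, "exp": 2000}
TOKEN_B = {"client": "partner-b", "scopes": {"orders:read", "customers:export"}, "exp": 2000}
SAMPLE_BASELINE = {"partner-a": {("GET", "/v1/orders")}, "partner-b": {("GET", "/v1/orders")}}
SAMPLE_LOG = [
    {"ts": 1000, "token": TOKEN_A, "method": "GET", "path": "/v1/orders"},
    {"ts": 1001, "token": TOKEN_A, "method": "GET", "path": "/v1/customers/export"},
    {"ts": 1002, "token": TOKEN_A, "method": "POST", "path": "/v1/orders"},
    {"ts": 1003, "token": TOKEN_A, "method": "GET", "path": "/v1/admin"},
    {"ts": 1004, "token": TOKEN_B, "method": "GET", "path": "/v1/customers/export"},
]


def run_sample():
    return detect_api_anomalies(SAMPLE_LOG, SAMPLE_BASELINE)


if __name__ == "__main__":
    for client, kind, detail in run_sample():
        print(f"{client}: {kind} ({detail})")
```

The second finding is the one worth noting: partner-b's export call is fully authorized, so scope enforcement alone says nothing about it. Only the comparison with the partner's own history surfaces it, which is the sense in which analytics extend rather than replace the per-request controls.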
5. New technologies and applications
According to a Beyond Identity survey of over 500 cybersecurity professionals in the US this year, handling new applications was the third biggest challenge to implementing zero trust, cited by 48% of respondents. Adding new applications isn’t the only change that companies might want to make to their systems. Some companies are constantly trying to improve their processes and improve the flow of communication, says John Carey, managing director of the technology solutions group at AArete, a global consulting firm. “This is at odds with the concept of data trust, which puts barriers in front of data moving around freely.”
That means that if zero trust is not implemented or architected correctly, there might be a hit to productivity, Carey says. One area where this can happen is AI projects. Companies have an increasing number of options for creating customized, fine-tuned AI models specific to their businesses, including, most recently, generative AI.
The more information the AI has, the more useful it is. “With AI, you want it to have access to everything. That’s the purpose of AI, but if it is breached, you have a problem. And if it starts disclosing things you don’t want, it is a problem,” Martin Fix, technology director at technology consultant Star, tells CSO.
There’s a new attack vector, Fix says, called “prompt hacking,” where malicious users try to trick the AI into telling them more than they should by cleverly wording the questions they ask. One solution, he says, is to avoid training general-purpose AIs on sensitive information. Instead, this data could be kept separate, with an access control system in place that checks if the user asking the question is allowed access to this data. “The results might not be as good as with an uncontrolled AI. It requires more resources and more management.”
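The arrangement Fix describes, sensitive data kept out of the model and gated by an access check on the user asking the question, as an added example that is not part of the original article and not code from Star or any vendor. The corpus, the group labels and the keyword retrieval are constructed stand-ins (a real system would use a vector index and a real authorization service); the point is where the check sits. Entitlements are applied to the document set before retrieval, so a question worded to coax out something the user may not read has nothing to coax, because that text never reaches the prompt.

```python
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Document:
    doc_id: str
    text: str
    allowed_groups: frozenset  # groups entitled to read this document


def _words(text: str) -> set:
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def rank(question: str, docs):
    """Toy keyword retrieval: score by overlapping words, highest first.
    Stand-in for the vector search a real deployment would use."""
    q = _words(question)
    scored = [(len(q & _words(d.text)), d) for d in docs]
    return [d for score, d in sorted(scored, key=lambda s: -s[0]) if score > 0]


def retrieve_unfiltered(question: str, corpus):
    """What an 'AI with access to everything' sees: every matching document."""
    return rank(question, corpus)


def retrieve_for_user(question: str, corpus, user_groups):
    """Authorization before retrieval: filter the corpus to documents the
    asking user is entitled to, then rank only those. The model never sees
    the rest, so no phrasing of the question can surface it."""
    permitted = [d for d in corpus if d.allowed_groups & frozenset(user_groups)]
    return rank(question, permitted)


def build_prompt(question: str, docs) -> str:
    context = "\n".join(f"[{d.doc_id}] {d.text}" for d in docs)
    return f"Answer using only the context below.\n\nContext:\n{context}\n\nQuestion: {question}"


# Constructed corpus with hypothetical group labels.
CORPUS = [
    Document("pub-1", "Office holiday schedule and parking policy", frozenset({"all"})),
    Document("hr-7", "Salary bands and compensation review for 2024", frozenset({"hr"})),
    Document("eng-3", "Salary survey for engineering hiring: market rates", frozenset({"engineering"})),
]


def ids(docs):
    return [d.doc_id for d in docs]


if __name__ == "__main__":
    question = "salary bands"
    print("unfiltered:", ids(retrieve_unfiltered(question, CORPUS)))
    print("engineer:  ", ids(retrieve_for_user(question, CORPUS, {"all", "engineering"})))
    print("hr:        ", ids(retrieve_for_user(question, CORPUS, {"all", "hr"})))
    print(build_prompt(question, retrieve_for_user(question, CORPUS, {"all", "engineering"})))
```

The cost Fix mentions shows up directly: the engineer's answer is built from one document instead of two, and every query now carries an authorization lookup. The benefit is that the control is enforced in code, on the data path, rather than by instructing the model to keep secrets.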
The underlying issue here is that zero trust changes how companies work. “Vendors say it’s easy. Just put in some edge security where your people come in. No, it’s not easy. And the complexity of zero trust is just beginning to come out,” Deepak Mathur, zero trust leader for the US at KPMG, tells CSO. That’s one big flaw that zero trust never talks about, he says. There are process changes that have to happen when companies implement zero trust technologies. Instead, too often, it’s just taken for granted that people will fix processes.