Zero-trust strategies leave networks open to lateral threats
Zero trust assumes a network is already compromised. However, new EMA research shows enterprises are more concerned with securing remote access than internal lateral threats.
Many companies disregard a core tenet of zero-trust security: Assume the network is already compromised.
Research from Enterprise Management Associates (EMA) saw hints of this neglected zero-trust pillar. For its November 2024 report on how zero trust supports network teams with cybersecurity, EMA surveyed 270 enterprise zero-trust decision-makers and experts. Respondents identified the most influential factors in their approaches to zero trust.
Responses showed many zero-trust initiatives emphasize securing remote network access over reducing lateral movement. More than 63% of respondents said they focused on using zero trust to eliminate unauthorized remote access. Over 60% said they considered the effects of performance and UX in their decision to implement zero trust. In contrast, only 43% said they use zero trust to eliminate lateral movement on the network.
The core priorities of zero trust
In its special publication on zero-trust architecture, NIST advised three important zero-trust initiatives to prevent attacks from unauthorized users:
Authentication.
Authorization.
Shrinking implicit trust zones.
The seven pillars of a zero-trust framework
Zero trust should rigorously authenticate and authorize network connection requests to prevent unauthorized access. It should also eliminate lateral movement by shrinking trust zones, while minimizing adverse effects on network experience.
These priorities align well with NIST's recommendations. NIST's recommendation to minimize trust zones assumes networks are already compromised. A zero-trust architecture that neglects the principle of limiting lateral movement ultimately fails to reduce security risk. Perimeter-based security, for example, is increasingly ineffective for the following reasons:
Enterprises now commonly integrate public resources, such as cloud services and the internet, into enterprise networks, which extends the network beyond its traditional boundaries.
Malicious actors have more opportunities to breach perimeters with social engineering and zero-day exploits.
EMA's data suggested that, when IT and security teams' only concern is user authentication and access authorization, they don't examine events within their network perimeters. The 43% of respondents who prioritize eliminating unauthorized remote access reported less overall success with their zero-trust efforts. They failed to upgrade their network segmentation schemes to shrink zones of trust and reduce opportunities for lateral movement.
The ZTNA marketing problem
The disconnect between how zero trust should work and how most companies use it happens primarily due to a marketing issue. Zero-trust authorities often emphasize it as an architectural concept rather than a product companies can buy and install. But vendors sell products, not architectures.
Many vendors that sell zero-trust network access (ZTNA) products claim their services bring zero-trust security to an enterprise by replacing legacy secure remote access technologies, such as VPNs. VPNs remain common, but many enterprises are transitioning to ZTNA as adoption grows.
The marketing of these products suggests ZTNA by itself satisfies zero-trust principles, but this isn't the case. Organizations must still work to reduce trust zones inside their networks, because ZTNA products rarely affect internal trust zones. Zero trust is a journey, not a product engagement.
Implement zero-trust segmentation
Organizations can implement zero-trust segmentation within network perimeters in various ways. One way involves using network security appliances to serve as east-west gateways. These gateways have granular policies that limit lateral communication between network segments. However, this approach is often difficult to manage.
Another option is to look to an emerging class of vendors that offer hypervisor-based overlays in data centers and clouds, as well as host-based segmentation agents on servers or client devices to impose microsegmentation. Although this approach has a central controller, it can be challenging to operate given the dynamic nature of networks.
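The contrast between gating remote access and shrinking internal trust zones can be made concrete with a small default-deny policy evaluator. The following is an added example, not code from EMA, NIST or any vendor; the workloads, roles, ports and the two policies are constructed for illustration.

```python
from dataclasses import dataclass, field
from itertools import permutations

@dataclass(frozen=True)
class Workload:
    name: str
    zone: str  # network segment / trust zone the workload sits in
    role: str  # identity label the policy matches on, e.g. "web", "app", "db"

@dataclass(frozen=True)
class Rule:
    src_role: str
    dst_role: str
    port: int

@dataclass
class Policy:
    name: str
    rules: list = field(default_factory=list)
    # Zones whose members may talk to each other without an explicit rule:
    # the implicit trust that NIST says to shrink.
    implicit_trust_zones: frozenset = frozenset()

    def allows(self, src: Workload, dst: Workload, port: int) -> tuple:
        """Return (decision, reason); the default is deny."""
        if src.zone == dst.zone and src.zone in self.implicit_trust_zones:
            return True, f"implicit trust inside zone {src.zone!r}"
        for r in self.rules:
            if (r.src_role, r.dst_role, r.port) == (src.role, dst.role, port):
                return True, f"explicit rule {r.src_role}->{r.dst_role}:{port}"
        return False, "default deny"

def lateral_flows(policy: Policy, workloads: list, ports: list) -> list:
    """Every allowed flow between two different workloads in the same zone."""
    return sorted((a.name, b.name, p) for a, b in permutations(workloads, 2)
                  if a.zone == b.zone for p in ports if policy.allows(a, b, p)[0])

# Constructed sample: a three-tier app in one internal zone plus a remote user.
WORKLOADS = [Workload("web1", "internal", "web"), Workload("app1", "internal", "app"),
             Workload("db1", "internal", "db"), Workload("laptop", "external", "remote-user")]
PORTS = [443, 8080, 5432]
# ZTNA-only: remote access is gated, but the internal zone keeps its implicit trust.
ZTNA_ONLY = Policy("ztna-only", [Rule("remote-user", "web", 443)], frozenset({"internal"}))
# Microsegmentation: same remote gate, but every east-west flow needs an explicit rule.
MICROSEG = Policy("microseg", [Rule("remote-user", "web", 443),
                              Rule("web", "app", 8080), Rule("app", "db", 5432)])

if __name__ == "__main__":
    for pol in (ZTNA_ONLY, MICROSEG):
        print(pol.name, lateral_flows(pol, WORKLOADS, PORTS))
```

Both policies admit the remote user to the web tier on 443, but only the microsegmented policy reduces the allowed east-west paths from every port between every internal pair down to the two the application actually needs.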
How zero-trust microsegmentation works
According to 38% of EMA respondents, the high volume of changes and exceptions in their zero-trust segmentation schemes significantly strains their resources. Also, 26% reported they find it too complex to design and implement zero-trust segmentation. The issue of lateral movement isn't one of neglect -- enterprises truly find it difficult to implement zero-trust segmentation.
Still, this only scratches the surface of zero-trust principles. Authentication, authorization and reduced trust zones aren't the only factors to consider. Zero trust must also include identity service modernization and the continuous monitoring and analysis of network activity and user behavior.
The zero-trust industry must address these challenges to ensure enterprises minimize lateral movement. Moreover, tempering zero-trust marketing ensures enterprises can address all zero-trust principles rather than implementing half-measures.
Shamus McGillicuddy is vice president of research for the network management practice at Enterprise Management Associates (EMA). He has more than 20 years of experience in the IT industry and has written extensively about the network infrastructure market. Prior to joining EMA, McGillicuddy was the news director for TechTarget's networking site.