New technologies and applications pose a significant challenge when it comes to implementing zero trust strategies, according to a recent survey conducted by Beyond Identity. The survey, which included over 500 cybersecurity professionals in the US, found that 48% of respondents cited handling new applications as the third biggest challenge in implementing zero trust.
Implementing zero trust involves rethinking the traditional security model of assuming trust within a network and implementing strict access controls and authentication measures. This approach requires companies to closely manage and monitor user access to protect against insider threats and account takeover attacks. However, the introduction of new technologies and applications can complicate these efforts.
John Carey, managing director of the technology solutions group at AArete, a global consulting firm, explains that companies are constantly striving to improve their processes and the flow of communication. However, these efforts can be at odds with the concept of zero trust, which places barriers in front of data moving freely. As a result, if zero trust is not implemented or architected correctly, it can negatively impact productivity.
One area where these challenges are particularly apparent is in the field of artificial intelligence (AI). AI projects often require access to vast amounts of data to be effective. However, this raises concerns about the security of sensitive information and the potential for breaches. Martin Fix, technology director at technology consultant Star, highlights a new attack vector called “prompt hacking,” where malicious users attempt to trick AI systems into revealing more information than they should by manipulating their questions.
To mitigate these risks, companies need to carefully control access to sensitive data and implement robust access control systems. For example, sensitive data could be kept separate from AI models and accessed only by authorized users. While this approach may limit the AI’s capabilities compared to uncontrolled models, it provides an additional layer of security and protection.
However, implementing these changes is not as straightforward as some vendors may suggest. Deepak Mathur, zero trust leader for the US at KPMG, emphasizes that zero trust requires significant process changes within organizations. Simply implementing edge security measures is not enough. Organizations need to carefully evaluate their workflows, policies, and procedures to ensure they align with the principles of zero trust.
In addition to tackling the challenges posed by new technologies and applications, organizations also need to address other potential weaknesses in their zero trust implementations. The survey conducted by Cybersecurity Insiders revealed that 47% of respondents identified overprivileged employee access as a top challenge. Similarly, trusted insiders can still be susceptible to social engineering attacks or tricked into leaking sensitive data, creating insider threats.
To address these risks, companies should consider deploying behavior analytics and user entity behavior analytics (UEBA) tools. These technologies can help detect anomalous behavior and identify potential insider threats or account takeover attacks. However, it is crucial to configure these tools intelligently to minimize false positives and ensure they do not impede employees from performing their job responsibilities.
Ultimately, implementing zero trust requires a holistic approach that considers the challenges posed by new technologies and applications, as well as addressing employee access privileges and potential insider threats. Organizations must also emphasize the importance of process changes to align with the principles of zero trust. By doing so, they can create a more secure and resilient environment that protects against evolving cyber threats.