Black Hat 25: Zero trust as a philosophy, not a service

Courtesy of CFE Media and Technology

Black Hat just held their 25th event in Las Vegas featuring briefings and training sessions for information technology (IT) professionals worldwide. One of the all-day conferences that was occurring was the Omdia Analyst Summit. This is a conference discussing cybersecurity from a high level with different data points provided by Omdia. During the summit, Omdia Senior Principal Analyst Rik Turner spoke on zero trust and its place in the current cybersecurity landscape.

What is zero trust?

Introduced by John Kindervag in 2010, zero trust was established as a service that some cybersecurity companies provide. In the simplest sense, it is verifying that a piece of software is trustworthy. However, Turner describes zero trust as being a “philosophical stance on how to deliver security.”

Before zero trust came to be, companies, businesses and individuals would trust others and their technologies in tandem with verifying the legitimacy of that technology. Now that zero trust exists, the new slogan is “never trust, always verify and continuously monitor.”

Zero trust applications

Zero trust can be broken down into three areas of privilege as follows:

  • Privileged users – These users only need what they will use, following the principle of least privilege.
  • Cloud assets – Within the cloud, this involves micro-segmentation. Each workload is preordained with the programs, software and data it is allowed to communicate with.
  • Remote access – This is meant to replace VPNs with zero-trust access (ZTA). Traditional VPNs do very little to protect a user/company. With a ZTA, only certain end users can be verified to get in and out of protected information.
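The three areas above reduce to one enforcement rule: nothing is reachable unless an explicit entitlement names it, every request is verified afresh rather than once at login, and every decision is recorded so it can be monitored. The following Python sketch is an added example (not code from the article, from Omdia or from CISA) showing that rule for a privileged user, two cloud tiers and a remote contractor; every identity, resource and rule in it is constructed for illustration.

```python
"""Default-deny zero-trust policy evaluator (constructed example)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    subject: str    # authenticated identity of a user or workload
    resource: str   # target workload, service or data set
    action: str     # "connect", "read", "write", ...
    verified: bool  # result of a fresh check (MFA, device posture) for THIS request


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class ZeroTrustPolicy:
    """Allow-list with default deny: a request passes only if it was freshly
    verified AND an explicit rule names the exact (subject, resource, action)."""

    def __init__(self) -> None:
        self._rules: dict[tuple[str, str, str], str] = {}
        self.audit: list[tuple[Request, Decision]] = []  # continuous-monitoring record

    def permit(self, subject: str, resource: str, action: str, why: str) -> None:
        # Every grant carries a justification so the allow-list can be reviewed.
        self._rules[(subject, resource, action)] = why

    def evaluate(self, req: Request) -> Decision:
        if not req.verified:
            decision = Decision(False, "verification failed or stale")
        else:
            why = self._rules.get((req.subject, req.resource, req.action))
            decision = (Decision(True, f"explicit rule: {why}") if why is not None
                        else Decision(False, "no explicit rule (default deny)"))
        self.audit.append((req, decision))  # record allow and deny alike
        return decision

    def repeated_denials(self, threshold: int = 2) -> dict[str, int]:
        """Subjects denied at least `threshold` times: the 'continuously monitor'
        part of the slogan, surfacing identities reaching beyond their entitlements."""
        counts = Counter(req.subject for req, d in self.audit if not d.allowed)
        return {s: n for s, n in counts.items() if n >= threshold}


def build_sample_policy() -> ZeroTrustPolicy:
    """Constructed entitlements covering the three areas named in the article."""
    p = ZeroTrustPolicy()
    # Privileged user: only what the role actually uses, nothing broader.
    p.permit("alice-admin", "hmi-server", "connect", "admin maintains HMI")
    # Cloud micro-segmentation: web tier may reach the API tier; only the
    # API tier may reach the database, so the web tier never talks to it.
    p.permit("web-tier", "api-tier", "connect", "web front end calls API")
    p.permit("api-tier", "db-tier", "connect", "API owns all DB access")
    # Remote access: a contractor is scoped to one historian, read only.
    p.permit("bob-contractor", "historian", "read", "quarterly report export")
    return p


def run_demo() -> list[bool]:
    """Evaluate a constructed batch of requests; return the allow/deny outcomes."""
    p = build_sample_policy()
    batch = [
        Request("alice-admin", "hmi-server", "connect", verified=True),     # allowed
        Request("alice-admin", "hmi-server", "connect", verified=False),    # denied: not re-verified
        Request("web-tier", "db-tier", "connect", verified=True),           # denied: segment boundary
        Request("api-tier", "db-tier", "connect", verified=True),           # allowed
        Request("bob-contractor", "historian", "read", verified=True),      # allowed
        Request("bob-contractor", "historian", "write", verified=True),     # denied: beyond scope
        Request("bob-contractor", "hmi-server", "connect", verified=True),  # denied: beyond scope
    ]
    outcomes = [p.evaluate(r).allowed for r in batch]
    for req, d in p.audit:
        verdict = "ALLOW" if d.allowed else "DENY "
        print(f"{verdict} {req.subject} -> {req.resource}:{req.action}  ({d.reason})")
    print("repeated denials:", p.repeated_denials())
    return outcomes


if __name__ == "__main__":
    run_demo()
```

The point of the design is that no rule ever grants a network, a role or a tier; each grant is one subject, one resource and one action with a written reason, which is what makes the allow-list auditable and keeps "institutionalized paranoia" cheap to review.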

According to Turner, zero trust is “institutionalized paranoia,” particularly from the most privileged users.

The Cybersecurity and Infrastructure Security Agency (CISA) established a zero-trust maturity model to keep businesses trying to sell zero-trust-as-a-service in check. It is encouraging to see the U.S. government taking zero trust seriously and holding zero-trust vendors accountable, according to Turner.

What zero trust means in the industrial space

With zero trust, critical infrastructures and businesses need to always question the legitimacy of a service or software and monitor its use to ensure that it is doing its job. This could look like watching what happens when a new firewall is implemented in the days, weeks and months after its addition.

Turner said zero-trust-as-a-service is unnecessary and a cash grab. If proper cyber practices and cleanliness are already integrated into a company’s cybersecurity model, then they are already practicing zero trust in a philosophical sense.

Why the C-suite doesn’t like it

At the end of his presentation, Turner talked about how the C-suite level of a company may not want a zero-trust philosophy/service put in place because they don’t want unknowns to be known, by the public or by themselves. He says this is because they don’t want to know about problems that are present, since fixing them will cost them in revenue and downtime.
