• Home
  • Blog
  • Did Zero Trust Kill Defense in Depth or Has Defense in Depth Improved Zero Trust?
Did Zero Trust Kill Defense in Depth or Has Defense in Depth Improved Zero Trust?

Did Zero Trust Kill Defense in Depth or Has Defense in Depth Improved Zero Trust?

Dec 27, 2022 / Kron

Zero Trust (ZT) continues to make waves, as US federal agencies are now publishing guidance, such as the OMB’s M-22-09 or DoD’s ZT strategy for effective implementations. While still jammed in myths, which could only be sorted out with some effort, it enables the goverment to be considered a source of trust in cybersecurity.

At this point, I would like to address a confusion, which is whether ZT has replaced Defense in Depth (DiD) and other acknowledged cybersecurity principles or not. If ZT has not replaced these principles, how do they relate to ZT? What about the others, such as the principle of least privilege or segregation of duties? Well, ZT has not replaced these principles at all. Now let's try to understand how they continue their relation with ZT as security specialists ensure their reliability while using these principles in an effective and efficient manner.

 

Zero Trust is Based on Settled Security Principles...

Like in any house construction, everything starts with a safe and sound foundation to prevent certain things to collapse or fall on your neighbor's property. This foundation involves common industry practices for ZT. We can highlight three basic principles that are ranked high important for ZT, yet are mostly misaligned.

  1. Least Privilege
  2. Segregation of Duties
  3. Defense in Depth – DiD

As you apply these principles, you will see that you and your organization are on the right path when it is time to assess your ZT maturity.

... Yet, You Should Use These Accurately in Order to Successfully Implement Zero Trust.

Do you realize how convenient life has become? We have manuals and guides for almost anything to show us how to do things. These will guide you in understanding how to do something accurately. Unfortunately, you tend to skip the guide and just proceed to assemble the bike for your vacation or use the wrong tool to tighten a screw. It may not be a big issue to assemble the bike incorrectly, yet faults in cybersecurity may cause highlyh costly and largeg-scaled issues when it comes to the implementation of security principles. Focusing on these three highlights will help you to comprehend the following:

  1. The principle of least privilege may be rather impractical when used alone.

    We all know that agencies intend to improve their security position by using this principle and ensure that work force has the kind of access that will be just enough to perform their duties. While these may all be great, it may be troublesome if the task is too big. When someone's role covers too many things, your security team will need to extra time to create a large number of permissions for a single role. With so many duties, it is highly probable that the relevant person might make an inadeguate decision that will have an adverse effect on the security of your enterprise.

  2. Segregation of duties helps implement the principle of least privilege, yet it does not consider prevention of access.

    Fortunately, segregation of duties supports the implementation of the principle of least privilege. According to this principle, an individual should not have broad access. For instance, this means that the sales representative of an agency cannot change the price of a product or a solution; instead, the price change is done by an approving authority such as the director. While these two primarily focus on permissions, they do not handle prevention of access. This is where Defense in Depth plays an importnat part.

  3. Defense in Depth (DiD) settles the issue.

     With DiD, organizations focus on controls preventing unauthorized access to systems. These are administrative, technical and physical controls. It's unfortunate that DiD has fallen victim to misuse, leading to "expense in depth", causing issues to be resolved by spending more on technologies and security control hoping prevent security threats in their aftermath without trying to prevent them. Zero trust has brought DiD concepts back on the agenda, this time with a strategic focus to help security specialists to better perform in the following areas:
    • Blending different audits by making use of the technological advancements that unite individual security functions on a single platform to reduce complexity of distribution.
    • Reducing cost of management by centralizing security tool management through reduction of the number and types of audits with overlapping abilities.
    • Preventing unauthorized access by taking advantage of strategic access control that could logically and physically be applied closest to high value assets, reducing potential internal threats while discouraging the potential threateners' intention for unauthorized access.

 

Time to Think in Depth

Zero Trust has come a long way as an information security model. While often becoming a matter of debate and doubt. But there is one thing that is certain: If we focus on what ZT has been built on, we can see that it provides a common target for most (if not all) of these basic principles to be effective when implemented.

Reference: Forrester

Highlights

Enhancing Cybersecurity with AI-Powered Privileged Access Management

Enhancing Cybersecurity with AI-Powered Privileged Access Management

Mar 20, 2024
Reducing Cyber Insurance Costs with Kron PAM: A Smart Move for Businesses

Reducing Cyber Insurance Costs with Kron PAM: A Smart Move for Businesses

Apr 18, 2024
Unlocking Efficiency: The Strategic Advantages of SaaS PAM in Business

Unlocking Efficiency: The Strategic Advantages of SaaS PAM in Business

May 06, 2024
UK’s Telecommunications Security Act (TSA) Code of Practice

UK’s Telecommunications Security Act (TSA) Code of Practice

May 09, 2024
Exploring PAM Deployment Options and Choosing Between SaaS and On-Premise Solutions

Exploring PAM Deployment Options and Choosing Between SaaS and On-Premise Solutions

May 16, 2024
Elevating Privileged Access Management with Kron PAM and Microsoft Entra ID Integration

Elevating Privileged Access Management with Kron PAM and Microsoft Entra ID Integration

May 23, 2024
Enhancing Security with Kron PAM's Multitenancy: A Game-Changer for Large Organizations

Enhancing Security with Kron PAM's Multitenancy: A Game-Changer for Large Organizations

Jun 10, 2024
Safeguarding Your Business from Misuse of AI with Kron PAM

Safeguarding Your Business from Misuse of AI with Kron PAM

Jun 24, 2024

Other Blogs

Blog
What is User Behavior Analytics?

What is User Behavior Analytics?

Jan 03, 2023 Read More

Blog
Favorite Target of Ransomware Attacks: ICS Networks

Favorite Target of Ransomware Attacks: ICS Networks

Jul 18, 2021 Read More

Blog
Meet the Krontech Team at GISEC, Gulf Information Security Expo & Conference in Dubai, 1-3 May, Dubai World Trade Centre

Meet the Krontech Team at GISEC, Gulf Information Security Expo & Conference in Dubai, 1-3 May, Dubai World Trade Centre

Apr 17, 2018 Read More

Blog
New Cyber Security Regulations Are On The Way

New Cyber Security Regulations Are On The Way

Sep 11, 2022 Read More

Blog
Network Performance Metrics: 5 Essential Network Metrics to Monitor

Global Risks Report and Cybersecurity Overview

Jan 30, 2022 Read More

Blog
In a Multi-Cloud World, It’s Time to Rethink Who Has Access To What

In a Multi-Cloud World, It’s Time to Rethink Who Has Access To What

Mar 28, 2019 Read More

Contact Us

Contact us to learn more about Kron Technologies' telecom and cybersecurity products.