Dr Silvia Knittl is one of the Cyber & Privacy Directors at PwC Germany and leads the Enterprise Security Architects team. She supports clients in activating their cyber capabilities and manages security transformation projects. At this year’s Internet Security Days (ISD), she will be presenting on the Zero Trust approach.
What are the potential risks and challenges when companies or organisations abandon the Zero Trust approach and revert to a more traditional security model?
Organisations reverting to the traditional security model would lead to an increased risk of cyber attacks: the Zero Trust approach is based on the idea that no network, device or user is automatically considered trustworthy. If this approach is abandoned, it increases the risk that attackers can more easily penetrate the corporate network and steal sensitive data.
In addition, access controls would be weaker, as Zero Trust places a strong emphasis on strict access control based on identity and context. Contextual information used to make access decisions includes device status, the type of transaction being attempted, or the intended access location. A traditional approach could lead to looser access controls, making it easier for attackers to gain unauthorised access to systems or data.
There is also a risk of inadequate detection of insider threats. Zero Trust also explicitly considers the possibility of insider threats, where authorised users may have malicious intent. Traditional approaches could make it more difficult to detect such threats and slow down the response time to such incidents.
How would the elimination of Zero Trust affect compliance and privacy requirements? Are there specific regulations or standards that would be facilitated by retaining the Zero Trust model?
Zero Trust emphasises the need for strong controls, for example as part of comprehensive identity management. This ensures that only authorised people or applications have access to sensitive or personal data. Moving away from this model could make it more difficult to comply with data protection regulations.
In addition, the elimination of Zero Trust could lead to looser security measures, potentially making it easier for attackers to steal trade secrets or intellectual property. This can lead to compliance breaches, as well as financial and competitive damage.
Adhering to the Zero Trust model can help facilitate compliance with certain regulations and standards, such as the General Data Protection Regulation (GDPR), by emphasising strict access controls, privacy and security in the Zero Trust model. In the US, the National Institute of Standards and Technology (NIST) has developed a cybersecurity framework that includes best practices for improving cybersecurity. Among other things, the framework promotes the implementation of Zero Trust security practices to improve the protection of resources. In the digital health sector, gematik has adopted the Zero Trust approach as a modern approach in the context of updating the Telematics Infrastructure (TI) specifications.
What is the role of increasing digitalisation and the shift of resources to the cloud in the importance of the Zero Trust approach? Are traditional security models good enough to keep up with current developments and attack techniques, or is Zero Trust the better choice?
Increasing digitalisation and the shift of resources to the cloud have increased the importance of the Zero Trust approach. Traditional security models in the past often focused on protecting an organisation’s own network by building an internal perimeter defence and trusting the users, devices or applications within that network. However, this approach has been challenged by the development of new technologies and the changing threat landscape.
The Zero Trust approach is therefore particularly relevant in today’s digital world. Especially with the increasing shift of resources to the cloud and the introduction of mobile and IoT devices, traditional network perimeters are becoming blurred. A Zero Trust model can ensure that only authorised individuals have access to certain resources, regardless of where they are located.
The modern workplace increasingly demands flexible working models where employees can work from different locations and devices. A traditional security model that relies heavily on a physical perimeter may not be able to keep up with this dynamic, while Zero Trust is better able to adapt to such changes.
As the threat landscape continues to evolve, attackers are looking for new vulnerabilities and using increasingly sophisticated attack techniques. Zero Trust, which is based on a “trust is good, control is better” mindset, may therefore be better able to adapt to these changing threats and minimise potential vulnerabilities.
While traditional security models can provide certain safeguards, it is becoming increasingly difficult to keep up with rapidly evolving threats and attack techniques. Zero Trust provides a proactive and granular security strategy based on principles such as continuous monitoring, strict access control and low privilege. In today’s digital age, where outsourced services, distributed networks and geographically dispersed workforces are the norm, Zero Trust can be an effective choice to address security needs and protect sensitive data.
Thank you very much for this interview, Dr Knittl!
Book your tickets for the ISDs here: https://international.eco.de/events/internet-security-days-2023/