“People told me I was crazy,” Kindervag said of initial reaction to his 2010 research. But earlier this year, the National Security Agency called on administrators of systems involving critical infrastructure and national security to embrace zero trust.
Previously, computer security networks often relied on the “castle and moat” model, meaning that money is spent on perimeter security but users who have logged into the system are assumed to be safe. With zero trust, users within a system must keep authenticating their credentials as they move through the network.
The push for zero trust has stepped up lately after the suspected Russian hack involving cybersecurity firm Solarwinds and the China-linked cyberattack exploiting a flaw in Microsoft’s Exchange email software. Cybersecurity experts have said that zero trust might have mitigated the fallout from the attacks and helped the government track the hackers.
U.S. Chief Information Security Officer Christopher DeRusha said in a recent hearing that zero trust “prevents adversaries from the kind of privilege escalation that was demonstrated in the SolarWinds incident.”
Breaches with national security implications aren’t the only concern. A recent UK government survey found that some 40% of businesses underwent a cyberattack in the past year. Of those, more than 80% experienced phishing attacks.
According to another recent study, by research firm Canalys, 31 billion data records were compromised over the last 12 months. That accounts for more than half of the 55 billion data records exposed since 2005.
Canalys chief analyst Matthew Ball said in a statement, “Prioritize cybersecurity and invest in broadening protection, detection and response measures or face disaster.”