Archive for Forrester

Forrester Warns Quantum Security Isn’t Hype And You Should Prepare Now 

Posted in Commentary with tags on March 10, 2025 by itnerd

According to a new Forrester report, the commercial availability of quantum computers that can compromise traditional asymmetric cryptography is still five to 10 years away, but the report warns that security and risk (S&R) professionals must assess and prepare for the impact of quantum security now.

Stefan Leichenauer, VP of Engineering at SandboxAQ, commented:

“The Forrester report is exactly right about the threat of quantum computers: in as little as five years we could see a quantum computer crack traditional cryptography, and because of ‘hack now, decrypt later’ attacks, the vulnerability exists today.

“Even if we have doubts about whether a quantum computer will arrive in that timeframe—maybe you think it’s only a 10% chance—a modest probability of a trillion-dollar-loss event is still a big problem.

“We’ve seen a number of recent announcements from the quantum computing industry showing that the roadmap is advancing, so our confidence that quantum computers are coming has only gone up. Every organization needs to evaluate their cryptographic posture, which begins with a careful inventory of their use of encryption and then a crypto-agile migration to post-quantum key exchanges. It’s a multi-year process, so the time to start is now.”

This should make those who defend against attack take a more urgent approach to defending themselves. I say that because threat actors can harvest your encrypted traffic now and decrypt it later, once a capable quantum computer exists. Thus the play has to be to avoid the “harvest now” part so that the “decrypt later” part is a non-issue.
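The inventory-then-migrate process described in the quote above needs a way to decide which usages go first. The script below is an added example, not code from the post, from Forrester or from SandboxAQ: it takes a constructed crypto inventory (the asset names, key sizes, shelf-life and migration estimates are all assumptions for illustration), classifies each algorithm family, and ranks the quantum-vulnerable ones with Mosca's inequality, a widely used model the post itself does not mention: an asset is at risk when the years its data must stay secret plus the years the migration will take exceed the years until a cryptographically relevant quantum computer (CRQC) exists, because traffic captured today can be decrypted once that machine arrives.

```python
"""Cryptographic inventory triage for a post-quantum migration (added example).

All inventory records below are constructed for illustration. The ranking
uses Mosca's inequality: at risk if shelf_life + migration_time > years_to_crqc.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Public-key families broken by Shor's algorithm: every usage must migrate.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "ED25519"}
# Symmetric ciphers and hashes: Grover's algorithm at most halves the
# security level, so 256-bit keys are the conservative target.
SYMMETRIC = {"AES", "CHACHA20", "SHA-256", "SHA-384", "SHA3-256", "HMAC-SHA256"}
# NIST-standardised post-quantum algorithms (FIPS 203, 204 and 205).
POST_QUANTUM = {"ML-KEM-512", "ML-KEM-768", "ML-KEM-1024",
                "ML-DSA-44", "ML-DSA-65", "ML-DSA-87", "SLH-DSA"}


@dataclass(frozen=True)
class CryptoAsset:
    name: str                 # where the algorithm is used (assumed label)
    algorithm: str            # family name as reported by the inventory scan
    key_bits: int             # 0 when the parameter set is encoded in the name
    shelf_life_years: float   # how long the protected data must stay secret
    migration_years: float    # estimated effort to replace this usage


def classify(algorithm: str, key_bits: int) -> str:
    alg = algorithm.upper()
    if alg in SHOR_BROKEN:
        return "quantum-vulnerable"
    if alg in POST_QUANTUM:
        return "post-quantum"
    if alg in SYMMETRIC:
        return "symmetric-ok" if key_bits >= 256 else "symmetric-review"
    return "unknown"


def mosca_at_risk(asset: CryptoAsset, years_to_crqc: float) -> bool:
    """Mosca's inequality: the data outlives the time left to migrate."""
    return asset.shelf_life_years + asset.migration_years > years_to_crqc


def prioritize(inventory: List[CryptoAsset], years_to_crqc: float) -> List[Tuple[str, str]]:
    """Return (asset name, verdict) for every asset, most urgent first:
    quantum-vulnerable assets already failing Mosca's inequality, then the
    remaining quantum-vulnerable ones, then symmetric usages worth a review,
    then inventory gaps, then assets that are already fine."""
    rows = []
    for a in inventory:
        cls = classify(a.algorithm, a.key_bits)
        if cls == "quantum-vulnerable":
            if mosca_at_risk(a, years_to_crqc):
                over = a.shelf_life_years + a.migration_years - years_to_crqc
                rows.append((0, a.name, f"migrate now: shelf life + migration exceeds CRQC estimate by {over:.0f}y"))
            else:
                rows.append((1, a.name, "migrate: plan hybrid/PQ key exchange"))
        elif cls == "symmetric-review":
            rows.append((2, a.name, "review: raise symmetric key size to 256 bits"))
        elif cls == "unknown":
            rows.append((3, a.name, "inventory gap: unrecognised algorithm"))
        else:
            rows.append((4, a.name, "ok"))
    rows.sort()  # names are unique, so the sort is by urgency then name
    return [(name, verdict) for _, name, verdict in rows]


# Constructed inventory, shaped like the output of a crypto-discovery scan.
INVENTORY = [
    CryptoAsset("vpn-site-to-site", "ECDH", 256, shelf_life_years=10, migration_years=2),
    CryptoAsset("public-web-tls", "X25519", 256, shelf_life_years=1, migration_years=1),
    CryptoAsset("code-signing", "RSA", 3072, shelf_life_years=5, migration_years=3),
    CryptoAsset("backup-encryption", "AES", 128, shelf_life_years=15, migration_years=1),
    CryptoAsset("internal-kem-pilot", "ML-KEM-768", 0, shelf_life_years=10, migration_years=0),
]
FORRESTER_LOWER_BOUND_YEARS = 5   # lower end of the report's "five to 10 years"

if __name__ == "__main__":
    for horizon in (FORRESTER_LOWER_BOUND_YEARS, 10):
        print(f"--- assuming a CRQC in {horizon} years ---")
        for name, verdict in prioritize(INVENTORY, horizon):
            print(f"{name:20s} {verdict}")
```

Running it with both ends of the report's window shows why the horizon matters: at five years the RSA code-signing usage also fails the inequality, at ten years only the long-lived VPN does, so the argument in the quote about a modest probability of an early arrival translates directly into which migrations start first.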

Two-thirds Of European Firms Adopt A Zero Trust Strategy

Posted in Commentary with tags on March 8, 2023 by itnerd

Over two-thirds of European organizations have begun developing a zero trust strategy, up from just 25% in 2020, and a further 15% plan to adopt zero trust technology, according to Forrester. The analyst house, which first coined the term over a decade ago, said the leading countries adopting zero trust are Germany (79%), the UK (68%) and France (66%).

In its new report, Forrester also claimed that public sector organizations are taking the lead, with 82% believing their enterprise architecture is invested in and supports zero trust, compared to 72% of non-governmental organizations.

All of those adopting zero trust solutions have suffered at least one breach in the past 12 months that impacted key business processes or incurred cyber insurance penalties, the report stated.

Baber Amin, COO of Veridium, had this comment:

In the rush to get to zero trust, organizations should not be looking for a quick fix or silver bullet, or assume that one product or set of products will get them to zero trust. Too often, they fail to understand or don’t want to acknowledge that zero trust is a strategy; it is an information security model. Products can and do help achieve zero trust, but they need to be applied correctly. The most expensive lock is not secure if the door itself is not properly reinforced.

Forrester research says, “Zero Trust is an information security model that denies access to applications and data by default.”

Common mistakes when implementing zero trust include:

  • Confusing zero trust strategy with product offerings promising to achieve the desired result.
  • Forgetting that zero trust is a philosophy and a journey. Why? Because zero trust is “Trust nothing, verify everything,” requiring constant vigilance and improvement.
  • Failure to define a proper access control policy based on the concept of least-privilege access.
  • Failing to monitor access creep and orphan access.
  • Focusing only on network access and network traffic routing.
  • Failing to implement basic levels of multi-factor authentication.
  • Not implementing a proper layered security approach that includes basic security hygiene, e.g. endpoint patching and password reuse.
  • Failure to classify and segment data, especially unstructured data.
  • Lack of visibility around shadow IT.
  • Lack of visibility between IT and OT. Where there is a gap, it will be exploited.
  • Making your user experience too cumbersome, and adoption an uphill battle.

The most important thing security leaders can do is go back to first principles. These include:

  • Follow the least-privilege access model.
  • Implement a defense-in-depth model.
  • Identify what it means to fail securely (fail open vs. fail closed).
  • Minimize the attack surface area.
  • Avoid security by obscurity and adopt an open design philosophy.
  • Implement a separation of duties (SoD) model.
  • Implement the most robust MFA approach your users will adopt.

Zero trust is a good idea that organizations should be looking at. If they take the time to properly plan and implement this strategy, it will pay dividends in terms of better securing the environment. Thus this should be required reading for anyone thinking of a zero trust strategy.
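Several of the points above (default deny, least privilege, mandatory MFA, failing closed, and catching access creep and orphan access) come down to two pieces of logic that are easy to get wrong. The script below is an added example, not code from the post, from Veridium or from Forrester: a minimal access-decision function in which every path that does not end in an explicit grant is a denial, including an unreachable policy store, plus a scheduled sweep that flags grants whose owner has left the directory or that have not been exercised recently. The users, resources, grants and timestamps are constructed for illustration; a real deployment would read them from the IdP, a device-posture service and the entitlement store.

```python
"""Default-deny access evaluation plus an orphan/stale grant sweep (added example).

All users, resources, grants and timestamps below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    action: str
    mfa_verified: bool       # a second factor was verified for this session
    device_compliant: bool   # device posture check passed


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


@dataclass
class PolicyStore:
    # (user, resource) -> allowed actions; an entry is an explicit grant
    grants: Dict[Tuple[str, str], FrozenSet[str]]
    # resources for which a verified second factor is mandatory
    mfa_required: Set[str]
    # simulates whether the entitlement backend is reachable
    available: bool = True


def evaluate(req: AccessRequest, store: PolicyStore) -> Decision:
    """Deny by default: only an explicit grant that passes every check allows."""
    if not store.available:
        # Fail closed: an unreachable policy store must never become an implicit allow.
        return Decision(False, "policy store unavailable; failing closed")
    actions: Optional[FrozenSet[str]] = store.grants.get((req.user, req.resource))
    if actions is None:
        return Decision(False, "no explicit grant (default deny)")
    if req.action not in actions:
        return Decision(False, f"action {req.action!r} not in grant (least privilege)")
    if req.resource in store.mfa_required and not req.mfa_verified:
        return Decision(False, "MFA required for this resource")
    if not req.device_compliant:
        return Decision(False, "device posture not compliant")
    return Decision(True, "explicit grant, MFA and device posture verified")


def sweep_grants(store: PolicyStore, active_users: Set[str],
                 last_used: Dict[Tuple[str, str], datetime], now: datetime,
                 max_idle: timedelta = timedelta(days=90)) -> List[Tuple[Tuple[str, str], str]]:
    """Return grants to revoke: orphaned (owner no longer in the directory) or
    stale (never exercised, or unused for longer than max_idle)."""
    findings = []
    for key in sorted(store.grants):
        user, _resource = key
        if user not in active_users:
            findings.append((key, "orphan: user not in directory"))
            continue
        used = last_used.get(key)
        if used is None:
            findings.append((key, "stale: grant never exercised"))
        elif now - used > max_idle:
            findings.append((key, f"stale: unused for {(now - used).days} days"))
    return findings


# Constructed sample data.
NOW = datetime(2023, 3, 8, tzinfo=timezone.utc)
SAMPLE_STORE = PolicyStore(
    grants={
        ("alice", "payroll-db"): frozenset({"read"}),
        ("bob", "payroll-db"): frozenset({"read", "write"}),
        ("carol", "wiki"): frozenset({"read"}),          # carol has left the company
        ("dave", "build-server"): frozenset({"read"}),   # granted but never used
    },
    mfa_required={"payroll-db"},
)
ACTIVE_USERS = {"alice", "bob", "dave"}
LAST_USED = {
    ("alice", "payroll-db"): NOW - timedelta(days=3),
    ("bob", "payroll-db"): NOW - timedelta(days=200),
    ("carol", "wiki"): NOW - timedelta(days=1),
}

if __name__ == "__main__":
    for req in (AccessRequest("alice", "payroll-db", "read", True, True),
                AccessRequest("alice", "payroll-db", "write", True, True),
                AccessRequest("alice", "payroll-db", "read", False, True),
                AccessRequest("mallory", "payroll-db", "read", True, True)):
        d = evaluate(req, SAMPLE_STORE)
        print(f"{req.user}:{req.action}@{req.resource} -> {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
    for key, why in sweep_grants(SAMPLE_STORE, ACTIVE_USERS, LAST_USED, NOW):
        print("revoke", key, "-", why)
```

The ordering of checks in `evaluate` is deliberate: availability of the decision point is tested before anything else so that an outage can only ever produce a denial, and the grant lookup comes before the MFA and posture checks so that a user with no entitlement learns nothing about which resources demand a second factor. The sweep is what turns "monitor access creep and orphan access" into a routine job rather than an annual audit.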