Zero trust revolution: Why legacy network security fails
The shifting landscape of digital threats demands a fundamental change in network security.
In 2005, long before my time at Capital One, I was a Marine corporal in Iraq. I supported network communications for my squadron, and because of my role, I had to bunker down when attacks occurred. Not fight, just be on high alert and ready to fight if necessary.
When a mortar round or rocket crossed the perimeter and hit the base, I felt it. Often, I felt like a sitting duck. Yet, despite what was happening around me, I had to be ready to support comms for my unit. I had to ensure it was available and secured—or zeroized if all else failed. In those days, though, I only worried about the outside threat—the physical one pounding on my door.
Why now? The evolution of cyber threats
We’ve come a long way since the early days of Operation Iraqi Freedom. Do those types of threats still exist in the world? You bet they do. However, we now have sophisticated cyber threats to deal with too. We have ransomware, DDoS attacks, social engineering, phishing attacks, deepfakes and the list goes on for a solid mile. Depending on the attack, these can come from the outside or the inside.
There are numerous reasons why these threats exist, but many stem from rapid advancements in technology and a growing internet presence. DataReportal.com indicates that 5.35 billion people were using the internet in 2024. This is great for many industries but scary when considering the blast radius of one infiltrated app that millions of people could use.
Recent data breaches, like the MOVEit data breach in 2023, show how alarmingly simple and wide-reaching an attack can become if executed from the right angle in today’s world. In this attack, hackers obtained access to the MOVEit file transfer software. Then, they leveraged a vulnerability to retrieve sensitive data from tens of millions of people across a multitude of companies. That data was further utilized to collect ransom money from execs at big companies. The impact of this breach is still being felt today.
The traditional security struggle bus
I’m a network security engineer, but I’ll say it: Traditional network security struggles against modern threats. Conventional models rely heavily on a solid perimeter but allow for ease of movement for inside personnel. This is often due to cost or to improve performance.
Compounding these struggles, the number of attacks and the number of directions they can come from are staggering. It’s not enough to build an “outside” firewall, a DMZ and an “internal” firewall your users sit behind. Today, we obviously need a more adaptive and resilient security model.
Say hello to zero trust network security
I’m sure you’ve heard of it by now, but zero trust network security (ZTNS) is a different way of thinking. Instead of assuming trust within the network, ZTNS is founded on this principle: “Never trust, always verify.” Every access request, whether it originates from inside or outside the network, is subject to strict verification.
The “Never trust, always verify” approach
In ZTNS, trust is never implicit. Each user and device must continually prove their legitimacy through stringent checks. This is akin to the rigorous identification checks at a military checkpoint—no one gets through without proper clearance. Want in? Badge, business and clearance level, please!
Key components of zero trust
- Identity-Based Access Controls: Only authenticated and authorized users can access resources.
- Microsegmentation: Slicing the network into smaller segments to contain potential breaches, much like setting up multiple secure zones within a base.
- Continuous Monitoring: Constant vigilance over network activity to detect and respond to threats in real time.
- Least Privilege Access: Users have the minimal access required, limiting potential damage if an account is compromised.
Benefits of zero trust
- Enhanced Security Posture: With zero trust, each access attempt faces scrutiny, making it harder for attackers to roam once inside.
- Protection Against Insider Threats: Zero trust limits even trusted insiders’ actions. Essentially, you have to be verified to do things.
- Improved Visibility and Control: Zero trust allows organizations to monitor network traffic closely, which helps detect anomalies.
Implementing zero trust
Zero trust is not something you magically implement overnight. It demands a thorough review of your current infrastructure. It demands vulnerabilities be identified. Furthermore, it requires a network audit to pinpoint where current security mechanisms fall short.
Best practices for implementation
- Identity Management: Use strict identity and access management protocols.
- Network Segmentation: Create secure zones within the network to contain potential threats.
- Encryption: You need this for your sensitive data—in transit and at rest.
- Multifactor Authentication (MFA): Require multiple forms of verification for critical resources.
- Continuous Monitoring: Use advanced monitoring tools to identify and respond to unusual activities in real time.
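To make “never trust, always verify” and the components and best practices listed above concrete, here is an added Python sketch (not from the article or any vendor product) of a per-request policy decision: the legacy perimeter check beside a deny-by-default zero trust check that combines identity, device posture, least privilege and MFA, plus a small audit log for monitoring. The role map, resource names and address range are constructed assumptions.

```python
from dataclasses import dataclass
import ipaddress

# Constructed sample policy (not from the article): least-privilege role map,
# resources that require MFA, and the address range a perimeter model trusts.
ROLE_PERMISSIONS = {
    "netops": {"switch-mgmt", "wiki"},
    "finance": {"payroll-db", "wiki"},
}
CRITICAL_RESOURCES = {"payroll-db", "switch-mgmt"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
AUDIT_LOG = []  # every decision is recorded for continuous monitoring

@dataclass
class Request:
    user: str
    role: str
    resource: str
    src_ip: str
    authenticated: bool = False
    mfa_verified: bool = False
    device_compliant: bool = False

def perimeter_decision(req: Request) -> bool:
    """Legacy model: an address inside the perimeter is the only check."""
    return ipaddress.ip_address(req.src_ip) in INTERNAL_NET

def zero_trust_decision(req: Request) -> tuple[bool, list[str]]:
    """Deny by default: location is ignored and every check must pass."""
    reasons = []
    if not req.authenticated:
        reasons.append("identity not verified")
    if not req.device_compliant:
        reasons.append("device posture not compliant")
    if req.resource not in ROLE_PERMISSIONS.get(req.role, set()):
        reasons.append("resource not permitted for role")
    if req.resource in CRITICAL_RESOURCES and not req.mfa_verified:
        reasons.append("MFA required for critical resource")
    AUDIT_LOG.append((req.user, req.resource, not reasons, tuple(reasons)))
    return not reasons, reasons

def repeatedly_denied(threshold: int = 3) -> set[str]:
    """Monitoring hook: users whose denied requests reach the threshold."""
    counts: dict[str, int] = {}
    for user, _, allowed, _ in AUDIT_LOG:
        if not allowed:
            counts[user] = counts.get(user, 0) + 1
    return {u for u, n in counts.items() if n >= threshold}
```

A request from an internal address by an authenticated user on a non-compliant device passes `perimeter_decision` but is denied by `zero_trust_decision` with the reasons listed, while a fully verified request from outside the network is allowed.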
SASE and zero trust
Secure access service edge (SASE) combines networking and security to support zero trust principles. It uses five key capabilities:
- Software-defined wide area network (SD-WAN)
- Secure web gateway (SWG)
- Cloud access security broker (CASB)
- Firewall as a service (FWaaS)
- Zero trust network access (ZTNA)
There are many providers and solutions for these capabilities. Still, if we home in on ZTNA, you may recognize common solutions like GlobalProtect by Palo Alto Networks, Zscaler Private Access (ZPA) and Cisco Secure Client (formerly AnyConnect). Do any of those sound familiar?
Real-world examples
In his book “Zero Trust Security Demystified,” L.D. Knowings points out several organizations that have successfully embraced zero trust. He mentions big companies like Accenture, Cloudflare and Akamai, a well-known CDN with a dynamic environment. Even Cisco is mentioned, which should be familiar to many folks in the network space. They use their own SASE architecture, in fact.
Companies that have adopted zero trust report better threat detection and faster incident response times, as every access request undergoes verification. Many of their cloud infrastructures are secured, their attack surface is reduced, and there is limited ability for malware or bad actors to move laterally on the inside. Not to mention, their data is protected, and they can respond faster to new threats.
Challenges of zero trust
Zero trust can be tricky to implement, not to mention resource-intensive—costs, complexity and user experience all play a role in that. To overcome these types of challenges, organizations should:
- Plan Thoroughly: Hash out a comprehensive plan that involves all necessary stakeholders, business requirements, target state and so on.
- Invest Wisely: Draft an RFP for solutions that meet your requirements and target state. Invest in the tools and technology that best meet your organization’s needs.
- Educate Users: Ensure that everyone—senior leaders, internal engineers, app developers and definitely your end users—understands your new tech and protocols.
Balancing security with user experience is vital for successful adoption. There are many vendors that offer SASE solutions, some all-in-one and some only pieces of the bigger zero trust puzzle. Over time, there will be more, but here are some well-known ones: Palo Alto Networks, Fortinet, Netskope and Cisco.
The future of zero trust
As cyber threats evolve, zero trust will remain crucial in cybersecurity. Dynamic cloud environments, like the one we have at Capital One, make this especially important. However, with tech like AI and machine learning, we’ll be able to enhance zero trust by enabling better threat detection and response. With these, we can sift through data faster, find suspicious patterns or anomalies and be more proactive in our security stance.
Let’s not forget about the role of IoT either. Tim Cook, the CEO of Apple, said: “The Internet of Things is creating a new world where everything is connected and can be controlled remotely.” This is exciting, yet scary when you consider how fast things can hop on the internet with minimal security provisions. Of course, zero trust can help secure IoT devices by requiring each device to be authenticated and monitored, minimizing the risk of IoT-based attacks.
Conclusion
If I learned anything from my beloved time in the Marines, it would stem from this mantra: “Improvise, adapt and overcome.” That “adapt” part is crucial for today’s digital environment. By moving beyond outdated models and embracing zero trust, organizations can adapt and ensure more robust defenses against cyber adversaries.
In the evolving landscape of cybersecurity, zero trust is the new standard, and it’s the path that companies in the modern world must begin to take. This is the path toward resilient, perhaps even antifragile, networks. Adapting and staying vigilant are essential, as complacency is not an option.
Zero trust. Over and out.
