Securing Digital Infrastructures

Zero Trust Security vs. Zero Touch Security 

How Zero Touch can supplement Zero Trust in strengthening the security of digital infrastructure deployments 

Nandita Bery
Samantha Goyagoy

For the past few years, if you were to whip out a cybersecurity bingo card at conferences, you would undoubtedly mark “blockchain,” “defense in depth,” “security by design,” and recently, “zero trust,” aka ZT. Zero trust has been getting all the buzz lately for shifting defenses from traditional, network-based perimeters to focus on users, assets, and behaviors. Zero trust, as the name implies, assumes there is no implicit trust granted to users or devices. 

Zero trust employs a more granular perimeter control based on identity (i.e., users), devices, geolocation, and historical usage patterns to decide whether something should be trusted within the enterprise. There are several ways to put this into practice, from micro-segmentation and analytics to identity and access management (IAM) and multifactor authentication (MFA). 

Zero trust security is a well-established concept in the security industry by now, but what’s also gradually gaining attention is zero touch security. The latter can supplement zero trust and other security efforts by automating areas that benefit from a hands-off process, like accessing sensitive data. 

But are these just product marketing hype, or do they have promise? 


Defining zero trust: Never trust, always verify 

Since Forrester coined the term, zero trust has taken flight from a mere vision to an inescapable cybersecurity approach. According to Forrester, “Zero Trust is an information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices.” [1] The architecture goes beyond approved IP addresses, ports, and protocols for validation, as was once the case with traditionally defined perimeters. Even if traffic is already inside, it is treated with zero trust.

As a result, there is stronger security that travels with the workload, even as perimeters shift, whether in the cloud, container, hybrid environment, or on-premise.

There is a caveat, though. Research firm Gartner® predicts that 60% of organizations will adopt zero-trust security by 2025; more than half, however, will fail to realize the benefits.[2] Embracing zero trust, while “extremely powerful,” would require a cultural shift and clear communication that ties to business outcomes to be successful. After all, it’s not something like installing new security products. Like any other digital transformation, it will take a strong collaboration of partners, customers, and the industry to connect security across the ecosystem. 

Defining zero touch: Security through automation 

To err is human; to exploit is threat actors’ game. When you factor people into the cybersecurity equation, the 2022 Data Breach Investigations Report (DBIR) finds that 82% of breaches result from errors in human-centric events.[3] This finding lines up with companies looking to key security strategies that mitigate such risk.

This is where zero touch security comes in. It refers to the process wherein devices are automatically set up and configured/provisioned by an authorized user (think: admin) to automate repetitive tasks, minimize human interaction points, and reduce errors. 

Sure, we humans may be equipped with certain skills that can’t be replicated by security automation, or the “machine.” At least not yet. But the machine does help in addressing issues like security skills shortage and operational inefficiencies in organizations which ultimately contribute to the security posture. Automating systems can allow incident response to identify security risks that need to be prioritized without having to check everything. Alert fatigue, anyone?

Security challenges addressed by zero trust and zero touch security 

As digital infrastructures continue to evolve, access points are increasing. The security models recognize that as long as there’s inherent trust or human intervention, there is the potential for security issues. Data exposure or exploitation can occur either purposely (e.g., via an internal bad actor that causes harm to the company or an external threat actor that compromises employee credentials) or accidentally (e.g., via someone misconfiguring a setting or clicking on a phishing email).

That’s why the industry is taking notice of how a zero-trust security approach would complement technological advances and how digital businesses accelerate. Adopting a risk-based, identity-centric approach provides the needed security foundation. As security teams face the constant barrage of cyber threats, security automation is shaping up to be an answer to efficiently handling common phishing, insider risks, and other alerts.

Both zero trust and zero touch are promising as security models, and together could work well in implementing stringent measures. Well-defined models should steer a more streamlined infrastructure, better user experience, and improved security defenses, thus enabling secure digital transformation. 

Zero trust and zero touch in practice 

In the Equinix 2022 Global Tech Trends Survey results, we learned that companies across the globe are prioritizing “future-proofing” their businesses to improve cybersecurity and comply with data protection regulations.  

Survey question (chart not shown): “How much of a priority is each of the following for your organization’s technology strategy?” 

And to some, this may mean implementing zero trust and zero touch security as part of their strategy. 

With zero trust, you’ll have all the contextual information on how users handle applications, when they access them, and where they interact with devices at any given moment. The continuous authentication that’s happening in the background will appropriately respond to the “transactions” the user is making. Expected, low-risk transactions can be done without direct user interaction, while higher-risk tasks may need additional vetting or controls. Continuous authentication done by zero trust enables a zero-touch experience for the user. 
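The decision flow described above can be sketched as a small policy function. This is an added example, not code from the article or from Equinix; the signal names, weights, thresholds and sample data are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical): per-user history a policy engine
# would normally pull from an identity provider and a device inventory.
HISTORY = {
    "alice": {"devices": {"laptop-01"}, "countries": {"SG"}, "hours": range(7, 20)},
}
# Resource sensitivity, 0 (low) to 3 (restricted). Unlisted resources are denied.
SENSITIVITY = {"wiki": 0, "payroll-db": 3}

@dataclass(frozen=True)
class Request:
    user: str
    device: str
    device_compliant: bool
    country: str
    hour: int          # local hour of the request, 0-23
    resource: str

def risk_score(req, profile):
    """Score deviation from the user's historical pattern (weights are assumed)."""
    score = 0
    if req.device not in profile["devices"]:
        score += 2     # device never seen for this user
    if req.country not in profile["countries"]:
        score += 2     # unfamiliar geolocation
    if req.hour not in profile["hours"]:
        score += 1     # outside usual working hours
    return score

def decide(req):
    """Return 'allow', 'step_up' (e.g. an MFA prompt) or 'deny'.

    Source IP or network location is deliberately not an input: being
    "inside" earns no trust. Anything not explicitly known is denied.
    """
    profile = HISTORY.get(req.user)
    if profile is None or req.resource not in SENSITIVITY:
        return "deny"          # default deny: unknown identity or resource
    if not req.device_compliant:
        return "deny"          # a valid identity on an unhealthy device fails
    total = risk_score(req, profile) + SENSITIVITY[req.resource]
    if total <= 1:
        return "allow"         # expected, low-risk: no user interaction
    if total <= 4:
        return "step_up"       # higher risk: additional vetting
    return "deny"
```

Because `decide` is evaluated on every request rather than once at login, the same user can move between all three outcomes within a single session as context changes.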

The implementations, however, aren’t created equal. The thing is, these approaches are only as secure as the “security blocks” on which they are built. A zero-trust security posture, to begin with, may still be a ways away from being completely achieved, but major technology companies like Amazon Web Services, Cisco Systems, IBM, Microsoft, and Zscaler have started adopting zero trust into their architectures as part of the efforts to improve supply chain security and overall security standards.[4]

Cloud security company Zscaler’s scalable implementation with Equinix provides seamless, zero-trust access to private applications running on a public cloud or within a data center facility. This replaces or augments the use of VPN to work with internet access and provide greater security resilience.  

As the world’s digital infrastructure company, Equinix weaves zero trust into its fabric to ensure the security of our infrastructures and services for customers. Designed with reliability and security, Platform Equinix embeds security in all stages of development to deliver robust interconnection to hybrid clouds. Equinix Fabric connects digital infrastructure and services on demand and gives operations full control of their data and security perimeters. 

Keep an eye out for our next discussion on digital infrastructure security in this series. In the meantime, you can read our previous post on the top cyberthreats to digital infrastructures to tide you over. 

 

[1] Forrester, “The Definition Of Modern Zero Trust.” January 2022. 

[2] Gartner, “Gartner Unveils the Top Eight Cybersecurity Predictions for 2022-23.” June 2022.  

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. 

[3] Verizon, “DBIR: Data Breach Investigations Report 2022.” May 2022. 

[4] Information Security Media Group, “18 Companies to Participate in NIST ‘Zero Trust’ Project.” July 2021. 


Nandita Bery, Director of Awareness and Education, Infosec Team
Samantha Goyagoy, Content & Development Manager, Infosec Team