San Jose. Hundreds of yellow lines chase back and forth across a spinning globe. Each one represents a cyber attack being detected at that moment. The animation is meant to unsettle entrepreneurs and heads of public authorities: “We are in a constant race with attackers who are becoming better and better equipped,” says Jay Chaudhry, founder and boss of Zscaler, during a presentation at the company’s headquarters in San Jose, California.
Chaudhry uses it to promote his company. With Zscaler, the India-born entrepreneur has built a billion-dollar company that calls for a radical departure from previous approaches to cyber security. The concept is called Zero Trust. “Trust nothing and nobody,” is how Chaudhry summarizes the approach to the Handelsblatt.
There is a lot at stake: once intruders get into the internal network, they often have far-reaching access. A single lapse by an employee working from home can be enough for attackers to hijack the entire company network. Protecting the perimeter from the outside is no longer sufficient today.
Zero Trust reverses the approach. A network is no longer defended at its boundary. Instead, every access is treated by the IT system as potentially hostile and must be verified.
Business is good for Zscaler, even though competition from providers such as Crowdstrike or Cyberark is fierce. Zero Trust sells well. The US government, for example, wants to convert most government systems to it by 2024. The global zero trust security market will grow from $27.4 billion this year to $60.7 billion in 2027, according to market researcher Markets and Markets.
Zero Trust promises companies significantly better protection against cyber attacks, which are increasing dramatically, as German companies are also feeling: every second company was the target of cyber attacks in 2020 and 2021, as IT consultancy MHP found out in cooperation with the Baden-Württemberg State Criminal Police Office. In every third case the damage ran into the millions of euros, and the trend is sharply upward.
Cyber attacks are lucrative for criminals
Cybercrime is one of the safest and most lucrative forms of crime; most attacks can be neither traced nor punished. For many companies there is simply no way around Zero Trust, says Jeetu Patel, CEO of network giant Cisco. “If companies don’t implement the concept, the risk only increases every day.”
But it is not that easy. Zero Trust is a hard break with earlier concepts and poses challenges for companies, public authorities and employees. IT departments have to rebuild their digital infrastructure, employees face more cumbersome logins and have to live with fewer access rights. And business and government leaders place themselves entirely in the hands of providers such as Zscaler, Crowdstrike or Cyberark.
“It’s incredibly difficult to completely convert an existing system to Zero Trust,” says a cybersecurity officer at a large US tech company, who declined to give his name publicly. Zero Trust is being introduced at his company, but the providers are never completely trusted. “We always have several backup copies of all important data,” says the IT expert.
Working from home and the cloud are causing difficulties for quite a few companies, which can no longer adequately protect their internal networks. What was still feasible with a few office locations is reaching its limits with many employees working from home and external cloud services being integrated.
With Zero Trust, for example, it is no longer enough for a user to log in with a password and get started. “Passwords are the ultimate tool for would-be attackers trying to break into an organization with weak security,” said Sunil Ravi, chief security architect at Versa Networks.
Constant control, fluctuating access rights
Bank customers in Germany know the procedure: you have to identify yourself several times. In addition to a password, approval can be given in an app on the company smartphone, or a separate access code is sent via SMS. Access is granted only with the combination. A stolen password on its own is no longer enough to hijack a company network.
The distrust does not stop at login. An algorithm continuously calculates, in real time, the risk posed by a user. Data points such as location or the security state of the device feed into this.
The user is granted the lowest possible access rights and should only be able to reach the information and services needed for the current task. In individual cases this can mean very fine-grained restrictions: users may not change any drive mappings on the network, for example, or the copy/paste function is disabled.
Employees who verify themselves can work without worry from anywhere, whether at home, in a home office or on the go. “The time when almost all employees worked in a well-protected office is over. And it won’t come back,” Zscaler boss Chaudhry said with conviction.
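The three mechanisms described above (a login that requires more than a password, a risk score recomputed from device and location signals on every request, and least-privilege grants that shrink as risk rises) can be shown in a small policy engine. The following code is an added illustration and is not Zscaler's or any vendor's code; the role entitlements, risk weights, thresholds and sample contexts are all constructed for this example.

```python
"""
Minimal zero-trust access decision (constructed example).

Step 1: a password alone never grants access; a second, different factor is required.
Step 2: a risk score is recomputed from context on every request, not only at login.
Step 3: permissions start from the role's maximum and are trimmed as risk rises,
        mirroring the "no drive mapping" / "no copy-paste" restrictions in the text.
"""
from dataclasses import dataclass, field

# Constructed entitlements: the most a role may ever do.
ROLE_ENTITLEMENTS = {
    "finance": {"ledger:read", "ledger:write", "clipboard", "drive:map"},
    "support": {"tickets:read", "tickets:write", "clipboard"},
}
# Constructed: actions withdrawn once the session risk reaches RESTRICT_AT.
RISK_RESTRICTED = {"drive:map", "clipboard", "ledger:write", "tickets:write"}
TRUSTED_COUNTRIES = {"DE", "US"}   # constructed policy value
RESTRICT_AT = 40                    # constructed threshold: trim privileges
DENY_AT = 70                        # constructed threshold: refuse access


@dataclass
class Context:
    user: str
    role: str
    factors: set          # factors presented, e.g. {"password", "totp"}
    country: str
    device_managed: bool
    disk_encrypted: bool
    os_patched: bool


@dataclass
class Decision:
    allowed: bool
    risk: int
    permissions: set = field(default_factory=set)
    reason: str = ""


def risk_score(ctx: Context) -> int:
    """Weights are constructed; real products use far richer signals."""
    score = 0
    if ctx.country not in TRUSTED_COUNTRIES:
        score += 30
    if not ctx.device_managed:
        score += 30
    if not ctx.disk_encrypted:
        score += 20
    if not ctx.os_patched:
        score += 15
    return score


def decide(ctx: Context) -> Decision:
    # Step 1: require a second factor that is not the password.
    if "password" not in ctx.factors or not (ctx.factors - {"password"}):
        return Decision(False, 100, reason="second factor required")
    # Step 2: continuous evaluation of device and location signals.
    risk = risk_score(ctx)
    if risk >= DENY_AT:
        return Decision(False, risk, reason="risk too high")
    # Step 3: least privilege, trimmed further when risk is elevated.
    perms = set(ROLE_ENTITLEMENTS.get(ctx.role, set()))
    if risk >= RESTRICT_AT:
        perms -= RISK_RESTRICTED
    return Decision(True, risk, perms, reason="ok")


if __name__ == "__main__":
    # Constructed sample: an employee on an unmanaged, unpatched home laptop.
    home = Context("anna", "finance", {"password", "totp"}, "DE", False, True, False)
    d = decide(home)
    print(d.allowed, d.risk, sorted(d.permissions), d.reason)
```

The point of the structure is that the decision is a function of the whole context, so calling `decide` again after the device posture changes mid-session yields a different, possibly narrower, set of permissions without any change to the user's role.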
USA made zero trust mandatory – Germany wants to follow suit
The federal government also wants to make its systems more secure with a focus on “zero trust”. The state must position itself in such a way that “we are gradually moving towards a zero-trust architecture,” said Andreas Könen, head of the cyber and IT security department in the Ministry of the Interior, at a recent industry conference. However, the government did not present a precise timetable.
The US is further along. The powerful White House Office of Administration and Treasury has directed all agencies to transition their systems to zero-trust approaches by 2024.
The agency warned of targeted cyber attacks against government agencies: “These campaigns are aimed at the technical infrastructure of the federal government and threaten public safety and privacy, damage the American economy and weaken trust in the government.”
In January, the Defense Information Systems Agency, which operates under the Department of Defense, announced it had awarded consulting firm Booz Allen Hamilton a $6.8 million contract to develop a zero-trust platform.
Moving to Zero Trust requires a lot of trust
All of the leading cybersecurity companies today are promoting Zero Trust solutions. In an analysis, the US investment bank Morgan Stanley describes Zscaler, Palo Alto Networks and Okta from Silicon Valley as well as Crowdstrike from Texas and Cyberark from Israel as particularly experienced providers.
However, the switch to the new security architecture poses considerable challenges for its customers. Digital infrastructures must be completely overhauled. Crowdstrike product chief Amol Kulkarni acknowledged, “Enterprises have recognized the importance of zero trust, but are struggling to implement it broadly in heterogeneous environments.”
In other words, the transition is incredibly difficult and tricky. In the new cybersecurity world, providers want to act as the central control point: they decide which access is allowed and which is not. To do this, companies must grant Zero Trust providers extensive access to their networks. That is not easy.
This is especially true when important data is involved. Several cyber security providers are able to screen encrypted data transfers for threats. This increases security but demands a great deal of trust. “We only check what the companies hire us to do,” says Zscaler boss Chaudhry. A company can simply exempt sensitive communication from the checks.
His chief technology officer, Amit Sinha, tries to allay customer concerns with comparisons like this one: “We’re like airport security checks. We check who can identify themselves and we also look in their luggage to see if anyone has dangerous objects with them.”
Fear of a second Solarwinds hack
However, this does not eliminate a core problem: Zscaler and the other providers can themselves become the target of cyber attacks. Anyone who gains access to Zscaler can potentially also gain access to customer systems. Experts call these supply chain attacks.
The scenario is not purely theoretical; it has already befallen a number of authorities and companies. A particularly drastic case was the attack on Solarwinds in 2020. Many large corporations and government agencies used the services of the US security service provider to monitor the data connections in their networks. Hackers exploited Solarwinds’ special role to gain access to thousands of computer systems via a manipulated update.
The attack is now considered one of the most sophisticated hacks in history. The attackers are said to have even penetrated the US nuclear weapons agency. American secret services suspect the Russian hacker group “Cozy Bear” to be behind the attack and fear that the Kremlin-affiliated hackers had access to the most sensitive data of ministries and companies for months. Up to 18,000 Solarwinds customers are said to have been affected.
The shift to Zero Trust could further increase the role of suppliers in government and corporate cybersecurity. However, that is exactly what makes them particularly lucrative targets.
Chaudhry emphasizes that Zscaler is doing everything it can to protect itself and its customers against cyber attacks. “In addition, we do not store any of our customers’ data,” says the Zscaler boss. But he also conceded, “I’ve been in the cybersecurity industry for about three decades, and I know there’s no such thing as 100% security.”