Blog
Jun 20, 2024

Setting a New Cybersecurity Standard: The Rising Importance of True Zero Trust

Written By

Shir Basok

Not long ago, it came to light that a well-known threat actor was reportedly selling access to a large cybersecurity company. Fortunately, it appears that no customer data was compromised, but the incident nonetheless sent ripples through the cybersecurity world. Even more significantly, it brought to the fore a critical issue that too often goes ignored – the inherent risks (and potential for serious damage) that arise when security vendors hold and store sensitive customer data. 

When Security Vendors Do Not Practice Zero-Trust Security

Zero trust is a security framework founded on the idea that no user or device should ever be trusted inherently. The basic mantra of zero trust is “never trust, always verify.” Yet even as zero-trust security has gained widespread acceptance in the security community and beyond, security vendors still regularly require their own customers to trust them.

On the one hand, it may seem understandable that security vendors consider themselves more secure and therefore more trustworthy than third-party vendors in other industries. But if zero trust truly means zero trust, then there is good reason to scrutinize the standard practice of vendors requiring customers to hand over encryption keys, credentials, and other sensitive assets in exchange for security and access management tools.

The fact of the matter is that security vendors should know better than anyone that every organization has vulnerabilities. When security vendors break the zero-trust model by holding and storing sensitive customer data, that data is left at risk of exposure if the vendor is breached or otherwise attacked.

This is not to imply that security vendors have malicious intentions; they most likely just overestimate their own capabilities or else do not see themselves as part of the zero-trust ecosystem. Still, the primary goal of cybersecurity is to minimize the attack surface for threat actors — and requiring that customers relinquish access to their sensitive data and assets explicitly contradicts this goal.

A New Cybersecurity Standard for a New Era of Zero Trust

For years, the cybersecurity industry has advocated for the zero-trust approach—except when it comes to security vendors themselves. This paradox persists despite numerous high-profile security incidents and data breaches involving security companies (in which their customers are often left exposed). Now is the time to adopt a new standard that includes security vendors in the zero-trust framework.

For Almog Apirion, our CEO and co-founder at Cyolo, true zero trust has always been a guiding principle. In his past role as a CISO, he became increasingly frustrated that every secure access solution presented to him required vendor trust. Eventually, he set out to create Cyolo.

“When building Cyolo and our secure remote access solution, we refused to accept that we, as the vendor, must require the inherent trust of our customers. Instead, we designed a unique trustless architecture that purposely never stores any customer data,” Apirion explains.

Embracing Trustless Architecture

Cyolo’s approach to zero trust sets a new benchmark for cybersecurity. The Cyolo solution’s architecture ensures that all secrets, data, and encryption keys remain within the customer’s trusted boundaries, eliminating the risk of exposure even if Cyolo were to be breached. And because Cyolo has no access to customer data in any environment—whether in testing, quality assurance, production, on-premises, in data centers, or in the cloud—our customers can rest assured that their secrets are safe even if Cyolo is targeted in a cyberattack.

“The fight against cybercriminals will never be an equal one, and for this reason, we ‘good guys’ cannot be creating extra risk. Why not make cybercriminals’ lives a little harder by practicing what we preach when it comes to zero trust?” says Apirion.

Moving Toward a Zero-Trust Future

The path forward in cybersecurity must include a rigorous commitment to zero trust, including from security vendors. It’s time for us as an industry to reevaluate the norms around data decryption and commit to developing solutions that do not require vendor trust. By doing so, we can better safeguard our customers against threats and move collectively towards a safer and more secure digital future.

It’s time for a new standard in remote access security.

About the author: Shir Basok is Product Marketing Manager at Cyolo.