Why Zero Trust Security is Flawed Without Anti-Phishing Protection

Traditional security solutions are designed to detect and protect you from known danger. “Zero Trust” is about doing the opposite — created by John Kindervag, zero trust is a strategy, or a mindset, where you assume everything is dangerous unless verified as safe.

It’s an approach to securing access across your networks, applications, and environment. Here are just a handful of companies that provide zero trust strategies — Fortinet, Blackberry, Zscaler, Palo Alto Networks, Microsoft, Cisco, Akami, IBM, Citrix, Crowdstrike, Centrify, Check Point, VMware.

The problem

Sadly, every Zero Trust strategy as documented by all the top security companies, is flawed because none of them include zero trust for web access/URLs — instead they use a filter to block known threats. Some companies provide a “virtual browser” — but that solutions is also designed to detect and block known threats — instead of assuming every URL is dangerous unless verified. Unless every URL is assumed to be dangerous, you can’t have a zero trust strategy.

Why zero trust for web access is important

Phishing accounts for 90% of all cyberattacks, and dangerous URLs outnumber malicious email attachments 5 to 1. That’s it. There’s your answer. What’s the point in having zero trust for everything except for web access if that’s the #1 threat vector for almost all cyberattacks?!

Until zero trust security includes zero trust for web access, the entire strategy is flawed. Hackers don’t break in, they log in.

This is why we built MetaCert — the first company to verify web addresses on mass scale — thereby providing the last piece of the zero trust puzzle. So you can assume I’m a little biased. But I’d love to be proven wrong with evidence of a zero trust strategy that incorporates zero trust for URLs.