Acceleration Economy
Cybersecurity as a Business Enabler

Why Zero Trust Is a Cybersecurity Journey and How to Realize Continuous Improvement

By Frank Domizio. March 17, 2023. Updated: March 20, 2023. 7 Mins Read

In today’s digital landscape, cyberattacks are becoming more sophisticated and complex, making it increasingly difficult for organizations to defend against them. Traditional security approaches that rely on defending the perimeter are no longer enough to protect sensitive data and critical systems. This is where the zero-trust security model comes in.

Zero trust, which emphasizes the principle of “never trust, always verify,” has a number of advantages. It can:

  • significantly improve an organization’s security posture by reducing the risk of data breaches caused by insider threats, phishing attacks, or other sophisticated cyber threats
  • enhance network visibility
  • streamline access controls
  • enable organizations to respond quickly to security incidents and prevent them from escalating
  • allow employees to access the resources they need without unnecessary security barriers through use of identity and access management tools

Despite what some overzealous salespeople may try to get us to believe, zero trust is not a product that can be bought, a service that can be installed, or a server to put in a rack. Yes, you’ll probably need to buy some products or services to help you deploy the rich identity and access management (IAM) required by a zero trust architecture, but you should be leery of any vendor that tries to sell you zero trust “in a box.” Remember, it is a security framework that requires continuous adaptation and improvement to stay effective.

As such, we should think of zero trust not as a destination, but as a journey. Zero trust is a new way to think about the data, users, and devices on our network. It is a perpetual process of vigilance and distrust towards all elements within our IT environment. At times, the zero-trust journey may seem like a trip down endless and meandering roads. Think of our analysis today as a GPS to make your travel smoother.

How the Journey Starts

A good way to start your journey is with five key measures as outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-207:

  1. Develop a zero-trust architecture: This involves creating a blueprint of the organization’s information technology (IT) infrastructure and identifying all assets, network connections, and users.
  2. Identify and classify assets: Building on step 1, organizations identify and categorize all digital assets based on their sensitivity level. This step allows for better control over access to critical data.
  3. Create access policies: Access policies define who can access what resources based on the user’s identity, device, and location. This step is crucial as we shift from the perimeter defense model to a system that can make access determinations on the fly.
  4. Monitor activity and implement analytics: Organizations must continually monitor their network for suspicious activity to detect and respond to threats in real-time. They must also use analytics to identify anomalies and predict potential threats.
  5. Respond to incidents: The ability to respond quickly and efficiently to security incidents is critical in mitigating the impact of an attack. Organizations must have an incident response plan and regularly test it to ensure effectiveness.
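
To make steps 2 through 4 concrete, the following Python example is added here as an illustration; it is not taken from NIST SP 800-207 or from any vendor product. The asset names, sensitivity tiers, groups, and policy values are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Step 2 (constructed inventory): assets classified 1 = public .. 3 = restricted.
ASSETS = {"wiki": 1, "hr-db": 2, "payroll-api": 3}
# Identity half of the policy: which groups may reach each asset at all.
ENTITLEMENTS = {"wiki": {"staff"}, "hr-db": {"hr"}, "payroll-api": {"finance"}}
# Step 3 (constructed policy): conditions a request must meet, per sensitivity tier.
POLICY = {
    1: {"mfa": False, "managed_device": False, "locations": None},
    2: {"mfa": True, "managed_device": True, "locations": None},
    3: {"mfa": True, "managed_device": True, "locations": {"US"}},
}

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa: bool
    managed_device: bool
    country: str
    asset: str

AUDIT_LOG = []  # Step 4: every decision, allow or deny, is recorded.

def decide(req):
    """Return (allowed, reason). Deny by default; evaluate each request afresh."""
    tier = ASSETS.get(req.asset)
    if tier is None:
        result = (False, "unknown asset")  # unclassified assets are never reachable
    elif not (req.groups & ENTITLEMENTS[req.asset]):
        result = (False, "identity not entitled")
    else:
        rule = POLICY[tier]
        if rule["mfa"] and not req.mfa:
            result = (False, "mfa required")
        elif rule["managed_device"] and not req.managed_device:
            result = (False, "unmanaged device")
        elif rule["locations"] is not None and req.country not in rule["locations"]:
            result = (False, "location not permitted")
        else:
            result = (True, "policy satisfied")
    AUDIT_LOG.append((req.user, req.asset, *result))
    return result

def denied_users(threshold=2):
    """Step 4: users with at least `threshold` denials, as a simple review signal."""
    counts = Counter(user for user, _a, allowed, _r in AUDIT_LOG if not allowed)
    return sorted(u for u, n in counts.items() if n >= threshold)
```

The same user can be allowed from one context and denied from another, which is the practical difference from a perimeter model: the decision depends on the request, not on where the request originates in the network.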

NIST is widely known and trusted for developing cybersecurity guidelines and best practices, but it is not the only game in town. Each of the following frameworks offers a unique perspective on implementing a zero-trust security model and can be tailored to meet an organization’s specific needs:

  1. Forrester Zero Trust: This framework is based on Forrester’s Zero Trust eXtended (ZTX) model and includes seven pillars: network security, data security, workload security, device security, people security, visibility and analytics, and, finally, automation and orchestration.
  2. Google’s BeyondCorp: Google’s zero-trust framework is based on its own internal security model, BeyondCorp, which emphasizes user identity and device management as the primary components of its security architecture.
  3. Microsoft Zero Trust: Microsoft’s zero-trust model is based on the idea of a “never trust, always verify” security approach that focuses on strong identity authentication and strict access control.
  4. The Cloud Security Alliance (CSA): The CSA provides a framework for implementing zero trust in cloud environments, which includes defining access policies based on user identity, device trustworthiness, and data sensitivity.

Government agencies will probably lean towards NIST, while organizations with a mature cloud-based environment may choose CSA. If your organization uses Microsoft technology extensively, you may lean towards its framework, but if you are steeped in Google Cloud Platform (GCP), you may follow that model. You can even draw on individual elements from the various frameworks and create a hybrid. Ultimately, the key to successfully implementing zero trust is choosing a framework that aligns with your organization’s security goals and provides a clear path to achieving them.

Obstacles in the Zero Trust Journey

While the gains from implementing zero trust are clear, the journey to achieving it is not without obstacles. Resistance to change, the difficulty of gaining comprehensive visibility, and complex integration procedures are just some of the obstacles you may face. Here are my recommendations on how to respond to each of them:

Obstacle 1: Resistance to Change

Employees who are accustomed to more traditional security models and approaches may push back. They may resist new security policies or access controls that may seem restrictive or time-consuming. People are afraid of becoming irrelevant, and your IAM team may be terrified that zero trust will leave them in the dust. They may react by holding on for dear life to the old way of doing things.

To overcome resistance, organizations must effectively communicate the benefits of zero trust and provide employees with the necessary training to understand the new security framework.

Obstacle 2: Comprehensive Visibility

A zero-trust model requires organizations to have a clear understanding of their entire information technology (IT) infrastructure, including all assets, devices, and users. Achieving comprehensive visibility can be difficult, particularly in large organizations with complex IT environments. Organizations must invest in the necessary tools and technologies to gain visibility into their entire network and continually monitor for suspicious activity.

To overcome this roadblock, organizations may need to invest in security orchestration and automation tools that can integrate multiple security products and tools into a unified security platform. These tools can help provide comprehensive visibility into the network, enabling security teams to quickly detect and respond to threats.

Obstacle 3: Integration Challenges

Many organizations have a variety of security tools and platforms in place, and integrating them into a cohesive zero-trust model can be complicated. Organizations may need to invest in new tools or technologies to bridge gaps in their security framework and ensure that all systems are integrated and working together effectively.

Sectors including healthcare and finance often rely on legacy applications. To integrate legacy applications and systems into a zero-trust architecture, you may need to implement additional security controls to mitigate any vulnerabilities or risks. This could involve deploying network segmentation technologies, implementing more granular access control policies, or using virtualization technologies to isolate legacy systems from the rest of the network.

Overcoming these challenges requires a deep understanding of the organization’s security landscape, a commitment to continuous improvement, and a willingness to invest in the necessary technologies and personnel. By successfully navigating these roadblocks, organizations can find themselves in the fast lane to successfully implementing zero trust.

Closing Thoughts

With zero trust, you will significantly improve your security, but you will never be able to plant your flag atop zero trust mountain and celebrate victory. A successful zero-trust deployment requires a comprehensive understanding of the organization’s security landscape, an analysis of risks, and a commitment to continuous improvement. While challenges exist, a zero-trust model will remain a critical framework for mitigating cyber risks and protecting critical data and systems as threats evolve.


Frank Domizio

Deputy CISO
Executive Branch Agency


Frank Domizio is an Acceleration Economy Analyst focusing on Cybersecurity. As a retired Philadelphia Police Officer, Frank got his start in cybersecurity while he was detailed to the FBI as a digital forensic examiner. Since then, Frank has held many positions in and around the federal government specializing in Cyber Threat Intelligence and Incident Response. Now, as a Federal Civilian for an Executive Branch Agency, Frank is a student of the strategy and leadership that goes into making a successful cybersecurity program. He is also an adjunct professor of cybersecurity at the University of Maryland Global Campus. Frank holds a Bachelor of Science in Computing Security Technology from Drexel University and a Master of Science in Cyber and Information Security from Capitol College as well as many industry certifications. As a Federal Government Employee Frank’s views are his own, not representing that of the U.S. Government or any agency.
