Why zero trust strategies fail

A zero trust strategy is one in which nothing and nobody can use an organization’s digital resources without being verified. This isn’t just about verification upon entry into the system, but also about verification as individuals move around within it.

Such a strict regime is required because a cyber criminal or an automated agent might breach a system and move about freely within it if, once inside, there were no verification checks. Zero trust has, therefore, become a gold standard for cyber security in today’s enterprise landscape. 

Implementing zero trust requires a root and branch examination of the entire technology estate. The organization needs to identify its vulnerabilities, both technological and human, and figure out how to best plug the holes. This should be done in the context of minimal disruption to everyday workload, and an understanding that zero trust is not a one-time fix but an evolving idea. 

Implementing such a regime, however, isn’t without its potential pitfalls and pain points. It’s a time-consuming and complex process that requires input from many roles across the organization, as well as external expertise. 

1. Failing to look beyond the corporate network

When hybrid working is the norm, people will be using all manner of locations to work including their homes and public networks. Everything is part of the attack surface and the organization should trust nothing. Every endpoint is a potential vulnerability. 

This also, by the way, includes devices that might sit outside the network such as printers, security cameras, and other Internet of Things (IoT) devices.

A thorough audit of devices will be required before work begins, with a strategy in place to protect each device and to ensure that each device is updated as regularly as needed. 

2. Implementing zero trust too quickly

Implementing a zero trust approach might require significant changes to technologies and also to how people go about their daily business. Go too fast and it’s easy for mistakes to happen. Single devices or applications might slip through the net of compliance assurance at the time of implementation or later. Security hygiene – ensuring that all hardware and software is up to date and patched – is a central aspect of zero trust.

Ensuring every piece of hardware and software is known and its security can be optimized at all times takes time. It is important to allocate enough time to managing everything from the outset, and to develop processes for ensuring existing and new acquisitions are accommodated going forward. 

3. Ignoring the principles of least privileged access

Least privileged access refers to the policy of ensuring users only have the bare minimum permission level to do what they need to do. It’s designed to keep access to resources tightly controlled and prevent the kind of sprawling access through systems that can be most helpful to bad actors. 

However, it can be difficult to implement, particularly in the case of multi-cloud environments in which data and apps are hosted with different providers, each with different policies and security protocols. In the end, budget, available time, and sheer workload can mean in-house teams assign wider privileges than necessary.

Using a class of software called entitlement management, or cloud infrastructure entitlement management, access to a multitude of software, systems, devices, and cloud platforms can be managed centrally. 

4. Failing to focus on users

An organization’s employees are not the only stakeholders it’ll have to work with. There may also be contractors, suppliers, purchasers, delivery partners, and others. Presenting users with new protocols, hoops to jump through, and processes – without understanding whether these are seen as barriers – can cause resentment and foster non-compliance strategies. Users who work around security protocols are users who create risk. 

High-quality user education on how to achieve compliance with security protocols is only part of the solution. People must also understand why certain behaviors are required, and be comfortable with any required actions or approaches. Creating a ‘culture of security’ across the organization takes time, effort, and leadership – from chief officers, senior managers, and line managers. 

5. Assuming zero trust is bought into by default

Every organization is different. Its technology setup will be unique. How people use technology will vary too, as will where they work: in-office, remote or hybrid, and in one city, across national offices, or multinationally. The variables are many and complex. While certain principles and approaches apply to zero trust, their implementation in any one organization will be unique. Simply going to a vendor and expecting them to do everything without any input is a fallacy.

Organizations need to commit their own staff resource to work alongside vendors and understand that the implementation of zero trust will take time. This is and will continue to be an ongoing process.

With cyber attacks showing no signs of slowing down, and with organizations of all sizes and in all markets potentially vulnerable, securing data and networks is paramount. It’s no longer adequate to take a piecemeal approach to this challenge. A zero trust approach can help an organization implement a risk-based strategy toward data security. It isn’t without pitfalls, and organizations should be alive to these, and willing to commit the time and energy required to work them through. 

Sandra Vogel
Freelance journalist
