Why zero trust strategies fail
Zero Trust is the gold standard for organizations in protecting systems from cyber attacks, but there are many common implementation pitfalls businesses must avoid.


A zero trust strategy is one in which nothing and nobody can use an organization’s digital resources without being verified. This isn’t just about verification upon entry into the system, but also when individuals are moving around within the system.
Such a strict regime is required because a cyber criminal or an automated agent might breach a system and move about freely within it if, once inside, there were no verification checks. Zero trust has, therefore, become a gold standard for cyber security in today’s enterprise landscape.
Implementing zero trust requires a root and branch examination of the entire technology estate. The organization needs to identify its vulnerabilities, both technological and human, and figure out how to best plug the holes. This should be done in the context of minimal disruption to everyday workload, and an understanding that zero trust is not a one-time fix but an evolving idea.
Implementing such a regime, however, isn’t without its potential pitfalls and pain points. It’s a time-consuming and complex process that requires input from many roles across the organization, as well as external expertise.
1. Failing to look beyond the corporate network
When hybrid working is the norm, people will be using all manner of locations to work, including their homes and public networks. Everything is part of the attack surface and the organization should trust nothing. Every endpoint is a potential vulnerability.
This also, by the way, includes devices that might sit outside the network such as printers, security cameras, and other Internet of Things (IoT) devices.
A thorough audit of devices will be required before work begins, with a strategy in place to protect each device and to ensure that each device is updated as regularly as needed.
2. Implementing zero trust too quickly
Implementing a Zero Trust approach might require significant changes to technologies and also to how people go about their daily business. Go too fast and it’s easy for mistakes to happen. Single devices or applications might slip through the net of compliance assurance at the time of implementation or later. Security hygiene – ensuring that all hardware and software is up to date and patched – is a central aspect of zero trust.
Ensuring every piece of hardware and software is known and its security can be optimized at all times takes time. It is important to allocate enough time to managing everything from the outset, and to develop processes for ensuring existing and new acquisitions are accommodated going forward.
3. Ignoring the principles of least privileged access
Least privileged access refers to the policy of ensuring users only have the bare minimum permission level to do what they need to do. It’s designed to keep access to resources tightly controlled and prevent the kind of sprawling access through systems that can be most helpful to bad actors.
However, it can be difficult to implement, particularly in the case of multi-cloud environments in which data and apps are hosted with different providers, each with different policies and security protocols. In the end, budget, available time, and sheer workload can mean in-house teams assign wider privileges than necessary.
Using a class of software called entitlement management, or cloud infrastructure entitlement management, access to a multitude of software, systems, devices, and cloud platforms can be managed centrally.
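The comparison at the heart of entitlement management, what an identity has been granted versus what it actually uses, can be sketched as follows. This is an added example, not code from the article or from any vendor's product; the identities, provider names, action strings and the `review_entitlements` function are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample: grants exported from two hypothetical providers and
# normalized into one central list of (identity, provider, action pattern).
GRANTS = [
    ("alice", "cloud-a", "storage:read"),
    ("alice", "cloud-a", "storage:*"),
    ("alice", "cloud-b", "vm:start"),
    ("build-bot", "cloud-a", "storage:write"),
    ("build-bot", "cloud-b", "*"),
]

# Constructed sample: actions each identity performed during the review window.
USAGE = [
    ("alice", "cloud-a", "storage:read"),
    ("build-bot", "cloud-a", "storage:write"),
    ("build-bot", "cloud-b", "registry:push"),
]


def review_entitlements(grants, usage):
    """Classify each grant as keep, narrow (wildcard wider than use) or revoke."""
    findings = []
    for identity, provider, pattern in grants:
        # Actions this identity really used that the grant covers.
        used = sorted({action for who, where, action in usage
                       if who == identity and where == provider
                       and fnmatchcase(action, pattern)})
        if not used:
            # Never exercised in the window: candidate for removal. A human
            # should still confirm it is not a rarely used emergency right.
            verdict, replacement = "revoke", []
        elif any(ch in pattern for ch in "*?["):
            # Wildcard grant: propose the exact actions observed instead.
            verdict, replacement = "narrow", used
        else:
            verdict, replacement = "keep", [pattern]
        findings.append((identity, provider, pattern, verdict, replacement))
    return findings


if __name__ == "__main__":
    for who, where, pattern, verdict, replacement in review_entitlements(GRANTS, USAGE):
        print(f"{who:10} {where:8} {pattern:14} {verdict:7} {replacement}")
```
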
4. Failing to focus on users
An organization’s employees are not the only stakeholders it’ll have to work with. There may also be contractors, suppliers, purchasers, delivery partners, and others. Presenting users with new protocols, hoops to jump through, and processes – without understanding whether these are seen as barriers – can cause resentment and foster non-compliance strategies. Users who work around security protocols are users who create risk.
High-quality user education on how to achieve compliance with security protocols is only part of the solution. People must also understand why certain behaviors are required, and be comfortable with any required actions or approaches. Creating a ‘culture of security’ across the organization takes time, effort, and leadership – from chief officers, senior managers, and line managers.
5. Assuming zero trust is bought into by default
Every organization is different. Its technology setup will be unique, and how people use technology will vary too. So will where its people work: in the office, remotely or hybrid, in one city, across national offices, or multinationally. The variables are many and complex. While certain principles and approaches apply to zero trust, their implementation in any one organization will be unique. Simply going to a vendor and expecting them to do everything without any input is a fallacy.
Organizations need to commit their own staff resource to work alongside vendors and understand that the implementation of zero trust will take time. This is and will continue to be an ongoing process.
With cyber attacks showing no signs of slowing down, and with organizations of all sizes and in all markets potentially vulnerable, securing data and networks is paramount. It’s no longer adequate to take a piecemeal approach to this challenge. A zero trust approach can help an organization implement a risk-based strategy toward data security. It isn’t without pitfalls, and organizations should be alive to these, and willing to commit the time and energy required to work them through.

Sandra Vogel is a freelance journalist with decades of experience in long-form and explainer content, research papers, case studies, white papers, blogs, books, and hardware reviews. She has contributed to ZDNet, national newspapers and many of the best known technology web sites.
At ITPro, Sandra has contributed articles on artificial intelligence (AI), measures that can be taken to cope with inflation, the telecoms industry, risk management, and C-suite strategies. In the past, Sandra also contributed handset reviews for ITPro and has written for the brand for more than 13 years in total.