The zero-trust model is gaining popularity across both public and private sectors. Before jumping in, here are three potential roadblocks to consider.
Play nice: Overcoming the implementation challenges of ‘zero trust.’
Zero trust is more than just a buzzword these days. The White House’s executive order [1] to improve the nation’s security requires federal agencies to adopt a zero-trust architecture. The National Institute of Standards and Technology (NIST) is developing a framework [2] around a zero-trust model for cloud-native applications. The Cybersecurity & Infrastructure Security Agency (CISA) even offers a zero-trust roadmap [3].
The concept of “never trust, always verify” has become a strategic element in addressing cyber threats. According to the 2023 Verizon Data Breach Investigations Report [4], not only is the pace of threat exploitation accelerating, but attacks are moving beyond the traditional network perimeter, with social engineering techniques such as pretexting opening the arena to wherever humans come to graze. In the absence of a discernable boundary, zero-trust models are the skeptical savior, requiring the verification of everything—every identity, every device, and every access point.
It’s clear that moving to a zero-trust approach will offer a more secure infrastructure, but adopting the zero-trust model does come with challenges. Before playing digital bouncer to all the things, consider carefully how you plan to address these concerns.
Thanks in part to remote work, the number of connected devices used by employees has skyrocketed. A Deloitte study [5] found that the average U.S. household has 22 connected devices, many of which are used to connect to business networks. The devices owned by business organizations rely on third-party applications—some sanctioned by work and others used in the shadows—and many of those applications connect with their own third parties. Depending on the size of an organization, the security team could be tasked with protecting technology that spans thousands of devices, both known and unknown. To ensure a zero-trust model is followed across this foggy, sprawling landscape, organizations need to deploy strong access controls, especially for sensitive data and across network architecture. This includes the mandatory use of multi-factor authentication (MFA), biometrics, and identity management solutions.
To implement the concept of trust nothing and verify everything, users will be greeted by more access authentication points than usual—layers of digital gates they did not have to deal with previously. For example, whereas there once was a time when a user could download an application needed for their role with no issues, perhaps now the download will require admin credentials and thus, an IT ticket. Introduced the wrong way, locking down access can frustrate employees who work with different systems, slowing down productivity as employees look for ways to work around the checkpoints—or even give up on a task altogether. Rather than make wholesale changes to all authentication methods all at once, introduce them gradually, starting with the areas that require the highest levels of protection. Ensure the organization understands why zero trust is being introduced, focusing on its benefits and the consequences if not properly followed. A more willing audience is likely to adapt to the changes more easily and even become advocates to less convinced peers.
Almost all organizations still use legacy systems for a variety of reasons—sometimes, it’s the best system available for certain corporate computing needs; other times, it’s too costly to replace. Most legacy systems were built with a well-defined perimeter, so in a way, they were already designed for modern zero trust, because they were the original zero trust. You may be tempted to ignore zero trust in these areas, but you risk leaving the organization open to security gaps between that system and others. It’s helpful to take a good look at the technology you use: Is it truly irreplaceable, or can you endure some growing pains and transition to something better? There may be ways to re-engineer legacy systems, so they are either siloed or securely connected with zero-trust tools.
Zero trust is a process. Most implementation challenges can be overcome with a methodical approach to adoption, thoughtful consideration of your users, and a thorough inventory of the technology within your network. There are no more excuses—so get started.
[1] The White House, “Executive Order on Improving the Nation’s Cybersecurity,” May 12, 2021.
[2] National Institute of Standards and Technology, “A Zero Trust Architecture Model for Access Control in Cloud-Native Applications in Multi-Location Environments: NIST SP 800-207A Available for Comment,” April 18, 2023.
[3] Cybersecurity & Infrastructure Security Agency, “Zero Trust Maturity Model,” April 11, 2023.
[4] Verizon, “2023 Data Breach Investigations Report,” n.d.
[5] Deloitte, “2022 Connectivity and Mobile Trends Survey (third edition),” August 3, 2022.