Today’s world moves fast – trends go viral, hit the mainstream and slink off to the nostalgia circuit in a matter of months.
But, more than ten years after the term was first coined, zero trust just keeps rising. Back in 2019, 78% of cybersecurity teams had either implemented zero trust or were just about to. By 2022, an incredible 94% of C-suite executives surveyed were in the process of implementing some form of zero trust.
Zero trust promises to stop cyber incidents in their tracks
Zero trust’s rise is partly fueled by the swirl of threats that companies face every day, something exacerbated by a shift to hybrid work models and integrated IoT devices. With the number of entry points for attackers multiplying every day, it’s no surprise conventional security models are struggling to keep up.
Zero trust’s operating principle, as the Australian Cyber Security Centre (ACSC) notes, is “no trust without verification”. Rather than only focusing on guarding entry points, zero trust is about distributing security checkpoints inside your organisational systems and networks: all requests are authenticated, authorised and validated through as much context as possible before access to any resource is granted. Through this constant evaluation and the principle of least privilege, zero trust promises that incursions can be immediately triaged and cordoned off from the rest of the network, preventing criminals from escalating a minor incursion into a serious cyber incident.
But implementing zero trust won’t solve all your problems
Zero trust assumes the bad guys may already be inside, and its rise shows that more and more organisations in APAC and beyond are taking today’s threat landscape seriously. But if zero trust really is the answer, why are many organisations underwhelmed by its impact on their security? A recent survey from the Cloud Security Alliance suggests that only 13% of organisations have “fully” benefited from zero trust, while 62% say “some improvement” is needed. More worryingly, a quarter of respondents said their zero trust programs needed either “a lot of improvement”, or had not benefited them at all.
So is zero trust an over-hyped security myth? Not if it is understood correctly and implemented appropriately. There’s no doubt zero trust can be transformative, but it needs to be implemented carefully or it risks being highly disruptive, expensive and/or ineffective. Let’s take a look at some common pitfalls organisations experience with zero trust – and how to sidestep them.
You can’t just flick a zero trust switch and go
As I discussed on the Get Cyber Resilient pod, some executives believe you can simply buy technology in a few of zero trust’s key pillars and get quick results. As I mentioned above, many respondents said their Zero Trust program wasn’t particularly beneficial to them. It may be that they bought Zero Trust technologies believing these were the key to a successful program, implemented them, and then wondered where the real benefits were outside the narrow scope those technologies focused on.
Many security leaders think they’ll just get a good identity system, do some network segmentation, and call it mission accomplished. And I can't actually blame people for having that misconception – go on your favourite search engine and it feels like Zero Trust is a few clicks (and a suitcase full of cash) away. What’s interesting is that the search results promising Zero Trust in a few clicks come from the very companies that sell the product that supposedly does it. The first thing we can all learn from Zero Trust is to apply a “Zero Trust” mindset to anyone’s claim to be selling you “Zero Trust” in a single product.
But as any experienced CISO knows, whatever the claims, no cyber platform or approach can guarantee 100% safety. Zero trust isn’t a single technology as much as it’s a strategy: it’s an approach that must be applied consistently across different pillars of your organisation. That takes time – and will evolve with your company, and the threats you face.
Don’t try to do it all at once
Trying to impose zero trust across your whole network at speed will likely result in logjams, mutinous staff and operational paralysis. Very few organisations have the will or resources to immediately pivot to a full zero-trust framework. Instead, the best approach is a transition. Start small (by identifying critical workflows and tightening controls) and scale slowly.
Maturity across core areas such as endpoint and application security, identity and access management (IAM) and data-flow management takes time and effort. New measures should be tested via small-scale user trials and security evaluations, allowing you to build feedback on workflows and security issues, and use it to optimise and scale your framework.
Taking it slow actually means you’re more likely to be able to build true zero trust, by working out exactly how you can adhere to its principle of least privilege, rather than seeking to impose a single template that will inevitably leave gaps.
Lastly, when you’re wondering where to start on your Zero Trust journey, look at the area of your organisation that is weakest. It may be that your network is far too permissive; it may be your endpoint security with hybrid work; it may be email, remote access, or the way you educate and measure security awareness among your staff. Wherever the largest gaps are (not in Zero Trust specifically, but in security maturity in general) is a great place to start implementing Zero Trust principles and your associated strategy. It’s two for the price of one – you begin your Zero Trust alignment and mitigate some large gaps that you knew needed remediating anyway.
Don’t assume the rest of your organisation will just “get it”
The three biggest barriers to zero trust, according to one recent survey, are all people-related: lack of expertise, lack of buy-in and additional staffing needs. That means good communication is a must, both with your board, to ensure you have the right resources and appetite for change, and with the employees who will be impacted.
Speaking of those who will be impacted: keep in mind that Zero Trust has a big impact on your technical teams. They will be required to support initiatives, learn new standards and generally have security sniffing around in their configuration far more than before. For example, you may have to ask the network team to rely on fewer physical firewalls and move towards a more cloud-based network security model to properly secure hybrid workforces. Some network teams will consider this sacrilege if you don’t spend the time to help them understand Zero Trust, the threat landscape and the reasons change is needed.
Many security leaders make the mistake of thinking that technical teams will pick up Zero Trust easily, and therefore that they have to do very little to get their buy-in. I believe it’s the exact opposite. Spend time with the wider teams that will help the Zero Trust strategy succeed, making sure they have a safe space to learn, ask questions and voice any concerns about the strategy put forth. Mutiny or non-cooperation from other technology teams can be devastating to a security team’s success with a Zero Trust strategy.
At the executive level, making a case to the board means showing real problems and benefits, using non-technical language where possible. Testing with, and getting feedback from, different teams will help you hear their needs and explain yours. Explaining that zero trust doesn’t mean you distrust every worker is a good place to start. Helping your board and staff see the bigger picture – and managing their expectations about the pace of change – will make implementation run far more smoothly.
Something I find useful when building a Zero Trust strategy with organisations is to point out that Zero Trust isn’t actually “Zero” Trust: it’s more like “Contextual Trust, with Minimal Assumptions”. Another thing to remind your board is that a Zero Trust program lets you gather more context than ever before on users, data, devices and networks. That means you can start saying “No” in the right places and “Yes” everywhere else. Most security models are the other way around – they say “No” everywhere and “Yes” only in the right places – which can make them seen as a productivity dampener.
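The operating principle described earlier (every request authenticated, authorised and validated against context before access is granted, with least privilege throughout) and the “No in the right places, Yes everywhere else” framing above can both be shown in a small policy decision point. The following is an added example written for this article, not code from the author or any product; the group directory, resource catalogue, device-posture fields and sample requests are all constructed assumptions, and the rules are deliberately simple so each check is visible.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    """One access request plus the context the policy evaluates.
    Hypothetical schema constructed for this example."""
    user: str
    mfa_verified: bool      # identity proven with a second factor this session
    device_managed: bool    # device is enrolled in the organisation's management tooling
    device_compliant: bool  # device currently passes posture checks (patched, encrypted, ...)
    resource: str
    action: str             # "read" or "write"


@dataclass
class Verdict:
    decision: Decision
    reasons: list = field(default_factory=list)


# Constructed sample directory and resource catalogue (hypothetical data).
GROUPS = {"alice": {"staff", "finance"}, "bob": {"staff"}}
RESOURCES = {
    "wiki":       {"sensitivity": "low",  "write_groups": {"staff"}},
    "payroll-db": {"sensitivity": "high", "write_groups": {"finance"}},
}


def evaluate(req: AccessRequest) -> Verdict:
    """Default-deny policy: every check must pass before an ALLOW is returned.
    Reasons are returned with the decision so denials can be logged and triaged."""
    # 1. Authenticate: unknown or weakly authenticated identities get nothing.
    if req.user not in GROUPS:
        return Verdict(Decision.DENY, ["unknown identity"])
    if not req.mfa_verified:
        return Verdict(Decision.DENY, ["MFA not completed"])

    # 2. Authorise: the resource and action must be ones the catalogue knows about.
    res = RESOURCES.get(req.resource)
    if res is None:
        return Verdict(Decision.DENY, ["unknown resource"])
    if req.action not in ("read", "write"):
        return Verdict(Decision.DENY, [f"unsupported action {req.action!r}"])

    # 3. Validate with context: high-sensitivity data needs a managed, compliant device.
    #    Low-sensitivity data from a verified identity is the "Yes everywhere else" case.
    if res["sensitivity"] == "high":
        if not req.device_managed:
            return Verdict(Decision.DENY, ["high-sensitivity resource requires a managed device"])
        if not req.device_compliant:
            return Verdict(Decision.DENY, ["device failed posture check"])

    # 4. Least privilege: writing requires an explicit group entitlement; reading does not.
    if req.action == "write" and not (GROUPS[req.user] & res["write_groups"]):
        return Verdict(Decision.DENY, ["user not entitled to write to this resource"])

    return Verdict(Decision.ALLOW, ["identity, device and entitlement checks passed"])


def denied_requests(requests):
    """Reduce a batch of requests to the denials (request, reasons) for triage."""
    denied = []
    for req in requests:
        verdict = evaluate(req)
        if verdict.decision is Decision.DENY:
            denied.append((req, verdict.reasons))
    return denied


if __name__ == "__main__":
    # Constructed sample requests exercising each branch of the policy.
    samples = [
        AccessRequest("alice", True, True, True, "payroll-db", "write"),   # allow
        AccessRequest("bob", True, True, True, "payroll-db", "write"),     # deny: not entitled
        AccessRequest("alice", True, False, False, "payroll-db", "read"),  # deny: unmanaged device
        AccessRequest("bob", True, False, False, "wiki", "read"),          # allow: low sensitivity
        AccessRequest("bob", False, True, True, "wiki", "read"),           # deny: no MFA
    ]
    for req in samples:
        v = evaluate(req)
        print(f"{req.user:6} {req.action:5} {req.resource:10} -> {v.decision.value:5} "
              f"({'; '.join(v.reasons)})")
```

The point of the shape is that the default branch is a denial and every ALLOW is the result of explicit checks, yet the low-sensitivity path lets a verified user through from an unmanaged laptop: the policy says “No” only where the context warrants it. In a real deployment the directory and device-posture signals would come from your identity provider and endpoint management tooling rather than in-memory dictionaries, and the reasons list is what your SOC would want in the access log.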
If you’re a smaller organisation or have limited resources: Remember it's not “All or Nothing”
Many smaller organisations I work with write off the Zero Trust methodology, and I don’t blame them. Research Zero Trust and you’ll find many sites and resources describing what it looks like in a highly advanced implementation: authentication and authorisation are performed continuously, 24/7 teams and AI watch thousands of signals in real time, best-of-breed technologies are all seamlessly integrated, and anything abnormal is automatically dealt with through automation.
While this is a great example of an advanced Zero Trust implementation, smaller organisations should remember that Zero Trust is first and foremost a strategy based on a set of principles. The controls you implement are dictated by your organisation’s budget, resources, capability and risk appetite. I’ve helped organisations of fewer than 200 employees implement Zero Trust in a way that made sense to them, and it was far different from what I’ve helped large financial institutions do. Regardless, both approaches aligned with Zero Trust principles: they significantly reduced the attack surface and modernised the security program, while providing a great user experience for hybrid work, cloud, SaaS and so on, without the significant risks that were once present. One thing that was consistent between both was that cyber security could finally be a business enabler.
Zero trust has plenty of pitfalls: careful implementation is required
Zero trust has great potential, but many pitfalls. You can’t snap your fingers and level up your maturity, and you can’t expect everyone at your organisation to immediately get on board with beaming smiles.
But while the same approach to zero trust won’t work for everyone, if you understand the principles behind it, tailor control sets to your organisation and implement them right, it can bring enormous rewards. By tightening up key pillars, focusing on critical areas first and selling it across your organisation, you’ll succeed in aligning your strategy with a framework focused on isolating incursions, limiting lateral movement and stopping attackers turning an open window into a ransacked home. In an age of cloud services and hybrid work, the ability to pin down criminals is priceless.