Zero trust implementation: Plan, then execute, one step at a time
82% of cybersecurity professionals worked on implementing zero trust last year, and a further 16% are expected to be working on it by the end of this year.
The challenges of zero trust implementation
You’ve probably heard it before: zero trust is not a single product, but a security strategy that follows the principle of “never trust, always verify”. As such, it requires a customized approach, which can be quite complicated and might require additional staff.
Implementing zero trust means an overall change in technology and architecture, carried out one step at a time. Legacy systems that were not designed to operate within a zero-trust framework might require different security measures or possibly replacement, resulting in additional expenses.
Due to its high costs, the implementation of zero trust may encounter obstacles set by executive stakeholders.
The evolving nature of organizations can also pose security issues. Employees come and go, and having a strong zero-trust architecture in place means updating access permissions constantly and on time. Failing to do so leaves access in place that former employees could use to harm the organization.
Among the challenges is also the continuous authentication required by the zero-trust framework, as it can negatively affect productivity and application performance.
The presence of unknown IoT devices within the network poses a significant threat. These can be brought into and out of the organization by employees, partners or visitors, and are much harder to detect and protect under the zero-trust model. The same goes for unmonitored third-party systems, as they are outside an organization's control.
Finally, the implementation of the zero-trust model can cause friction between IT and security teams, fueled by the continuous verification requirements.
“In the traditional security model, security was focused on the perimeter. But with zero trust, security is focused on the data — which means that IT and security teams need to change the way they think about security,” Axiad noted.
How to overcome roadblocks
To build a strong zero-trust security framework, organizations should first determine which of their data and systems are sensitive, and then make sure they know where the data is located.
User access to specific data and systems needs to be granted based on job function and has to be constantly monitored. Enforcing strict authentication and authorization can keep attackers at bay. Another essential aspect of zero trust is encryption, as it protects data both in transit and at rest.
But organizations should not leave it at that. They should continuously monitor network traffic and user activity so that potential risks are identified in a timely manner.
Zero trust also pushes for micro-segmentation, which breaks networks, workloads, and applications down into smaller, more granular segments and makes it harder for attackers to move laterally and/or spread malware across many company systems.
Finally, organizations should make sure their employees are on board with security best practices and aware of the many convincing ways threat actors will try to access a company’s data and assets.
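The controls described above (classify sensitive systems and know where they sit, grant access by job function, verify continuously, revoke access promptly when people leave, micro-segment, and log every decision for monitoring) can be demonstrated with a small deny-by-default policy engine. The following is an added example, not code from the article or from Axiad; the resource inventory, roles, segment allowlist, users and devices are all constructed for illustration, and encryption is left out because it sits at a different layer than the access decision.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed inventory: which systems hold sensitive data, and in which
# network segment each one lives (the "know where the data is" step).
RESOURCES: Dict[str, Dict[str, str]] = {
    "hr-db":   {"sensitivity": "restricted", "segment": "hr"},
    "payroll": {"sensitivity": "restricted", "segment": "finance"},
    "wiki":    {"sensitivity": "internal",   "segment": "corp"},
}

# Constructed job-function policy: what each role may read and which segments
# it may reach. Anything not listed here is denied.
ROLES: Dict[str, Dict[str, set]] = {
    "hr-analyst": {"sensitivities": {"internal", "restricted"}, "segments": {"corp", "hr"}},
    "engineer":   {"sensitivities": {"internal"},               "segments": {"corp"}},
}

# Constructed micro-segmentation allowlist: (source segment, destination segment).
ALLOWED_FLOWS = {("corp", "corp"), ("corp", "hr"), ("hr", "hr"), ("hr", "corp")}

# Continuous verification: a proof of MFA older than this is not accepted.
MFA_MAX_AGE = timedelta(minutes=15)

@dataclass
class Principal:
    user: str
    role: str
    active: bool                       # set to False when someone leaves
    mfa_verified_at: Optional[datetime]

@dataclass
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    segment: str                       # segment the request originates from

@dataclass
class Request:
    principal: Principal
    device: Device
    resource: str
    now: datetime

AUDIT_LOG: List[Dict[str, str]] = []   # every decision is recorded for monitoring

def _evaluate(req: Request) -> str:
    """Return "ok" only if every check passes; otherwise the first failing reason."""
    res = RESOURCES.get(req.resource)
    if res is None:
        return "unknown resource"
    p = req.principal
    if not p.active:
        return "account disabled"
    role = ROLES.get(p.role)
    if role is None:
        return "unknown role"
    if p.mfa_verified_at is None or req.now - p.mfa_verified_at > MFA_MAX_AGE:
        return "mfa stale"
    d = req.device
    if not (d.managed and d.disk_encrypted):
        return "device not compliant"
    if res["sensitivity"] not in role["sensitivities"]:
        return "role lacks clearance"
    if res["segment"] not in role["segments"]:
        return "segment not permitted for role"
    if (d.segment, res["segment"]) not in ALLOWED_FLOWS:
        return "flow blocked by segmentation"
    return "ok"

def decide(req: Request) -> Tuple[bool, str]:
    """Deny-by-default decision; the outcome is always written to the audit log."""
    reason = _evaluate(req)
    AUDIT_LOG.append({
        "time": req.now.isoformat(), "user": req.principal.user,
        "device": req.device.device_id, "resource": req.resource,
        "decision": "allow" if reason == "ok" else "deny", "reason": reason,
    })
    return reason == "ok", reason

def run_demo() -> List[Tuple[str, str, bool, str]]:
    """Evaluate constructed requests; return (user, resource, allowed, reason) per request."""
    now = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    fresh, stale = now - timedelta(minutes=5), now - timedelta(minutes=40)
    good_dev = Device("lap-01", managed=True, disk_encrypted=True, segment="corp")
    bad_dev = Device("byod-07", managed=False, disk_encrypted=False, segment="corp")
    alice = Principal("alice", "hr-analyst", True, fresh)
    bob = Principal("bob", "engineer", True, fresh)
    carol = Principal("carol", "hr-analyst", False, fresh)      # offboarded, not yet deleted
    alice_stale = Principal("alice", "hr-analyst", True, stale)  # MFA proof too old
    cases = [
        Request(alice, good_dev, "hr-db", now),
        Request(alice, good_dev, "payroll", now),
        Request(bob, good_dev, "hr-db", now),
        Request(carol, good_dev, "hr-db", now),
        Request(alice_stale, good_dev, "hr-db", now),
        Request(bob, bad_dev, "wiki", now),
        Request(bob, good_dev, "wiki", now),
    ]
    return [(r.principal.user, r.resource, *decide(r)) for r in cases]

if __name__ == "__main__":
    for user, resource, allowed, reason in run_demo():
        print(f"{user:6} -> {resource:8} {'ALLOW' if allowed else 'DENY'} ({reason})")
```

Two design points matter more than the specific rules. First, the engine returns the first failing check and never an implicit allow, so adding a new control (a device-posture signal, a data-classification tier) means adding a deny branch, not remembering to gate an allow. Second, disabling an account (`active=False`) is checked on every request, which is what makes prompt offboarding effective: a former employee's still-valid session or cached token is denied the moment the flag flips, and the audit log shows the attempt.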
Yet all of this first needs a plan. Organizations should start small, pinpointing specific issues that need attention.
They should assess legacy investments to determine the areas where zero trust can have the most impact, and then engage key stakeholders by giving them a clear picture of what teams require to be more productive while keeping security in mind.
Leveraging external expertise (professional services or managed security service providers) may help when there’s insufficient knowledge within the organization.