What’s the secret to overcoming common roadblocks when implementing Zero Trust?
The concept of Zero Trust dates back more than a decade, when forward-thinking CIOs realized that digital expansion was making perimeter-based security obsolete. As digital connections with acquisitions, contractors, customers, banks, government agencies, and business partners proliferated, the traditional wall of security surrounding the enterprise became increasingly porous. The global pandemic accelerated trends like remote work and work from home, extending the perimeter to remote locations and people’s homes, making security extremely difficult to manage with traditional perimeter-based technology, identity, and policy frameworks.
As enterprise technologies moved to the cloud and remote worker populations soared, the need for security beyond the traditional perimeter took on greater urgency. In 2010, a Forrester researcher – let’s give John Kindervag his due credit – crafted the term “Zero Trust” to describe a modern framework for enterprise security in a perimeter-less ecosystem. Kindervag made it clear that Zero Trust could not be achieved through a single product or technology. Rather, the framework guided a highly disciplined approach that called for all users, devices, and systems to be authenticated before connecting, then continually verified while accessing networks, systems, and data.
Growing risk drives big talk, but little action on Zero Trust
That was 13 years ago. Since then, we’ve seen cybercrime become an $8T (USD) annual industry, 83% of organizations have suffered a breach, and the average cost of those events has surpassed $4.5M (USD). Analysts warn that cybercrime will surge to even higher levels as hackers increasingly add the power of quantum computing and tools such as phishing-as-a-service and ransomware-as-a-service to their arsenals. Most cyber incidents can be traced back to compromised credentials and to security frameworks that do not plan for cyber resilience – i.e., how to ensure business continuity in case of a breach.
And yet, adoption of Zero Trust principles has been slow due to several factors:
- Fuzzy line of sight to business outcomes: IT and security professionals have been challenged to create a line of sight between Zero Trust implementation and goals for the business.
- Big bang IT project orientation: With limited budgets and a long-term shortage of cybersecurity staff, moving to a strategy where every user, device, system, and application represents a new perimeter can appear daunting – and easy to put off until more time and more resources are available.
- Cyber insurance was sufficient: We’ve seen in some cases the attitude that the risk of a cybersecurity incident is tolerable – and that the cost would be covered by cyber-insurance policies.
Finally, there remains confusion over what Zero Trust is. Technology vendors get some of the blame here, often presenting Zero Trust as a tech re-platform project, rather than an infosecurity paradigm shift, where you can measure and plan your road to maturity.
No more. Today, we’re clearly at an inflection point. In the U.S., the White House has directed federal agencies to adopt Zero Trust principles by 2024. And the release of the latest Cybersecurity & Infrastructure Security Agency (CISA) Zero Trust Maturity Model has moved the concept from buzzword to blueprint, providing that roadmap for addressing the key pillars of a Zero Trust architecture. Version 2 of the model adds an additional maturity level, recognizing the fact that getting to an optimal maturity level is a huge leap for any organization. Enterprises are rapidly engaging as well, with PwC reporting that 36% of CISOs say they’ve already started to implement components of Zero Trust and another 25% plan to start in the next two years.
But achieving maturity will take time; Zero Trust is a journey and an ongoing effort to continuously improve and enforce controls. CISA makes it clear that there is no one solution to get to Zero Trust maturity, and that implementation will take strategic backing, time, and investment. The upside: with each step, a maturity model approach enables improvement to the organization’s risk posture.
Breaking through roadblocks to overcome inertia
Success requires two high-level commitments – with a number of practical steps to support them. The first comes from the board or C-suite. No senior leaders or board members are unaware of the cost and ubiquity of cyberattacks. They get it. IT is the environment for innovation, the conduit for sales, the connectivity to customers, and the engine for market expansion. Boards and CEOs need to invest in digital infrastructure like it’s the core business, not just departmental overhead. Building the business case for that mindset shift requires a dedicated strategy on the part of IT and security leaders.
The second commitment is patience – across the enterprise. Start by evaluating your current state, and from there plan out how you will grow into a Zero Trust posture – rather than simply buying a new tech platform and, inevitably, underdelivering on results. Getting to Zero Trust maturity requires carefully selected and integrated security technologies. But you can’t deploy a new tech stack and say, “Check Zero Trust off the list.” What you can do is work with your team and your partners to make sure the tech meets you at your Zero Trust maturity level. Your IT security teams and business leaders need to be in sync with an evolving framework that gets smarter, more agile, and more secure over time.
These two high-level commitments provide the sustained momentum for change. But building an effective Zero Trust framework requires strategic guidance to funnel that momentum in the right direction. Entrust has helped a number of organizations design, launch, and maintain their frameworks over the past several years. We’ve collected several insights and best practices from those engagements and distilled them into a quick-read ebook titled “Building a Solid Foundation for Your Zero Trust Framework.”