The Office of Management and Budget and the Cybersecurity and Infrastructure Security Agency recently released a request for comments on three new draft guidance documents meant to accelerate zero-trust adoption among government agencies. The documents are part of the Biden administration’s push to improve the nation’s cybersecurity, and are meant to offer a roadmap to sustain a multi-year push towards zero-trust.
Along with the federal government, companies in the private sector are also rolling out zero-trust, with 48% of security leaders admitting they’re prioritizing implementing zero-trust principles as part of their security strategy. With the increased interest comes widespread confusion, especially as organizations around the globe look to speed up zero-trust adoption amid an evolving and growing cyber threat landscape. But before they can begin, they must truly understand the main benefits of zero-trust and its adoption challenges.
Think of zero-trust as a cybersecurity concept, similar to defense-in-depth. In zero-trust, any entity trying to connect to an enterprise resource should be validated for compliance against a set of predetermined attributes before it can connect and stay connected to that resource. In effect, zero-trust considers anybody and anything operating inside or outside the enterprise network as hostile.
Traditional security measures offered implicit trust within the perimeter. Given today’s dynamic threat landscape, enterprises need to assume the threat can come from anywhere and vet every entity accessing enterprise resources. The security paradigm with zero-trust moves from “comply to connect to a network” to “comply to connect and remain connected to a resource.”
The main benefits of zero-trust
Implementing zero-trust comes with immense benefits, some of which include:
- Better visibility: Too many organizations lack visibility and experience blind spots. With zero-trust, organizations and resources are continuously monitored, so security teams know exactly who accesses what and the state of each entity, and vetting takes place continuously.
- Improved security: Since entities are vetted continuously on their privilege to connect and remain connected, any deviation is flagged as non-compliance and the entity is disconnected, ultimately bolstering security across the organization.
- Shared responsibility: In the traditional security environment, the onus of protection has been primarily on IT and security teams, driving up enterprise costs and resource needs. With zero-trust, the employee has the responsibility to ensure they access corporate assets within set parameters.
- Efficient IT management: For effective and efficient security, zero-trust dictates the use of automation capabilities. Organizations can carry out activities and tasks such as evaluating an access request, verifying it against attributes, or implementing a rule through automation. Orchestration of workflows helps drive efficiencies further.
- Extend protection at scale to remote workers: The pandemic has taught us that VPNs are not the most effective when it comes to remote work. Additionally, current security practices do not effectively account for the proliferation of cloud and mobile devices. Zero-trust, when properly implemented, can alleviate these challenges.
- Cost savings: Traditional IT security has been built with a defined enterprise perimeter in mind that has made it very difficult to accommodate new technologies like cloud and mobile. Zero-trust helps simplify security practices without diluting them, and removes many of the burdens IT teams face today with traditional security.
- Reduced attack surface: Since zero-trust focuses on securing enterprise resources and not on an enterprise perimeter, controls are focused on resource-specific access.
Barriers to adoption
A paradigm shift never affects a specific technology alone; it also affects the people, processes, and culture associated with it. Think of zero-trust as an evolution of the security paradigm that can accommodate new trends such as the cloud, mobile devices, and remote work. As the traditional enterprise perimeter disappears, enterprises have to consider external resources that are now part of the enterprise ecosystem. As a result, zero-trust requires continuous monitoring and the ability to bring together relevant data from different sources.
Please don’t think of zero-trust as a single-packaged solution. Instead, view it as essentially rethinking enterprise security and cutting across silos. This requires a holistic approach, including understanding business priorities, critical resources, and attributes that are necessary to protect them. Security teams often get confused about zero-trust when security companies market it as a product rather than as a concept. It's important to understand that the company can't just buy it, implement it, and then walk away. Zero-trust is more about shifting the mindset of the company's security posture overall and instilling it throughout the entire organization.
Just like with any major endeavor, it’s advisable to start small. Understand the outcomes desired, define and implement the solution to achieve such outcomes, and then proceed to the next step.
By taking zero-trust one step and one best practice at a time, organizations can better position their operations to implement the paradigm shift, reaping immense benefits. As the term continues to make waves across the industry, security leaders, and the organization at large, must first understand zero-trust principles. Only through a solid understanding can organizations successfully implement zero-trust. As with anything, education and awareness are paramount.
Ashok Sankar, vice president, product and solutions marketing, ReliaQuest