Enterprises continue to struggle to implement zero trust. Even the 25% of respondents to a CyberRisk Alliance (CRA) survey who have partially or fully implemented zero trust say they have had a hard time getting full buy-in from other departments when it comes to scaling these ideas across the enterprise.
While zero trust does not solve every security problem, most security pros believe it remains a better fit than other security models for today's environment: the shift to cloud services and SaaS applications, the mass migration of the workforce to remote or hybrid work, the unprecedented growth in endpoints, and data sources operating beyond the traditional network perimeter.
The zero-trust framework assumes that an attacker is already inside the network. Trust is never extended by default; it must be earned on every access attempt through continuous verification of the user's identity, the device's posture, and contextual and behavioral signals, followed by an explicit authorization decision for the specific resource requested. Location on the network is not a trust signal: a request from inside the perimeter is evaluated the same way as one from outside. This eliminates the "one-and-done" model, in which a single successful login determined the outcome of every later access attempt for the life of the session.
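To make the contrast concrete, here is an added example (not code from the survey or from any vendor) of a minimal policy decision point in the spirit of NIST SP 800-207, evaluated on every request, beside the perimeter model it replaces. The signal names (device compliance, MFA age, geolocation), the thresholds, and the four sample requests are all constructed assumptions for illustration; a real deployment would feed these from an identity provider, an endpoint management agent and a risk engine.

```python
from dataclasses import dataclass
from datetime import timedelta

# Added illustration of per-request, continuous verification. Signal names,
# thresholds and sample requests are constructed for this example only.

@dataclass(frozen=True)
class AccessRequest:
    subject: str
    resource: str
    sensitivity: str           # "low" or "high" (assumed classification labels)
    session_valid: bool        # a login session exists (all a perimeter model checks)
    on_corp_network: bool      # request originates inside the network (or via VPN)
    device_compliant: bool     # endpoint posture: patched, EDR running, disk encrypted
    since_mfa: timedelta       # time elapsed since the last strong authentication
    country: str               # geolocation of this request
    prev_country: str          # geolocation of the previous request in this session
    since_prev: timedelta      # time elapsed since that previous request

def perimeter_decision(req: AccessRequest) -> str:
    """Legacy model: one successful login from inside the network grants access
    for the life of the session, regardless of later changes in posture."""
    return "allow" if req.session_valid and req.on_corp_network else "deny"

# Assumed policy: how fresh the last strong authentication must be, by sensitivity.
MAX_MFA_AGE = {"low": timedelta(hours=8), "high": timedelta(minutes=15)}

def zero_trust_decision(req: AccessRequest) -> tuple[str, list[str]]:
    """Zero-trust PDP: every request is evaluated on identity, device and context.
    Network location is deliberately not consulted. Returns (decision, reasons)."""
    reasons: list[str] = []
    if not req.session_valid:
        reasons.append("no authenticated session")
    if not req.device_compliant:
        reasons.append("device posture non-compliant")
    # Impossible travel: a different country within an hour of the previous request.
    if req.country != req.prev_country and req.since_prev < timedelta(hours=1):
        reasons.append(f"impossible travel {req.prev_country}->{req.country}")
    if reasons:
        return "deny", reasons
    # Stale strong authentication does not deny outright; it forces re-verification.
    limit = MAX_MFA_AGE[req.sensitivity]
    if req.since_mfa > limit:
        return "step_up", [f"MFA older than {limit} for {req.sensitivity} resource"]
    return "allow", []

# Constructed sample requests.
INSIDER_STALE_DEVICE = AccessRequest(
    subject="alice", resource="hr-db", sensitivity="high",
    session_valid=True, on_corp_network=True, device_compliant=False,
    since_mfa=timedelta(minutes=5), country="US", prev_country="US",
    since_prev=timedelta(minutes=2))
REMOTE_HEALTHY = AccessRequest(
    subject="bob", resource="wiki", sensitivity="low",
    session_valid=True, on_corp_network=False, device_compliant=True,
    since_mfa=timedelta(hours=1), country="DE", prev_country="DE",
    since_prev=timedelta(minutes=10))
INSIDER_STALE_MFA = AccessRequest(
    subject="carol", resource="payroll", sensitivity="high",
    session_valid=True, on_corp_network=True, device_compliant=True,
    since_mfa=timedelta(hours=3), country="US", prev_country="US",
    since_prev=timedelta(minutes=30))
HIJACKED_SESSION = AccessRequest(   # stolen session token replayed over the VPN
    subject="dave", resource="wiki", sensitivity="low",
    session_valid=True, on_corp_network=True, device_compliant=True,
    since_mfa=timedelta(minutes=1), country="BR", prev_country="US",
    since_prev=timedelta(minutes=4))

def compare(req: AccessRequest) -> dict:
    """Side-by-side outcome of both models for one request."""
    decision, why = zero_trust_decision(req)
    return {"perimeter": perimeter_decision(req), "zero_trust": decision, "reasons": why}

if __name__ == "__main__":
    for r in (INSIDER_STALE_DEVICE, REMOTE_HEALTHY, INSIDER_STALE_MFA, HIJACKED_SESSION):
        print(r.subject, r.resource, compare(r))
```

The two models disagree in both directions: the perimeter model waves through the insider with a non-compliant device and the replayed session, while denying the healthy remote worker; the zero-trust decision does the opposite, and turns a stale MFA on a sensitive resource into a step-up challenge rather than a hard deny, which is what keeps continuous verification tolerable for users.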
Here are three highlights from the CRA zero-trust survey:
- Industry pros understand the need for zero trust. At least 4 in 10 respondents say they are actively pursuing zero trust, either with a defined strategy or with an implementation already under way.
- Nearly everyone expects major challenges ahead. Nearly two-thirds of future adopters believe implementing zero trust will be moderately difficult, and some 30% say it will be very difficult.
- Organizations are focused on data and cloud security. Sixty-nine percent say their zero-trust efforts are focused on data security, while 51% say their organization's priority is cloud security.
The vast majority of respondents understand that zero trust will require strategically reassessing how to secure the entire infrastructure to address challenges of remote or hybrid offices, multi-cloud environments, identity and authentication, and rapidly expanding endpoints.
As part of the research, CRA offered four recommendations on how enterprises can organize themselves to manage the transition to zero trust:
- Survey all assets and resources. In bringing zero trust to a company, organizations need full visibility into all assets, identities, data flows, and workflows. Without this, the organization can’t determine whether to revise or create new processes or policies under the zero-trust framework. Once these many assets are accounted for, the organization can continuously monitor them to see how changes in policy affect these assets.
- Create zero-trust pilot programs. Pilot programs let users experience zero-trust principles and learn from their mistakes without the pressure of being forced to adopt zero trust all at once. By giving different teams a glimpse of how their access rights and responsibilities might change under a zero-trust framework, organizations can collect the user feedback needed to plan a full implementation.
- Look for applications with minimal friction. Going zero trust does not mean discarding everything the organization built before. Look for areas where the team can apply zero trust with minimal disruption to personnel and workflows. Once those practices become ingrained, it becomes easier to tackle the more critical applications.
- Seek out the experts. Many steps and processes fall under a zero-trust implementation. To stay the course, CRA advises organizations to draw on bodies that have contributed to zero-trust scholarship. NIST SP 800-207, Zero Trust Architecture, published in 2020, still stands as the reference document for understanding the requirements, challenges and nuances of implementing zero trust. Other federal bodies, such as NSA and CISA, have also published their own guidance and recommendations.
Respondents told CRA that it is difficult to find candidates with zero-trust skills, and that setting up training programs to develop those skills in-house has also been challenging. Companies understand that they have to move in this direction, and most have started. The industry has a challenging path ahead, but with the threat landscape as active as it is, there is little choice but to continue the journey.