While the value and importance of zero trust network access (ZTNA) today can hardly be overstated, there are numerous accounts of failed attempts at achieving it, particularly in small and medium businesses. Zero trust has a deserved reputation for being difficult both to initiate and to maintain. The premise or promise makes perfect sense, but the practice has become unfeasible for many.
A new look at zero trust shows that it does not necessarily have to be complicated. In fact, zero trust can be incorporated into familiar existing security solutions rather than implemented as separate solutions or something completely new and difficult to master.
Three factors often mean the difference between zero trust being successful or unsuccessful, and, surprisingly, they are not arcane technical details, but rather principles of management.
Easing the path to zero trust
The first factor is overall complexity. It is often noted that complexity is the enemy of security. Overly complex and difficult solutions and policies make security unusable and promote workarounds that circumvent the solution or practice. The old Post-It note with passwords stuck to the side of an employee’s monitor, a way of coping with stringent password policies, used to be a good example of this.
From a solution or architecture standpoint, incorporating zero trust into an existing solution, as long as it serves the requirements, helps to reduce complexity. Eliminating the need for yet another system or tool to install, maintain and keep current with various changes lightens staff workloads and removes one more thing to deal with. Extending an existing, familiar system to provide zero trust is far preferable.
Some security suites or platforms are or will be incorporating full-service zero trust. Managed cybersecurity services may also bundle zero trust with their offerings. Even modern VPNs for small and medium businesses have incorporated or will be incorporating a relatively easy way to achieve a zero trust posture.
Accommodating modern realities
The second factor is lack of suitability for the realities of today’s cloud-everything, primarily distributed organizations. If a zero trust architecture needs components to be deployed on networks fully under one’s control, or is based on traditional on-premises networks and data centers, it will probably undermine the success of a rollout. If SaaS applications, the use of public cloud for data and resources and the prevalence of a mostly or fully remote workforce cannot be fully accommodated, the zero trust solution is destined for failure.
Web3 and metaverse technologies must also be accommodated if zero trust is to be successful. Gartner, in conjunction with its Gartner IT Symposium/Xpo 2022, projected that “Through 2027, fully virtual workspaces will account for 30% of the investment growth by enterprises in metaverse technologies and will ‘reimagine’ the office experience.”
Failure may be a problem of “you can’t get there from here” that prevents necessary work or information flow from occurring. It also may be one of instituting too much complexity that thwarts or limits employees’ natural work styles.
A recent Verizon Mobile Security Index report showed that 66% of employees expect that they will have to sacrifice security for speed to meet business or job requirements. Another 79% said that they have already had to make such a trade-off to meet a deadline or objective. This means that for zero trust to be successful, it cannot impede work efficiency and speed. It must fit existing work styles, workflows and expectations.
Thwarting the unknown unknowns
The third factor is the failure to address both intentional and unintentional threats. Zero trust is not simply about access or proven identity and authorization in the traditional sense. Those aspects are certainly crucial, but other things contribute to achieving zero trust. It must thwart malicious actions but also ones that are completely accidental. The ability to assign or utilize fixed IP addresses, for instance, helps ensure greater certainty of both the user and the resource they are trying to access.
Another aspect might be the way that an encrypted tunnel — either as a VPN or a part of the communication between an application, such as email or a CRM, and a user — begins and terminates. Gaps could cause vulnerabilities that attackers could target to circumvent zero trust protections.
Still another aspect might be the need for an automated way to perform a status check on the user’s access device to ensure that it meets the required standards for security.
Zero trust failure is not an option
In addition to the above three factors, success or failure may hinge on clarity and understanding of things like the complete attack surface of one’s organization or the collaboration patterns of employees and departments. The zero trust architecture may not correctly recognize existing data flows or business processes. Not being able to both protect and facilitate such things will always mean failure.
But failure of zero trust is hardly an option an organization can afford. With data breaches continuing to escalate and penalties for compliance violations rising and reaching levels that are material to companies, most agree that zero trust is a necessity.
Certainly, failure of a zero trust project would put it in good company with other IT failures. According to Smart Insights, 63% of all CRM initiatives fail, 70% of marketing automation projects fail and 84% of business transformation efforts fail. Still, zero trust does not have to be another inevitable tragedy. By rethinking how it can be achieved and incorporated within existing systems, infrastructure, work styles and anticipated future changes, you can greatly improve zero trust’s potential for success.
Michael Cizek is managing director at Global Automation and Identification Group.