Interest in zero-trust security has heightened significantly over the past two years among organizations looking for better ways to control access to enterprise data in cloud and on-premises environments for remote workers, contractors and third parties.
Several factors are driving the trend, including increasingly sophisticated threats, accelerated cloud adoption and a broad shift to remote and hybrid work environments because of the pandemic. Many organizations have discovered that traditional security models where everything inside the perimeter is implicitly trusted, does not work in environments where perimeters don’t exist and enterprise data and the people accessing it are increasingly distributed and decentralized.
A Biden Administration Executive Order in May 2021 that requires federal agencies to implement zero-trust security has heightened interest across the board. In a survey of 362 security leaders that Forrester Research conducted last year on behalf of Illumio, two-thirds of the respondents said their organizations planned to increase zero-trust budgets in 2022. More than half (52%) expected their zero-trust program would deliver significant, organization-wide benefits and 50% said it would enable safer cloud migrations.
Cybersecurity vendors, sensing a big opportunity, have rushed to market an array of products labeled as zero-trust technologies. An informal survey that analyst firm IT-Harvest conducted of websites belonging to some 2,800 vendors showed 238 of them featuring zero-trust prominently. “After the White House and CISA issued guidance to switch to a zero-trust approach, everyone wants to align with the concept,” says Richard Stiennon, chief research analyst at IT-Harvest.
The hype around these technologies has caused considerable confusion, prompting Forrester Research, the analyst firm which first introduced the concept, to clarify its definition for modern zero-trust earlier this year. “Fake news propagated by security vendors about Zero Trust caused confusion for security pros,” Forrester said. “Zero Trust is an information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices.”
Here are five mistakes organizations need to avoid when implementing a zero-trust security strategy:
1. Assuming Zero-Trust is all about ZTNA
Implementing zero-trust network access (ZTNA) is critical to achieving zero-trust. But ZTNA alone is not zero-trust.
ZTNA is an approach for ensuring that remote employees, contractors, business partners and others have secure, adaptive policy-based access to enterprise applications, and data. With ZTNA, users are granted access on a least-privileged basis, based on their identity, role and real-time information about their device security status, location, and a variety of other risk factors.
Every access request to an enterprise application, data, or service, is vetted against these risk criteria and access is granted only to the specific resource requested and not the underlying network.
Over the past two years, many organizations have implemented or begun implementing ZTNA as a remote-access replacement for VPNs. The sudden shift to a more distributed work environment because of the pandemic overwhelmed VPN infrastructures at many organizations and forced them to look for more scalable alternatives.
“A major use case driving ZTNA is VPN augmentation or replacement, itself driven by a heretofore unseen scale of remote work,” says Daniel Kennedy, an analyst with 451 Research, a part of S&P Global Market Intelligence.
VPNs historically were about providing access to a corporate network rather than specific resources, which these days could be hosted anywhere. Backhauling traffic through a VPN and then back out to resources hosted outside of a corporate network is applying an unneeded step, Kennedy says. “ZTNA provides access on a more granular level and revalidates that access instead of only providing an authentication gate at the start of access.”
But ZTNA is only part of the zero-trust story. An organization can’t credibly say they have implemented zero trust without having implemented either—or preferably both—privileged identity management and micro-segmentation, says David Holmes an analyst at Forrester Research.
Forrester defines micro-segmentation as an approach for reducing the impact of a data breach by isolating sensitive data and systems, putting them into protected network segments and then limiting user access to those protected segments with strong identity management and governance.
The goal is to minimize attack-surface and limit fallout from a breach. Key to zero-trust is ensuring that users, including those with privileged access to admin functions, don’t get more access to apps and data that they need, Forrester says.
2. Confusing zero-trust with a product
There are many tools and products that can help organizations implement a zero-trust strategy. But don’t confuse them for the strategy itself.
“A zero-trust philosophy is basically no longer extending implicit trust to applications, devices, or users based on their source,” says Kennedy. Instead, it is about implementing a default deny/least privilege approach to access with a continuous assessment of risk that can change based on factors like user or entity behavior for example, he says.
When considering technologies for implementing the strategy, ignore the labels and look for products with capabilities that tie back to the fundamental principles of zero-trust as originally defined.
“Terms evolve, of course, as this one has,” Kennedy says. “But they do come with connotations. So, associations with product approaches must be rooted in some realistic connection to the philosophy outlined.” This means having technologies that support key zero-trust principles such as micro-segmentation, software defined perimeter and device integrity.
“The biggest disconnect I see that is causing unmet expectations is confusing a zero- trust strategy or philosophy with a specific product implementation,” Kennedy says.
3. Assuming you can achieve zero-trust without basic security hygiene
Deploying the right tools alone is not enough if you don’t pay attention to the fundamentals, says John Pescatore, director of emerging security trends at the SANS Institute.
“On the operations side, the big mistake is thinking you can achieve zero-trust without first achieving basic security hygiene,” he says. “If you can’t trust endpoints to be configured securely and kept patched; if you can’t trust identities because reusable passwords are in use; and if you can’t trust software because it hasn’t been tested, then achieving zero trust benefits is impossible,” Pescatore says.
Tools can help with the technological aspect of zero-trust security. But even with them, there’s a lot of brainwork that cannot be avoided, says Forrester’s Holmes. “For example, an organization still needs a cogent approach to data classification, and someone needs to audit employee and third-party privileges,” Holmes says. “Both are non-trivial, and usually manual, tasks.”
IT-Harvest’s Stiennon says a good approach for organizations to take is to first identity and review areas within the IT infrastructure where protection is based on some form of trust. For instance, it could be an employment agreement when an organization trusts users to abide by its policies. Or it could be a contract or service level agreement with a cloud provider regarding how they would (or would not) use the organization’s data.
“Once you have identified those gaps start filling them in with technical controls,” he says “You could monitor employees to see if they are complying with policy and certainly should be encrypting your data in the cloud so you do not have to depend on a provider’s good behavior,” Stiennon says.
4. Having poorly defined user access policies
A zero-trust approach can help organizations enforce adaptive, policy-based access control to enterprises resources that considers a variety of real-time risk factors, such as device security, location and type of resource being requested. When implemented correctly, the approach ensures that users only have access to the specific resource they request, and in a least-privileged fashion.
To do that effectively, security and IT administrators need to have a clear understanding of who needs access to what, says Patrick Tiquet, vice president of security and architecture at Keeper Security. That means enumerating all possible user roles and then assigning them based on job requirements and roles.
“Zero-trust is really a simple concept: users are granted access to resources required to perform their job function and are not granted access to resources that are not required,” Tiquet says.
For example, he points to a shared network drive that everyone in a 10-employee company might have access to. The drive contains sales, HR, accounting, and customer information which everyone in the company can access regardless of role. “There is a high amount of risk of unauthorized access, loss of data, theft of data, and unauthorized disclosure,” he says. “Properly applying zero-trust in this situation would restrict access, but not impact productivity, while drastically reducing risk to the company.”
Tiquet says it’s best to stick with well-defined access roles initially and then assign or unassign new access roles to individual users as needed.
5. Neglecting the user experience
Zero trust models have a big impact on end-users, so don’t neglect the user experience. “Authentication and access affect nearly all employees, so missteps are costly for CISO’s,” says Kennedy from the 451 Group.
When zero-trust initiatives are rushed without adequately preparing users for change, employee productivity can be impacted. A botched initiative or one that impacts users negatively can also have a bearing on the credibility of the whole effort.
“The steps to success are well worn,” Kennedy says. “Establish a desired end state for your zero-trust strategy, and methodically implement the different pieces with vendor partners,” he says. Plan, executive and test carefully to ensure that any extra steps being required of users enable commensurate security benefits, he says.