In today’s digital landscape, cyberattacks are becoming more sophisticated and complex, making it increasingly difficult for organizations to defend against them. Traditional security approaches that rely on defending the perimeter are no longer enough to protect sensitive data and critical systems. This is where the zero-trust security model comes in.
Zero trust, which emphasizes the principle of “never trust, always verify,” has a number of advantages. It can:
- significantly improve an organization’s security posture by reducing the risk of data breaches caused by insider threats, phishing attacks, or other sophisticated cyber threats
- enhance network visibility
- streamline access controls
- enable organizations to respond quickly to security incidents and prevent them from escalating
- allow employees to access the resources they need without unnecessary security barriers through use of identity and access management tools
Despite what some overzealous salespeople may try to get us to believe, zero trust is not a product that can be bought, a service that can be installed, or a server to put in a rack. Yes, you’ll probably need to buy some products or services to help you deploy the rich identity and access management (IAM) required by a zero trust architecture, but you should be leery of any vendor that tries to sell you zero trust “in a box.” Remember, it is a security framework that requires continuous adaptation and improvement to stay effective.
As such, we should think of zero trust not as a destination, but as a journey. Zero trust is a new way to think about the data, users, and devices on our network. It is a perpetual process of vigilance and distrust towards all elements within our IT environment. At times, the zero-trust journey may seem like a trip down endless and meandering roads. Think of our analysis today as a GPS to make your travel smoother.
How the Journey Starts
A good way to start your journey is with five key measures that condense the phased deployment approach described in the National Institute of Standards and Technology (NIST) Special Publication 800-207 (which walks through identifying actors, assets, and key processes, formulating policies, selecting candidate solutions, and then deploying and monitoring):
- Develop a zero-trust architecture: This involves creating a blueprint of the organization’s information technology (IT) infrastructure and identifying all assets, network connections, and users.
- Identify and classify assets: Building on step 1, organizations identify and categorize all digital assets based on their sensitivity level. This step allows for better control over access to critical data.
- Create access policies: Access policies define who can access what resources based on the user’s identity, device, and location. This step is crucial as we shift from the perimeter defense model to a system that can make access determinations on the fly.
- Monitor activity and implement analytics: Organizations must continually monitor their network for suspicious activity to detect and respond to threats in real time. They must also use analytics to surface anomalies, such as an identity that is repeatedly denied access, that signature-based controls would miss.
- Respond to incidents: The ability to respond quickly and efficiently to security incidents is critical in mitigating the impact of an attack. Organizations must have an incident response plan and regularly test it to ensure effectiveness.
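The five measures above are easier to reason about when you can see how a single request is decided. The following is an added example, not code from the article or from NIST: a minimal policy decision point that combines an asset inventory with classifications (step 2), an access policy evaluated per request against identity, device posture, and network location (step 3), and an audit trail with a simple anomaly check (step 4) that would feed incident response (step 5). The asset names, role grants, and sample requests are constructed for illustration, and network location is treated as a signal that can trigger step-up authentication but never as a grant on its own.

```python
"""Added example (not from the article): a minimal zero-trust policy decision
point. Every request is evaluated against identity, device posture, network
location and asset classification, and the default outcome is deny."""
from collections import Counter
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Set, Tuple


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Step 2: the asset inventory, each entry classified (constructed sample data).
ASSETS: Dict[str, Sensitivity] = {
    "wiki": Sensitivity.INTERNAL,
    "crm": Sensitivity.CONFIDENTIAL,
    "payroll-db": Sensitivity.RESTRICTED,
}

# Which roles are entitled to which asset at all (constructed sample data).
ROLE_GRANTS: Dict[str, Set[str]] = {
    "wiki": {"employee", "contractor"},
    "crm": {"sales", "support"},
    "payroll-db": {"hr", "finance"},
}


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    mfa: bool             # the session completed a second factor
    device_managed: bool  # enrolled in MDM, disk encrypted
    device_patched: bool  # OS and agent within the patch SLA
    network: str          # "corp", "vpn" or "internet": a signal, never a grant
    asset: str


# Step 4: every decision is recorded so it can be monitored.
AUDIT: List[dict] = []


def decide(req: Request) -> Tuple[str, str]:
    """Step 3: evaluate one request. Returns (decision, reason), where decision
    is 'allow', 'step_up' (re-authenticate with MFA) or 'deny'. Checks are
    ordered from cheapest to most context-dependent; anything unmatched is denied."""
    level = ASSETS.get(req.asset)
    if level is None:
        outcome = ("deny", "asset not in inventory")
    elif not (req.roles & ROLE_GRANTS.get(req.asset, set())):
        outcome = ("deny", "role not entitled to asset")
    elif level >= Sensitivity.CONFIDENTIAL and not req.device_managed:
        outcome = ("deny", "unmanaged device")
    elif level >= Sensitivity.RESTRICTED and not req.device_patched:
        outcome = ("deny", "device out of patch compliance")
    elif not req.mfa and (level >= Sensitivity.CONFIDENTIAL or req.network == "internet"):
        outcome = ("step_up", "MFA required")
    else:
        outcome = ("allow", "policy satisfied")
    AUDIT.append({"user": req.user, "asset": req.asset,
                  "decision": outcome[0], "reason": outcome[1]})
    return outcome


def suspicious_users(audit: List[dict], threshold: int = 3) -> Set[str]:
    """Step 4: flag any identity with `threshold` or more denials. A crude
    anomaly signal, but enough to hand an analyst something to investigate."""
    denies = Counter(e["user"] for e in audit if e["decision"] == "deny")
    return {user for user, n in denies.items() if n >= threshold}


if __name__ == "__main__":
    # Constructed sample requests: a normal HR user, an employee from home,
    # and a contractor probing assets they are not entitled to.
    samples = [
        Request("ann", frozenset({"hr"}), True, True, True, "corp", "payroll-db"),
        Request("bob", frozenset({"employee"}), False, False, False, "internet", "wiki"),
        Request("eve", frozenset({"contractor"}), True, True, True, "vpn", "payroll-db"),
        Request("eve", frozenset({"contractor"}), True, True, True, "vpn", "crm"),
        Request("eve", frozenset({"contractor"}), True, True, True, "vpn", "hr-files"),
    ]
    for r in samples:
        print(r.user, r.asset, decide(r))
    print("flagged:", suspicious_users(AUDIT))
```

Two design points are worth noticing. An asset that is missing from the inventory is unreachable, which is what makes step 2 a control rather than paperwork; and the device and MFA checks are applied per request, so a session that was fine an hour ago is re-evaluated when it asks for a more sensitive asset or arrives from a different network.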
NIST is widely known and trusted for developing cybersecurity guidelines and best practices, but it is not the only game in town. Each of the following frameworks offers a unique perspective on implementing a zero-trust security model and can be tailored to meet an organization’s specific needs:
- Forrester Zero Trust: This framework is based on Forrester’s Zero Trust eXtended (ZTX) model and includes seven pillars: network security, data security, workload security, device security, people security, visibility and analytics, and, finally, automation and orchestration.
- Google’s BeyondCorp: Google’s zero-trust framework is based on its own internal security model, BeyondCorp, which emphasizes user identity and device management as the primary components of its security architecture.
- Microsoft Zero Trust: Microsoft’s zero-trust model is built on three stated principles, verify explicitly, use least-privilege access, and assume breach, and focuses on strong identity authentication and strict access control across its identity, device, and cloud products.
- The Cloud Security Alliance (CSA): The CSA provides a framework for implementing zero trust in cloud environments, which includes defining access policies based on user identity, device trustworthiness, and data sensitivity.
Government agencies will probably lean towards NIST, while organizations with a mature cloud-based environment may choose CSA. If your organization uses Microsoft technology extensively, you may lean towards its framework, but if you are steeped in Google Cloud Platform (GCP), you may follow the BeyondCorp model. You can even draw on individual elements from the various frameworks and create a hybrid. Ultimately, the key to successfully implementing zero trust is choosing a framework that aligns with your organization’s security goals and provides a clear path to achieving them.
Obstacles in the Zero Trust Journey
No journey comes without obstacles. While the gains from implementing zero trust are clear, the journey to achieving it is not without challenges. Resistance to change, gaps in visibility, and complex integration work are just some of the obstacles you may face on the way to zero trust. Here are my recommendations on how to respond to each of them:
Obstacle 1: Resistance to Change
Employees who are accustomed to more traditional security models and approaches may push back. They may resist new security policies or access controls that may seem restrictive or time-consuming. People are afraid of becoming irrelevant, and your IAM team may be terrified that zero trust will leave them in the dust. They may react by holding on for dear life to the old way of doing things.
To overcome resistance, organizations must effectively communicate the benefits of zero trust and provide employees with the necessary training to understand the new security framework.
Obstacle 2: Achieving Comprehensive Visibility
A zero-trust model requires organizations to have a clear understanding of their entire information technology (IT) infrastructure, including all assets, devices, and users. Achieving comprehensive visibility can be difficult, particularly in large organizations with complex IT environments, and a policy engine can only protect what it knows about: an asset missing from the inventory cannot be classified, so no access policy can be written for it.
To overcome this roadblock, organizations may need to invest in security orchestration and automation tools that can integrate multiple security products into a unified platform. These tools can help provide comprehensive visibility into the network and continuous monitoring for suspicious activity, enabling security teams to quickly detect and respond to threats.
Obstacle 3: Integration Challenges
Many organizations have a variety of security tools and platforms in place, and integrating them into a cohesive zero-trust model can be complicated. Organizations may need to invest in new tools or technologies to bridge gaps in their security framework and ensure that all systems are integrated and working together effectively.
Sectors including healthcare and finance often rely on legacy applications. To integrate legacy applications and systems into a zero-trust architecture, you may need to implement additional security controls to mitigate the vulnerabilities or risks they carry. This could involve deploying network segmentation technologies, implementing more granular access control policies, fronting an application that cannot speak modern authentication protocols with an identity-aware proxy that enforces the policy on its behalf, or using virtualization technologies to isolate legacy systems from the rest of the network.
Overcoming these challenges requires a deep understanding of the organization’s security landscape, a commitment to continuous improvement, and a willingness to invest in the necessary technologies and personnel. By successfully navigating these roadblocks, organizations can find themselves in the fast lane to successfully implementing zero trust.
Closing Thoughts
With zero trust, you will significantly improve your security, but you will never be able to plant your flag atop zero trust mountain and celebrate victory. A successful zero-trust deployment requires a comprehensive understanding of the organization’s security landscape, an analysis of risks, and a commitment to continuous improvement. While challenges exist, a zero-trust model will remain a critical framework for mitigating cyber risks and protecting critical data and systems as threats evolve.