
Succeeding with Zero Trust


Ryan McConechy at Barrier Networks explains how to overcome the common pitfalls organisations encounter when adopting Zero Trust

 

As cyber-crime continues to intensify against all industries, many of today’s forward-thinking organisations have turned to Zero Trust to limit their exposure to attack.

 

Zero Trust flips the traditional ‘trust but verify’ ethos on its head. Instead, nothing in the digital infrastructure is trusted inherently and all employees, applications and devices are given the minimum number of privileges required to perform their jobs.

 

This offers many security benefits to organisations, not only minimising the blast radius of attacks, but also limiting the chances of criminals exploiting a user or vulnerable device, then escalating their privileges to travel across the network before executing ransomware or performing a data breach.

 

However, because Zero Trust is a relatively new security concept, many organisations encounter problems with their adoption.

 

Zero Trust is not a ‘set and forget’ security approach; it’s not a product that can be switched on or off. Instead, it’s a journey that can take many months and it must be managed continuously. The ultimate goal is for Zero Trust to become embedded in an organisation, where policies can be efficiently applied as a business grows through people and technology. 

 

So, what are the most common mistakes organisations make on their journey to Zero Trust, and how can they be avoided? 

 

1. Fail to prepare, prepare to fail

The biggest hurdle organisations encounter with their Zero Trust deployments is a failure to prepare properly. This leads to surprises along the way or a lack of budget to execute the entire project effectively.

 

Having a well-defined strategy before adopting Zero Trust is essential. This includes deciding what needs to be brought into the scope of Zero Trust, setting out deployment milestones, allocating the correct budgets for the project, and planning the execution. Zero Trust Architecture can’t be achieved overnight; it is a methodology that takes time to fully develop and mature.

 

2. You can’t protect what you can’t see

Visibility is an essential element of Zero Trust as security teams must be able to see all assets on the network for it to function properly. 

 

A lack of visibility is a common pitfall organisations encounter when migrating to Zero Trust, and it can seriously impact their adoption as it could lead to blind spots that could be exploited by adversaries. 

 

On the journey to Zero Trust, organisations must ensure they have visibility of all devices, users and applications running on the network so they can set a baseline for acceptable behaviour. 

 

From a user perspective, this involves understanding who users are, where they are logging in from, at what time of day they are logging in, what they are accessing, and what devices they use to access the corporate network. From a device standpoint, this means understanding what devices do, what they are connected to and what is classified as acceptable behaviour for each device. From an application perspective, this involves understanding what components should communicate with each other and what protocols are common to these communication pathways.

 

If organisations don’t carry out this analysis before Zero Trust is adopted, this can impact employee productivity, which can, in the worst cases, lead to executive decisions to cancel the project entirely.

 

This is something which must be avoided.

 

3. Disparate vendors can lead to gaps

Another key challenge organisations can encounter is adopting solutions in their Zero Trust project which don’t integrate well. This can lead to gaps, or create problems that cause the adoption to stall or fail.

 

Organisations must assess solutions in the planning stages of their Zero Trust journey to ensure all the products integrate properly and don’t lead to gaps.

 

4. Complacency leads to breaches 

Another critical risk organisations must work to avoid is a failure to test their Zero Trust adoption. If organisations don’t test the policies they establish, those policies could be misconfigured, which could lead to breaches.

 

Organisations must test by trying to circumvent their Zero Trust policies, and every attempt must fail. Employees should never have a way to bypass Zero Trust; when adopted correctly, it is imposed on users and is never something they can decline to use.

 

When organisations don’t run this testing, their complacency could lead to breaches. 
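
The testing described in this section can be kept as a repeatable check. The following is an added example, not code from the article or from Barrier Networks: a default-deny evaluator over a hypothetical rule format, run against constructed circumvention attempts that must all be denied and legitimate requests that must still pass. The rule format, roles and hostnames are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Hypothetical rule format: every field must match for a request to be allowed.
STRICT = [
    {"role": "finance", "managed": True, "dst": "erp.internal", "port": 443},
    {"role": "engineer", "managed": True, "dst": "git.internal", "port": 22},
]
# Same policy plus a leftover rollout rule with wildcards: a misconfiguration.
LOOSE = STRICT + [{"role": "*", "managed": None, "dst": "*.internal", "port": 443}]

def allowed(policy, req):
    """Default deny: a request passes only if one rule matches every field."""
    for rule in policy:
        if (fnmatchcase(req["role"], rule["role"])
                and (rule["managed"] is None or req["managed"] == rule["managed"])
                and fnmatchcase(req["dst"], rule["dst"])
                and req["port"] == rule["port"]):
            return True
    return False

# Constructed test cases. MUST_FAIL holds circumvention attempts; MUST_PASS is
# the baseline of legitimate work that the policy must not break.
MUST_FAIL = [
    ("unmanaged device", {"role": "finance", "managed": False, "dst": "erp.internal", "port": 443}),
    ("wrong role", {"role": "engineer", "managed": True, "dst": "erp.internal", "port": 443}),
    ("lateral movement", {"role": "finance", "managed": True, "dst": "git.internal", "port": 22}),
    ("unexpected port", {"role": "finance", "managed": True, "dst": "erp.internal", "port": 3389}),
]
MUST_PASS = [
    ("finance to ERP", {"role": "finance", "managed": True, "dst": "erp.internal", "port": 443}),
    ("engineer to git", {"role": "engineer", "managed": True, "dst": "git.internal", "port": 22}),
]

def audit(policy):
    """Return (bypasses, breakages): attempts wrongly allowed, work wrongly denied."""
    bypasses = [name for name, req in MUST_FAIL if allowed(policy, req)]
    breakages = [name for name, req in MUST_PASS if not allowed(policy, req)]
    return bypasses, breakages

if __name__ == "__main__":
    for label, policy in (("loose", LOOSE), ("strict", STRICT)):
        print(label, audit(policy))
```

Running the audit after every policy change shows both failure modes at once: a bypass that should have been denied, and legitimate work that the policy has started to block.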

 

5. Zero Trust should become a standard business process  

Zero Trust shouldn’t cause lots of disruptions to the efficient running of a business. 

 

In the adoption stages, organisations will encounter problems; they will never get it perfect the first time around. But any necessary policy tweaks should be made quickly, without seriously impacting employee productivity.

 

The end goal of any Zero Trust project is for it to become engrained in the business. When new users come on board or new systems are introduced, the organisation should eventually come to a place where it can easily and quickly apply Zero Trust policies, either because they have done it before or because they already have templates or policies that they can reuse. 

 

It should become a standard business practice that is routine for the security team while going largely unnoticed by employees.

 

Organisations can use AI tools to support this, where the technology automates Zero Trust policies on users and devices as they are onboarded.

 

Zero Trust offers many benefits to organisations, but adoption takes time. Planning is critical, and when organisations do this well, they are more likely to succeed with their projects, allowing them to reap the full benefits Zero Trust offers.

 


 

Ryan McConechy is CTO of Barrier Networks 

 

Main image courtesy of iRockPhoto.com


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543