Organizations are facing challenging times when it comes to securing their corporate assets, systems, networks and data. Digital transformation, the proliferation of location-agnostic technologies and immense data generation have created uncontrolled remote environments and a fragmented enterprise ecosystem, rendering legacy security policies and practices based on trust obsolete. Trust is now a risk.
For Zero Trust security, the solution to the trust crisis is to “never trust, always verify”. However, Zero Trust is not another technology; rather, it is a journey. Businesses need to overcome many barriers to achieve Zero Trust. How can they change existing policies without meeting resistance, and without introducing too much complexity and disrupting workflow efficiency?
We asked leading information security professionals about the biggest challenges organizations face during their journey to Zero Trust security. Here is what they told us.
Fareedah Shaheed, CEO and Founder, Sekuva
“While the Zero Trust Model is usually referencing the technology, your co-workers play a big role in its success. Because of this, one of the biggest challenges is maintaining awareness and vigilance while people are working remotely. When people are at home, there is a different level of awareness than when they’re at work. Many are distracted by the change in the environment and they may not maintain the same security habits they used to exhibit in a physical workspace. This higher likelihood of mistakes presents a unique challenge to achieving the Zero Trust Model.”
Jenny Radcliffe, People Hacker & Social Engineer
“One of the challenges of a Zero Trust program is people's resistance to change. We are usually unhappy when anything we are used to previously having is suddenly becoming unavailable to us, even if we never actively used it. People resist ‘losing’ anything, both psychologically and technically, so we shouldn’t underestimate how quickly users learn to ‘hack’ the new system, or find ways to get around the limits of the program. Key to mitigating this is explaining why moving to a Zero Trust model has been adopted, so that the changes don't seem to be imposed for no reason. Success includes having staff on board, and key to that is making them a proactive part of the process.”
Michael Ball, Virtual Chief Information Security Officer, TeamCISO
“The biggest challenges to achieving Zero Trust I’ve seen to date are visibility of access, and understanding the value, criticality, and location of corporate data. Knowing who is on the network at any point in time, the context of their access, and whether their connectivity to corporate assets is appropriate to their role is a significant challenge.”
Tazin Khan Norelius, Founder, Cyber Collective
“Zero Trust has always been relevant, but given our current circumstances, it has now forced organizations to look at security outside of the traditional network perimeter. The biggest challenge is that full workforces are now operating from uncontrolled environments and most organizations were not prepared for this shift. Unfortunately, there isn't a magic tool that will be able to "fix" the issue, because you're operating on unpredictability: human behavior.
“An organization's employees that were once protected under a company network are now working from home, with or without proper VPNs, segmented networks, and possibly with unsecured devices, so your mitigation and incident response strategy now includes elements outside of your traditional scope.”
BJ Gardner, Lead Systems Architect, PLM Insurance Co.
“Although my current employer has not yet adopted a Zero Trust security model, this is certainly a direction we are looking to move to further strengthen our remote workforce security. There are two major considerations for us: enhanced authentication security, and user workflow efficiency.
“In the case of user efficiency, now with a full remote workflow for user authentication, all devices are authenticating over an enterprise VPN client. Although this VPN infrastructure is efficient and current on its platform and software revision, it’s still a traditional security model and does not account for proper efficiency for cloud apps. Utilizing a VPN model also creates the scenario where users must add another credential set to their running list of usernames and passwords to remember. Moving to a Zero Trust architecture would help with this model if set up in a single sign-on, VPN-less architecture.
“Zero Trust will create enhanced security for all devices, mainly limiting connectivity to an enterprise application by device. Utilizing an enterprise MFA solution, married with an enterprise endpoint management platform, creates a multi-faceted approach to authentication into the systems. Another advantage will be the ability to bring mobile devices into the security model, as well as true device management capabilities.”
Justin Sherman, Tech Policy and Geopolitics Expert
“As the language of nationalism pervades our public discourse around technologies and their vulnerabilities, framing business security and supply chain security decisions in the language of trust is more important than ever. In an age of ever-evolving threats to digital technologies, as well as their globally complex and interconnected supply chains, Zero Trust can help business operators and decision-makers alike work to protect security.”
Didier Hugot, VP Technology and Innovation, Thales
“Zero Trust security is strongly related to the cloud and digital transformation trend which has been happening in the industry over recent years. This is seen in electronic messages, employee and customer data, and documents, all of which are no longer stored and processed only within the trusted perimeter of the enterprise, but outsourced to a wide range of third party providers.
“This new paradigm creates a large fragmentation in the enterprise’s ecosystem, which makes it very difficult to have a global visibility on where sensitive assets reside. It makes it even harder knowing that these data are transiting through different types of personal devices which are not necessarily under the control of the enterprise.
“Regaining this global visibility is a must, in order to enable consistent security policies across the enterprise.”
Haider Iqbal, Business Development Director, Thales
“One of the biggest challenges is inertia – organizations are so accustomed to and invested in the perimeter-based security model that it becomes a mental barrier to cross. Take the example of the forced work-from-home regime, and how most organizations have dealt with it – by buying more VPN infrastructure! Organizations that were still pondering over their Zero Trust journey or questioning if it’s merely a buzzword were caught off-guard and had to bear drastic productivity losses. Call it inertia, culture, or ignorance; the repercussions are now obvious.
“The other big challenge is not understanding that achieving Zero Trust is an ongoing journey that has multiple steps. Though there are some foundational technology capabilities that are a must, organizations tend to equate Zero Trust to implementing a single capability. There is no silver bullet that will make an organization achieve Zero Trust. This leads the CISO/CIO either into rush decisions or conversely into an analysis-paralysis phase, leading to unfavourable outcomes or no outcomes at all! This lack of understanding, partly attributed to the security vendors’ sales pitches, is a big inhibitor for enterprises’ Zero Trust journey.”
Jihana Barrett, CEO & Founder, CybrSuite
“As it stands, too many networks and applications run on an “assumed trust” system. Assumed trust leads to hackers moving laterally within a network with ease once they have access. With the Zero Trust model, all of that assumed trust is no longer an issue.
“One of the challenges with implementing the Zero Trust model comes from the employees. The ease of accessing applications and services on the network won’t be as simple as it once was. In this new model, employees will also have to contend with the restrictions that come with a “need to know” access policy, training, and implementation.
“In addition to the challenges created with employees, there are also challenges associated with integrating newer technology into legacy systems and poor configurations, potentially creating new access vectors for malicious hackers.”
Anders Lemke, Platform Architect and Lead Engineer, Zetland
“The biggest challenges when it comes to achieving Zero Trust are exactly the same as the challenges of all other IT development projects. Always remember that unnecessary complexity kills. Similarly, if the domain experts are not available to collaborate on the effort, you have a more difficult path to success. Respect the people using the system, or the change will create an environment of frustration.
“Although, while the challenges are the same, the stakes are way higher. When molding the two pillars of Zero Trust, authentication and authorization, you are meddling with the core of the user experience. Coming from the frictionless castle-and-moat model, where once you were inside the moat, everything flowed freely, moving to Zero Trust, where devices and people must identify themselves all the time, the user experience potentially suffers. This will erode the trust of the users, giving Zero Trust a whole new meaning.”
Stephane Nappo, Vice President Global Chief Information Security Officer
“Driven by de-escalation of often unmanageable security, we ought to rethink the model from one of ‘cross border filtering security’, to the ‘transversal mastering of security in an open world’ with Zero Trust Security.
“A ‘trusted zone’ is often a ‘security blind spot’, and not a defence tactic. The ‘blind trust by default’ is a subjective concept, and a proven advantage for adversaries. This ‘blind’ traditional concept is being challenged by the ever-increasing complexity of technologies and massification of their interconnections, the digital transformation of online businesses and open enterprise, and the unpredictability and escalating sophistication of cyber threats.
“A Zero Trust security model is much more than an IT concept or architecture. The Zero Trust approach is a new paradigm, an attitude, a philosophy. It is the way to rethink a prudent and convenient security of an open digital world, relying on fast evolving business models.”
If you would like to discover what other professionals have said and what advice they give to overcome these challenges, read our How Can You Trust an Untrusted Environment eBook.