The information technology landscape is evolving at a feverish pace. New technology is paving way for new ways of working. The pervasive nature of connectivity, especially, has redefined how employees work – employees increasingly dictate where they want to work from, which device they want to work on, and which tools they want to use that best enhance their productivity. The cloud, especially SaaS applications, has given birth to a new breed of IT.
The past year has fuelled this trend, as companies have been forced to improve their remote work capabilities. Remote work has risen exponentially over the past year. Some see this as a catalyst for the so-called digital transformation. But behind the scenes, this emergence of often untrusted devices (BYOD) and an increased adoption of unsanctioned applications (a trend called “Shadow IT”) has led to security nightmares for IT departments.
Legacy security tools that relied on a perimeter-based security approach have shown how inadequate they are in addressing this influx of remote work and Shadow IT. The Zero Trust concept, though coming of age, has never been more relevant. Based on the notion of “never trust, always verify”, Zero Trust has given enterprises some guiding principles to build a new security stack that is better suited for the modern-day organization.
The path to a Zero Trust posture is not linear, and the tall claims by security vendors often cloud the decision-making. We have asked leading information security professionals what the challenges are for organizations to achieve Zero Trust. Here is what they told us.
Ambler T. Jackson, Senior Privacy Subject Matter Expert
One of the biggest challenges to achieving Zero Trust is readiness. Implementing a Zero Trust security model is more important now than ever due to the increased need for employees to work from home as a result of the COVID-19 pandemic. Companies have the incredible challenge of understanding and responding, not only to more modern cyberattacks, but also to a more complex threat landscape – one that includes more mobile employees than ever before. Depending on the maturity of the company’s security program, Zero Trust readiness may be viewed as much more overwhelming than prior to the pandemic.
Technologies that support Zero Trust are advancing, and companies are working hard to bring a variety of solutions to the market, which increases a company’s options. Choosing the appropriate strategy and the best technology to meet the particular needs of the organization requires the right leadership, meticulous planning, time, and resources. It’s about much more than just a change in mindset or a cultural shift.
Angus Macrae, Head of Cyber Security
One of the biggest challenges is likely to be, how you actually make the transition to a Zero Trust model whilst still having to maintain investment from your previous IT security tools and architectures, which were likely built around more perimeter-based models. For most organizations, the move to Zero Trust is more likely to be an evolution than a revolution or a single-point-in-time achievement. It requires a fundamental change in mindset. However, from a non-technological perspective, it becomes more vital than ever that an organization and its IT department genuinely understand the assets it is trying to protect.
Sarah Clarke, Data Protection & Security GRC, Infospectives
When I became aware of Zero Trust as a term, then as a concept, I struggled to work out the value-add. I've always flagged surrounding context as the essential ingredient when assessing risk, but I've also had the luxury of working in bigger firms with budget to look up from firefighting to do that. The lion’s share of risk is inside your perimeter, and out in the unguarded wild.
Arguably, the biggest challenge is that people are prone to accidents and intentional or coerced friction-smoothing misuse, while connecting through, or working on various devices. Primarily, you need a useful way to rate relative risk across resources, assets, and locations. Then you can prioritize deeper assessment, monitoring, and control. However, that’s dependent on how much of the tech stack you can actually change. How hard can we lock down layered and interconnected clouds, mobile devices, and the ever-multiplying black-box ‘things’ sharing nearest internet connections?
Ross Moore, Cyber Security Support Analyst
Perhaps the biggest challenge is getting authorization from corporate leadership. Like any other large project, it gets approved based on business numbers and confidence. Prior to full approval, it can be done piecemeal. An obstacle in receiving resources for the project is the large resource cost. The cost is spread out across multiple business domains, including time, technology, infrastructure, and skilled personnel to manage all of the aspects. The lack of a single-source or one-time solution makes the process complicated, though not impossible. While some of these costs, such as multi-factor authentication (MFA) or endpoint detection and response (EDR), could reasonably be demonstrated to have a business return on investment (ROI), other aspects may be tougher to quantify. Take it a step at a time by looking at your Zero Trust roadmap and picking the items that have an easily demonstrated Return on Investment (ROI), and those that have the largest leverage.
Christopher Budd, Consultant, Writer
Zero Trust has always been relevant, but we’re now reaching the point where its necessity is meeting or exceeding its relevance. The reason for that, is that changes in the composition of networks have unveiled the illusion that “networks” can be trusted.
Starting with moves towards BYOD, which introduced uncontrolled devices into perimeter networks and now culminating in the sudden, widespread adoption of work-at-home because of COVID, we’re seeing that network composition can’t be trusted, so Zero Trust is necessary. The thing is, we should always have been viewing our networks through a Zero Trust prism because that’s the only way to be sure.
Christine Izuakor, CEO at Cyber Pop-up
The obvious concern today in this remote era is that people and data are all over the place, with porous geographical boundaries. It's in your employee’s living room. It's in their basement. It's in the coffee shop. It's in the personal iPad that someone is sharing with their child for school assignments. It's all dramatically opening up the risk landscape.
This was already a challenge before, but it's been bolstered by the current remote work uptick. Remote work is a good thing for the future of business and the way that we work, but it requires meticulous management of access to organizational resources in order to control the cybersecurity risk that comes along with it. The question really becomes: with all of this data and movement, and this change in environment, who can you trust? That's where the concept of “never trust, always verify” or “Zero Trust” becomes critical.
Haroon Malik, Cyber Security Director (EMEA), 6Clicks
In theory, "trusting nothing and verifying everything" should provide a simple solution for cybersecurity. In practice, however, Zero Trust brings a host of complications and new challenges, especially as there is now an increasingly distributed and remote workforce using devices ranging from IOT, mobile, and robotics. Some of the main challenges include legacy systems and applications that are generally hard to reconfigure or redesign to fulfil the micro-segmentation requirements of Zero Trust.
Zero Trust Out-of-The-Box does not exist – it is not a product. It is typically a time-consuming and expensive programme that needs to be built from the ground-up to fit each individual organisation’s needs. The key challenge is mapping the flows of sensitive and critical data, identifying who needs to have access to it, and what approach can be used to secure it. This can be a hugely complicated exercise involving multiple stakeholders.
Randy Skopecek, Solutions Architect, PLM Insurance Co.
Three things come to mind to achieving Zero Trust: Corporate Support, Risk Awareness, and Ability to Execute. Absent these, you will end up fighting your own employees, let alone customers, which will waste almost all your time. Being aware of the risks that need to be addressed can be very broad, especially depending on your company’s business. Having an inventory and continually adding to it is important when you realize more and more of your risk profile scope. Finally, having the competence to execute is critical. Size-up whether you can address one of the risk objectives, or if you need help. Help can simply be guidance, but not implementation, to keep costs manageable. Then again, don’t overstretch and instead compromise your infrastructure.
Chris Hudson, Security Architect, Tripwire
I have seen two key challenges that organizations struggle with when getting started with Zero Trust - getting application tooling to support Zero Trust initiatives, and pitching the new controls to the rest of the business. For the first challenge, it's important to consider what aspects of your existing implementation can be used to power Zero Trust processes, and that may require thinking not just about classic security tools (such as antivirus, firewall logs, and similar tools). The other consideration is how line-of-business applications handle authentication and access controls to effectively validate "trust per transaction" rather than just "security at the threshold".
Some organizations may find it difficult to frame Zero Trust as a practical option, with many companies believing that it's on the wrong side of the "security versus ease of use" scale. Fortunately, this concern can be easily addressed with a CISO who is prepared to talk about the mechanisms behind a Zero Trust approach in an understandable way.
Gabriel Whalen, Manager Information Security Solutions, CDW
As someone whose information security career started in the intelligence community, I can appreciate Zero Trust programmatically as a way we should be securing anything we particularly care about. In that same context, I would caution the principal of Zero Trust needs to be applied beyond technical means. Human resources, training, and building a culture of security adherence is the last line of defence and perhaps the most important.
If you would like to discover what the experts have said and what advice they give to overcome these challenges and achieve Zero Trust security, read our eBook here.