Start to trust Zero Trust

by Mark Rowe

My career has involved spending a lot of time making the case for the Zero Trust cybersecurity methodology, writes John Linford, Security & OTTF Forum Director, The Open Group.

It is an idea which has been hotly debated during its meteoric rise, thanks in no small part to its seemingly paradoxical nature. Security, once, could safely be assumed to be an effort which seeks to establish trust, to verify identity, to guarantee safety – not something which seemingly accepts the impossibility of those goals.

That background means that early engagements with the idea of Zero Trust, from security professionals in organizations and the security vendors who supply them alike, were often fascinatingly and productively combative as we explored the implications of turning that traditional enterprise ideology of security on its head.

The very reason the idea received so much attention is also why ‘true’ adoption of it has been slower than many would like. Typically, cybersecurity innovations and initiatives consist of new tools, better data sources, strengthened hardware designs, and other shifts which can effectively be plugged into existing systems with some greater or lesser degree of adjustment and configuration.

Zero Trust is different: rather than just sitting on top of what came before it, it calls for reworking of how security thinks and operates within an organization. That kind of shift requires a long road to travel for an individual security professional, never mind the inertia and complexity that a whole enterprise represents. As such, and even though the merit of Zero Trust thinking is now widely recognised, the conversation about putting it into practice is far from over.

Pitfalls

Today, that conversation has moved into a new phase. The question at the forefront now is not ‘what is it’, or even ‘how do we do it’, but ‘how do we get it right’. Cybersecurity professionals, both by nature and by training, are cautious operators, and it is understandable that an unspoken rule of ‘look before you leap’ is widely held.

That means that ‘what if’ questions about potential pitfalls come easily to the cybersecurity community; it is valuable to be able to ask questions around what might happen if a cloud security vendor itself suffers a breach, or an access tool is misconfigured, or an employee with security credentials is blackmailed.

Sure enough, with Zero Trust, there are important pitfalls that teams need to be aware of early in their journey.

For example, the need to re-verify identities means that the user experience of a Zero Trust environment can feel, at first, shockingly disruptive to users who are very familiar with traditional approaches. If users aren’t brought into this new approach deliberately, they’ll try to get around new requirements, so it is crucial to educate users about the changes and the benefits that come with them.

The bottom-up nature of transforming to a Zero Trust-based security posture means that the process of reworking and re-implementing essential tools can be an expensive, extensive endeavour, and cannot be left half-done. This isn’t to say that existing tools and systems need to be entirely replaced; in fact, many existing tools and systems will and should continue, but they need to be supplemented by new tools and systems and should be replaced with better options where feasible.

All of that change also goes hand-in-hand with behaviour change: while security leaders might well be ready for the challenge of upskilling and reeducating security and IT staff, the labor involved in bringing the wider organization on-side with the new way of working can quickly spiral and cannot be left half done.

Pitfalls like these can be highlighted, learned from, and planned for. They mean that any Zero Trust initiative needs to be strategically planned as a long-term engagement – a journey, not a destination – which sees user engagement and education as being just as important as technical implementation, and which has full, enthusiastic buy-in from the most senior level in order to see the job through.

Starting from the bottom

And yet, even though there are key tips which can be shared which will help to shepherd Zero Trust projects towards successful outcomes, we should hesitate to see them as the full answer to the question of how enterprises can get Zero Trust right.

The reason for that is, again, that Zero Trust is unlike most other security innovations. While it is a good habit to search for risks before moving forward with changes, doing so can also develop a false sense of security: too often, teams can become so confident in the answers to issues they are aware of that they become complacent about the risk from issues nobody foresaw.

This simple fact sits at the heart of what we should see as ‘true’ Zero Trust thinking. Indeed, the Zero Trust Commandments advocate that we should “assume failure and assume success” – which is to say, we are safest when we know breaches will occur (and prepare accordingly) and most resilient when we believe that any breach can be recovered from (and prepare accordingly).

Where security teams are looking to Zero Trust for their next evolutionary step towards a stronger security posture, the best advice is not to apply the most rigorous version of the planning and fact-finding processes they already know how to do, but to take a step back and question everything about how those processes operate in the first place, in light of Zero Trust thinking.

If that sounds like a tall order, the good news is that nobody has to do this alone or from scratch. Resources like the Zero Trust Commandments and NIST SP 800-207 exist to set a solid baseline from which to work. They cannot promise to make Zero Trust projects fast or easy, but, informed by years of hard-won experience and debate, they represent the best route to getting Zero Trust right.

© 2024 Professional Security Magazine. All rights reserved.