With cyber security incidents so prevalent, the findings of a recent EY survey are impossible to ignore.
A recent Ernst & Young (EY) report revealed that in the past 12 months, 81% of organizations experienced an average of 25 cybersecurity incidents. Furthermore, 53% of the surveyed cyber leaders concur that in today’s digital environment, a secure perimeter is non-existent.
Given this stark reality presented and the pressing need to address gaping vulnerabilities, advanced security models like Zero Trust have emerged to address the security weaknesses of a data-driven, cloud-based world.
Zero Trust abandons the perimeter-based security approach in favour of the continuous verification of users, devices, and networks.
While this model has major advantages, it is not a bullet-proof solution. Let’s discuss where common weaknesses lie and how to overcome them.
What is a Zero Trust Model?
The basic idea of Zero Trust is to trust no one, inside or outside of the network. It assumes everyone is an actual or potential attacker and adopts an ongoing authentication process of credentials and behaviour.
Zero Trust policy doesn’t just apply to users, but extends to devices, data, networks, and workloads. Anything that attempts to access assets or resources must undergo a verification process that continuously monitors user activity.
To fully grasp the concept of Zero Trust, let’s compare it to its predecessor.
The older model envisioned a perimeter around an organization built of firewalls and security technologies. The organization was a castle, and its security perimeter was the moat. Once a user gained entry, they could access almost everything inside.
While the perimeter model made sense for decades, cloud computing and remote work demanded a rethink. If users and their devices were scattered across the country, and data was in servers around the world, where was the castle?
A presenter at the 2004 Jericho Forum planted the first seeds of a new idea. Paul Simmonds coined the term “deperimeterization,” recognizing that categories beyond “employees” and “non-employees” existed.
Several years later, John Kindervag of Forrester Research proposed the concept of “Zero Trust.” He pointed out the weakness of the perimeter approach: its assumption that every individual and device inside the perimeter was trustworthy. Anyone who gained access—legitimately or illegitimately—had full access to everything by virtue of that initial entry.
Zero Trust eliminated the notion of a perimeter entirely. With no “edge” to defend, it requires trust to be confirmed every time users, devices, or applications seek access to systems, networks, or resources.
Zero Trust rests on a few basic principles:
- Strong user authentication - The use of multi-factor authentication (MFA) or biometrics, and identity and access management (IAM) software.
- Principle of least privilege - There is no such thing as full access; authorizations are narrow according to needs and roles.
- Data segmentation - It’s unsafe to keep all resources in one storage area for anyone to access upon gaining entry; with Zero Trust, data is tagged according to different security levels and access is limited accordingly.
- Continuous monitoring - All systems, resources, and users undergo ongoing verification with user and entity behavior analytics (UEBA).
When activated by processes and technologies, these principles embody the motto of Zero Trust: “Never trust, always verify.”
Where are the Limitations in Zero Trust Architecture?
While Zero Trust is conceptually a strong model, translating that level of “mistrust” into everyday business processes can be an uphill battle. Here’s where most security professionals run into difficulty with Zero Trust implementation:
- Complexity: To set up Zero Trust architecture, organizations need to have a complete picture of their data and workflows. Every single resource and endpoint needs identifying, access control, and monitoring.
The challenge today is that organizational data is everywhere. It resides within third party cloud services, flows through supplier networks, and passes through payment provider systems. Employees use their own devices on site and remotely, adding more endpoints beyond the organization’s control. Mapping these connections takes time, technology, and personnel.
- Cost: It takes resources to implement Zero Trust—including the initial setup and ongoing maintenance. Pilot projects and process improvements before implementation can also be costly. Training employees about Zero Trust policy takes time, and the process needs repeating whenever people are onboarded or switch roles. After implementation comes monitoring. Software upkeep, managed services, and expert personnel can be expensive.
- Operational Challenges: Continuous verification can interrupt workflows and slow down processes. Employees need access to systems and assets to perform their duties. Obstacles and delays can reduce productivity and lead to other downstream impacts.
- Compatibility Issues: Not all systems and applications are compatible with Zero Trust principles. Legacy technology can be especially difficult to adapt since access permissions often rely on static rules. In contrast, Zero Trust uses dynamic, conditional rules that take various factors into account—who’s asking for access, where they are, and what device they’re using.
- Employee Resistance: Employees can find it hard to adapt to Zero Trust. Because access is related to job role, it can be frustrating for employees to be denied access when their duties have fuzzy boundaries or change frequently.
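To make the four principles listed earlier concrete, and to show the contrast between a legacy static rule and the dynamic, conditional rules described under compatibility issues, here is an added example (not from the original article) of a toy policy evaluator. Roles, resource tags, risk ceilings and the UEBA-style risk score are all constructed assumptions.

```python
from dataclasses import dataclass, replace

# Constructed sample policy data (hypothetical roles, resources and tags).
ROLE_GRANTS = {
    "finance_analyst": {("ledger", "read")},
    "finance_admin": {("ledger", "read"), ("ledger", "write"), ("payroll", "read")},
}
RESOURCE_TAG = {"ledger": "confidential", "payroll": "restricted", "wiki": "internal"}
# Assumed risk ceiling per data tag; the score (0-100) is assumed to come from a UEBA feed.
RISK_CEILING = {"internal": 80, "confidential": 50, "restricted": 30}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_passed: bool
    device_managed: bool
    resource: str
    action: str
    risk_score: int


def perimeter_decision(inside_network: bool) -> bool:
    """Legacy static rule: being inside the network boundary is the only check."""
    return inside_network


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Check one request against each Zero Trust principle; return (allow, reason)."""
    if not req.mfa_passed:
        return False, "strong authentication: MFA not satisfied"
    if (req.resource, req.action) not in ROLE_GRANTS.get(req.role, set()):
        return False, "least privilege: role has no grant for this action"
    tag = RESOURCE_TAG.get(req.resource, "restricted")  # unknown data is treated as most sensitive
    if tag != "internal" and not req.device_managed:
        return False, f"segmentation: {tag} data requires a managed device"
    if req.risk_score > RISK_CEILING[tag]:
        return False, f"continuous monitoring: risk {req.risk_score} exceeds {RISK_CEILING[tag]} for {tag} data"
    return True, "allow"


def reevaluate_session(req: Request, observed_scores: list[int]) -> list[bool]:
    """Continuous verification: re-run the decision each time the risk signal changes mid-session."""
    return [zero_trust_decision(replace(req, risk_score=s))[0] for s in observed_scores]


if __name__ == "__main__":
    analyst = Request("alice", "finance_analyst", True, True, "ledger", "read", 10)
    print(zero_trust_decision(analyst))
    print(reevaluate_session(analyst, [10, 40, 60]))  # access withdrawn once risk passes the ceiling
```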
Overcoming the Weaknesses of Zero Trust
Implementing Zero Trust the right way takes time and expertise. Some of these drawbacks emerge from moving too fast, not taking the time to plan, or moving ahead with insufficient training. The following best practices can help establish a strong foundation and overcome the limitations of Zero Trust.
- Adopt a phased implementation: Don't overhaul everything to Zero Trust at once. Manage complexity by implementing in stages, especially if legacy systems are involved. Start with one component to ensure continuity, then add more capabilities over time.
- Don’t skip budgeting and ROI analysis: Weigh the long-term benefits of moving to Zero Trust against available funding. Even if your cost analysis shows insufficient ROI on shifting to Zero Trust, be aware of the risk of sticking with perimeter-based security. Consider a phased approach to start moving toward Zero Trust piece by piece.
- Use integration tools: Use tools or software that can bridge the gap between legacy systems and the Zero Trust model.
- Conduct regular employee training: Switching to a new security model can be disruptive and confusing for your staff. Implement a training program that clearly communicates to employees why you’ve put Zero Trust in place. To get employees up to speed, make training sessions relevant and brief and include examples and testing.
- Run internal PR campaigns: Even with excellent training, employees sometimes develop workarounds that present security risks. Build a culture of Zero Trust with reminders and messaging that reinforce how Zero Trust protects employees and the organization.
Make Zero Trust Work for Your Organization
Business operations today are fast becoming more digitized, cloud-based, and connected, not less. Zero Trust has its challenges and limitations, but reverting to a perimeter model is not an option. Zero Trust is indispensable for addressing today’s cyber security threats. But to work well it needs to be carefully thought out, planned, and implemented with buy-in across the organization.
Are you confident your employees feel secure with your Zero Trust program? Download our research report, created in collaboration with IPSOS research, to discover what employees think about cyber security awareness and start building a cyber aware culture across your organization.