10 Ways to Avoid Zero-Trust Failure
Here are the prerequisites to have in order before getting past the zero-trust gate.
September 20, 2021
Dark Reading
As cybercriminals run roughshod over enterprise environments using tried-and-true methods of credential theft, privilege escalation, and lateral movement across networks to find the high-value targets, zero-trust security principles look better by the day. Zero trust assumes no user is trusted and every point of access requires authorization. Zero trust takes the principle of least privilege to the next level by continuously validating users, devices, and services and only giving minimal access to what they need at any given time based on the risk profile of whatever it is they are touching.
It sounds simple, but it is exceedingly complex to pull off successfully. The good news is that there is a growing body of security professionals who have learned hard lessons on the do’s and don’ts of zero-trust implementations. Here’s what they say newbies need to know before they even get out of the gate in order to avoid failure or delays in their transition to zero trust.
Without enthusiastic buy-in from executive leaders and other important stakeholders, zero-trust initiatives tend to fizzle out before they ever gain any kind of meaningful momentum. Just like any major change management initiative, some of the most important prerequisites for zero trust are completely nontechnical, says Matt Klein, cybersecurity executive adviser at cybersecurity consultancy Coalfire.
“It is critical to obtain buy-in from executive leadership, to understand business goals, to tie zero-trust milestones to business outcomes and to communicate, communicate, communicate,” Klein says. “It is also important to understand that the zero-trust journey in most cases will take years, not days or months, and to set expectations with stakeholders accordingly.”
Part of that communication and engagement process will be in helping both technical and business leaders undergo a mindset shift and discard obsolete thinking about security. This is a crucial first step in the zero-trust journey, says Jessica Onorati, senior security engineer at Automox.
“The place to start is by resetting the organization’s mindset and viewing corporate infrastructure from a different perspective. Banish terms like ‘trusted network.’ Assume every endpoint and user you have could be a potential breach point,” Onorati says. “I recommend starting in an environment that has used methodologies like ‘trusted network’ access and ‘private networks’ and completing a threat map assessment of what could be in jeopardy if an internal asset became breached.”
Anyone who has successfully started a zero-trust initiative will tell you that the asset discovery process is a must before you can even begin planning strategy or architecture. Without a thorough inventory of assets, an organization will struggle to understand what needs to be authenticated, authorized, and evaluated for risk, says Michael Rogers, director of technical advisory services at Moxfive.
“A complete inventory and assessment of data and assets is key to any zero-trust initiative. After all, an organization must be aware of what devices and information exist on their network to protect it,” Rogers says. “When taking on these tasks, you are assessing the attack surface, so determining where critical data and critical assets live while designating overall risk enables you to prioritize where you want to implement the zero-trust model first.”
In complex enterprises, data classification is an equally important next step after asset discovery. According to Keatron Evans, principal security researcher at Infosec Institute and a consultant for KM Cyber Security, improper or insufficient classification of data inevitably leads to improper segmentation and risk prioritization of data, which often causes zero-trust initiatives to fail.
“You have to do asset discovery before you can adequately do data classification and valuation. Then you have to do both those things before you can even start to put together the proper information to perform a risk assessment,” he says. “Thanks to the maturity of the practice of risk management, some of these required operations are already in place and are a part of many enterprises' overall security and risk management programs.”
Identity governance and modernized access management are the absolute bedrock for implementing zero-trust principles in any kind of meaningful fashion. Organizations need bulletproof mechanisms for verifying accounts; authorizing user access; authenticating users, devices, and services; and sanely managing all the identity stores, tokens, and platforms that make this happen. Identity is a must-have to safeguard information assets through zero trust, says John Petrie, deputy to the global CISO at NTT Group.
“Every zero-trust framework must include ‘identity’ as a cornerstone, and it is the most important area that you need to control for zero trust to work,” Petrie says. “Review the security technologies already being used and where appropriate harmonize the same technologies into single solutions.”
Inventorying assets and classifying data lays the foundation for a more ongoing ingredient required for zero-trust success. In order to architect a zero-trust ecosystem, organizations need visibility into how all the puzzle pieces are actually being used and interacted with, says Christopher Kuhl, CISO and CTO at Dayton Children’s Hospital.
“Visibility of what is happening on your network and with your assets is crucial to building out zero-trust architecture,” Kuhl says. “Security practitioners need the ability to see the flow of pre- and post-zero-trust traffic to make sure the right users are accessing the right resources.”
Zero trust takes the long-lived concept of network segmentation to another level by creating much smaller boundaries around the network, sometimes down to the asset or even workload levels. Dubbed microsegmentation, this tighter definition of risk boundaries allows the organization to establish more targeted policies and access conditions based on what’s in play at any given time. Not only does this require the aforementioned prerequisites like asset inventories, classification, and ongoing visibility, it also means the organization should already have the basics of traditional segmentation down pat, says Chris Yates, principal security architect for CriticalStart.
“Many organizations have not even done the hard work of segmentation within their internal networks, which is a prerequisite to zero trust. Without a proper segmentation strategy, zero trust is very difficult to implement,” Yates says. “You don't start a zero-trust journey by buying a zero-trust product or portfolio of technology. It starts with rethinking — or validating — current architecture and design to determine if further segmentation and controls are necessary.”
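The article describes zero trust as per-request validation of users, devices, and services with access scoped to the asset's risk profile, and microsegmentation as explicit policy boundaries down to the asset or workload. The following is an added example, not code from the article or from any of the quoted organizations, that shows how those ideas fit together in a small policy decision point: a constructed asset inventory with data classifications, explicit segmentation rules (everything else is denied), assurance requirements that scale with classification, and a dry-run function that evaluates observed access flows in monitor-only mode so the traffic that would be cut off is visible before enforcement. All asset names, groups, posture levels, and flow records are constructed for the example; note that the request's network location is carried but never consulted.

```python
"""
Added example: a minimal zero-trust policy decision point.
Every request is evaluated on its own merits; there is no 'trusted network'.
All assets, groups, rules and sample flows are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed asset inventory with data classification. In the article's
# terms this is the output of asset discovery plus data classification.
ASSETS = {
    "wiki":       {"classification": "internal",     "owner_group": "staff"},
    "payroll-db": {"classification": "restricted",   "owner_group": "finance"},
    "pii-store":  {"classification": "confidential", "owner_group": "hr"},
}

# Minimum assurance per classification. mfa: 0 = password only, 1 = OTP,
# 2 = phishing-resistant. device_posture: 0 = unmanaged, 1 = managed,
# 2 = managed + disk encrypted + patched. These thresholds are assumptions.
REQUIREMENTS = {
    "internal":     {"mfa": 1, "device_posture": 1},
    "confidential": {"mfa": 2, "device_posture": 2},
    "restricted":   {"mfa": 2, "device_posture": 2},
}

# Microsegmentation rules: (group, asset) -> permitted actions.
# Any (group, asset, action) not listed is denied, wherever the request comes from.
SEGMENT_RULES = {
    ("staff",   "wiki"):       {"read"},
    ("hr",      "wiki"):       {"read", "write"},
    ("hr",      "pii-store"):  {"read"},
    ("finance", "payroll-db"): {"read", "write"},
}


@dataclass
class Request:
    user: str
    groups: set
    mfa_level: int
    device_posture: int
    asset: str
    action: str
    on_corp_network: bool = False  # carried for realism; deliberately ignored


def device_posture_score(managed: bool, encrypted: bool, patched: bool) -> int:
    """Collapse raw device signals into the posture levels used in REQUIREMENTS."""
    if not managed:
        return 0
    return 2 if (encrypted and patched) else 1


def decide(req: Request) -> tuple:
    """Return (allowed, reason). Default deny: every check must pass."""
    asset = ASSETS.get(req.asset)
    if asset is None:
        return False, "unknown asset: not in inventory"

    # 1. Segmentation: an explicit rule must grant this action to one of the caller's groups.
    permitted = set()
    for group in req.groups:
        permitted |= SEGMENT_RULES.get((group, req.asset), set())
    if req.action not in permitted:
        return False, f"no segmentation rule grants '{req.action}' on {req.asset}"

    # 2. Assurance proportional to the asset's classification.
    need = REQUIREMENTS[asset["classification"]]
    if req.mfa_level < need["mfa"]:
        return False, f"mfa level {req.mfa_level} below required {need['mfa']}"
    if req.device_posture < need["device_posture"]:
        return False, f"device posture {req.device_posture} below required {need['device_posture']}"

    # req.on_corp_network never influences the outcome: location is not trust.
    return True, "allowed: explicit rule, adequate mfa and device posture"


# Constructed flow records, as a visibility tool might export them:
# who reached what, with which assurance. Used to dry-run the policy.
FLOW_SAMPLE = [
    Request("alice", {"staff"},   1, 1, "wiki",       "read"),
    Request("bob",   {"staff"},   0, 0, "payroll-db", "read", on_corp_network=True),
    Request("carol", {"finance"}, 2, 2, "payroll-db", "write"),
]


def dry_run(flows) -> list:
    """Monitor-only evaluation: return the observed flows that would be denied."""
    denied = []
    for flow in flows:
        allowed, reason = decide(flow)
        if not allowed:
            denied.append((flow.user, flow.asset, flow.action, reason))
    return denied


if __name__ == "__main__":
    for entry in dry_run(FLOW_SAMPLE):
        print("would deny:", entry)
```

Running the dry run over the sample flows reports only bob's access to payroll-db from the corporate network: he has no segmentation rule for that asset, and being on the internal network does not help. That pre-enforcement view is the kind of visibility the article says practitioners need before turning policies on.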
Executive buy-in may be what gets a security organization the resources and cultural mandate it needs to carry out a zero-trust transformation over time, but without winning over the hearts and minds of the users, success may still be in peril. This is why zero-trust leaders need to account for user experience (UX) right out of the gate, and they should also be ready to explain how and why temporary early disruptions will improve their workflows, says Steve Williams, enterprise CISO at NTT Data Services.
“[Organizations need to] ensure people feel included and educated rather than becoming frustrated and going rogue,” Williams says. “Zero trust has not only increased our security, but it has also improved user experience. Who doesn't want the end of passwords? It has also allowed for secure remote work, enabling our workforce to be adequately supported.”
Zero-trust implementations take time — a lot of time. These rollouts are measured in years rather than months, but fortunately reaping the benefits of zero trust doesn’t have to be an all-or-nothing affair, says Glen Pendley, deputy CTO at Tenable.
“I view zero trust similar to someone trying to get stronger in the gym or lose weight. It takes time,” Pendley says. “Set short-term, achievable goals and continue to work toward the big picture over time. Whatever you do, don't boil the ocean.”
With so many prerequisites to even get started building out a zero-trust architecture, it’s clear that organizations must keep a lot of plates spinning to do this right. Not only does it require buy-in and a long runway of resources from management, it also takes sweeping vision from security and technology leadership, who must come up with an evolving blueprint to keep things on track and in line with the business. Strategic planning is fundamental to zero-trust success, says Torsten Staab, CTO for Cyber Protection Solutions at Raytheon Intelligence & Space.
“Implementing zero trust across an entire enterprise and at multiple levels requires a significant amount of planning, resources, and coordination,” Staab says. “For large organizations with complex, distributed IT infrastructures, a comprehensive rollout of zero-trust security can easily take five to 10 years. Organizations typically fail with their zero-trust adoption efforts due to the lack of a well-defined zero-trust strategy, management support, or the lack of a realistic, phased implementation plan.”