Experts say don’t be fooled by vendor hype; remember about user experience and basic security hygiene. And these are just some of the mistakes that must be avoided when implementing zero-Trust in your company.
Interest in zero trust security has increased significantly over the past two years. This was particularly true among organizations looking for better ways to control access to corporate data in the cloud and on-premises for remote workers, contractors, and third parties.
However, several other factors are driving the trend. Among the main ones are:
- Increasingly sophisticated threats.
- Accelerated cloud adoption.
- A broad shift to remote and hybrid work environments because of the pandemic.
With all this, many organizations have found that traditional security models, where everything within the perimeter is implicitly trusted, only work in environments where perimeters exist.
And as corporate data and the people who access it are increasingly distributed and decentralized, new forms of protection must be considered.
An Executive Order from the Biden Administration in May 2021 that requires federal agencies to implement zero trust security has raised interest across industries.
In a survey of 362 security leaders that Forrester Research conducted last year on behalf of Illumio, two-thirds of respondents said their organizations planned to increase zero trust budgets in 2022.
However, more than half (52%) expected that their zero-trust program would benefit their organization significantly, and 50% said it would enable more secure cloud migrations.
Beware of Labels:
So, sensing a huge opportunity, cybersecurity vendors rushed to market a range of products labeled as zero-trust technologies.
An informal survey that analytics firm IT-Harvest conducted of websites belonging to some 2,800 vendors showed that 238 prominently had zero Trust.
“After the White House and CISA issued guidance to move to a zero-trust approach, everyone wants to align with the concept,” says Richard Stiennon, chief research analyst at IT-Harvest.”
However, the hype surrounding these technologies has caused considerable confusion. This, in turn, led to Forrester Research. Earlier this year, this analytics firm introduced the concept to clarify its definition of modern zero Trust.
“Fake news propagated by security vendors about Zero Trust has caused confusion for security professionals,” said Forrester. “Zero Trust is an information security model that denies access to applications and data by default. However, threat prevention is only achieved by granting access to networks and workloads using policies informed by continuous, contextual, risk-based scanning between users and their associated devices.”
Here are five mistakes organizations need to avoid when implementing a zero-trust security strategy:
Assuming Zero Trust security is all about ZTNA
Implementing zero trust network access (ZTNA) is critical to achieving zero Trust security. However, ZTNA alone is not zero Trust security.
In effect, ZTNA ensures that remote workers, contractors, business partners, and others have secure, adaptive, policy-based access to corporate applications and data.
In other words, with ZTNA, users receive the least privileged access based on their identity, role, and real-time information about device security status, location, and various other risk factors.
Therefore, each request for access to a corporate application, data, or service is checked against these risk criteria. Admission is only granted to the specific resource requested and not to the underlying network.
Over the last couple of years, many organizations have implemented or started to implement ZTNA as a remote access replacement for VPNs.
After all, the sudden shift to a more distributed work environment due to the pandemic has strained VPN infrastructures in many organizations and forced them to look for more scalable alternatives.
“A key use case driving ZTNA is VPN augmentation or replacement, driven by an unprecedented scale of remote work,” says Daniel Kennedy, an analyst at 451 Research, part of S&P Global Market Intelligence.
What is a VPN?
Historically, VPNs provided access to a corporate network rather than specific resources, which today can be hosted anywhere.
However, backhauling traffic through a VPN and then back to resources hosted outside a corporate network is unnecessary, says Kennedy. “ZTNA provides access at a more granular level and revalidates that access rather than just providing an authentication gate at the beginning of access.”
However, ZTNA is only part of the zero-trust story. After all, an organization can’t credibly say it has implemented zero Trust without implementing either – or preferably both – privileged identity management and micro-segmentation, says David Holmes, an analyst at Forrester Research.
Forrester defines micro-segmentation as an approach to reducing the impact of a data breach by isolating sensitive data and systems, placing them on protected network segments, and limiting user access to those protected segments with solid identity management and governance.
The goal is to minimize the attack surface and limit the consequences of a breach.
So, the no-fail key to zero Trust is ensuring that users, including those with privileged access to administrative functions, no longer have access to the applications and data they need, says Forrester.
Confusing zero Trust security with a product
Many tools and products can help organizations implement a zero-trust strategy. However, please do not confuse them with the process itself.
“A zero trust security philosophy is basically no longer extending implicit trust to applications, devices, or users based on their source,” says Kennedy.
Instead, it’s about implementing a standard deny/least privilege approach to access with an ongoing risk assessment that can change based on factors like user or entity behavior, for example, he says.
Therefore, when considering technologies to implement the strategy, ignore the labels. Look for products with features that come close to the zero trust security core principles as initially defined.
“Terms evolve, of course, like this,” says Kennedy. “But they come with connotations. Therefore, associations with product approaches must be rooted in some real connection to the outlined philosophy.”
That means having technologies that support core zero trust security principles like micro-segmentation, software-defined perimeter, and device integrity.
“The biggest disconnect I see that is causing unmet expectations is confusing a zero-trust strategy or philosophy with the implementation of a specific product,” says Kennedy.
Assuming you can get zero Trust security without basic security hygiene
Deploying the right tools alone isn’t enough if you ignore the fundamentals, says John Pescatore, director of emerging security trends at the SANS Institute.
“On the operations side, one of the big mistakes is thinking you can get zero trust without first achieving basic security hygiene,” he says. “If you can’t trust endpoints to be securely configured and kept patched; if you cannot trust identities because reusable passwords are in use; and if you can’t trust the software because it hasn’t been tested, it’s impossible to get zero trust security benefits,” says Pescatore.
Tools can help mitigate mistakes in the technological aspect of zero trust security. But even with them, there’s a lot of brain work that can’t be avoided, says Forrester’s Holmes.
“For example, an organization still needs a compelling approach to data classification, and someone needs to audit employees and third-party privileges,” says Holmes. “Both are non-trivial and generally manual tasks.”
Stiennon of IT-Harvest says a promising approach for organizations is first to identify and review areas within the IT infrastructure where protection is based on some form of Trust.
For example, an employment contract could be when an organization trusts users to comply with its policies.
Or it could be a contract or service level agreement with a cloud provider about how they would (or wouldn’t) use the organization’s data.
“Once you’ve identified those gaps, start filling them with technical controls,” he says.
Having poorly defined user access policies
A zero trust security approach can help organizations apply adaptive, policy-based access control to corporate resources considering various real-time risk factors.
It is the case of device security, location, and type of resource requested. After all, when implemented correctly, the approach ensures that users only have access to the specific resource they requested and in a less privileged way.
However, to do this effectively, security and IT administrators need to clearly understand who needs access to what says Patrick Ticket, vice president of security and architecture at Keeper Security.
This means enumerating all possible user roles and assigning them based on job requirements and functions.
“Zero trust security is really a simple concept: users have access to the resources they need to perform their job functions, and they don’t have access to resources they don’t need,” says Ticket.
For example, it points to a shared network drive that everyone in a company of 10 employees can access.
The unit contains sales, HR, accounting, and customer information that everyone in the company can access, regardless of role.
“There is a great deal of risk from unauthorized access, data loss, data theft, and unauthorized disclosure,” he says. “Applying correctly, even without errors, zero trust in this situation would restrict access but not affect productivity, dramatically reducing the risk to the enterprise.”
The ticket says it’s best to keep access roles well-defined initially and then assign or unassign new access roles to individual users as needed.
Neglecting the User Experience
Zero trust security models greatly impact end users, so pay attention to the user experience. “Authentication and access affect nearly every employee, so mistakes are costly for CISOs,” says Kennedy of the 451 Group.
Employee productivity can suffer when zero trust security initiatives are rushed without adequately preparing users for the change. A botched initiative or one that negatively affects users can also affect the credibility of the entire effort.
“The steps to success are well spent,” says Kennedy. “Establish a desired end state for your zero trust security strategy and methodically implement the different parts with vendor partners,” he says. Plan, execute and test carefully to ensure that any extra steps required of users deliver commensurate security benefits, he says.
Even avoiding the mistake of zero Trust, the ideal is to have specialized IT support with experience in security.