Zero-trust is the logical successor to the legacy perimeter security model, but there are many common pitfalls to consider.
Whether companies know it or not, we’re all on a journey toward zero-trust security. This concept, which can be summarized as “never trust; always verify,” has been around for over a decade as a security focus on least privilege. However, the pandemic brought it to the forefront, as corporate offices emptied and millions of workers started working from home. So, in a relatively short period, tens of thousands of companies inadvertently accelerated their zero-trust journey, often without a well-thought-out plan.
Whether you’re just starting a new security strategy journey, or you’ve already made several investments, here are a few tips to help you avoid these common zero-trust security pitfalls along the way:
- Focusing only on legacy concepts. This first mistake occurs when companies simply try to apply a new name to an old way of protecting users and data—focusing on perimeters and zones. Known as the “castle and moat approach,” this outdated method assumes that everything outside the “castle” is a potential threat until proven otherwise (true), but everything inside can be trusted (false). Some people also refer to this as having a hard perimeter or shell with a soft inside. Observing recent cybersecurity breaches reveals that threat actors often spend weeks or months on their victims’ networks (i.e., inside) observing behaviors and collecting information before launching a malware or ransomware attack. A zero-trust strategy treats those inside the perimeter the same as those outside, which helps minimize the impact caused by attacks that breach the perimeter unnoticed and other inside threats.
- Picking one vendor. This mistake stems from the belief that zero trust is a product. If you listen to some security vendors’ marketing messages, it’s easy to see how this can happen. Not only do some vendors lead people to believe they have the market cornered on security, but also that they have a “zero-trust product.” The truth is most companies can’t create a zero-trust environment with just one product or just one vendor. Zero trust requires a holistic approach to security, entailing multiple technologies (e.g., IAM, SASE), architecture and policy. It’s also critical to note that the policy should precede the technology selection, not vice versa. Always keep the pillars of “people, process and technology” front of mind.
- Trying to do too much. Unlike the previous pitfall, which results from using only one vendor, this is the exact opposite—trying to “boil the ocean” with too many products vendors or strategies. Companies can stumble into this pitfall by taking recommendations from too many vendors or others without an overarching coordinator or failing to use an industry framework, such as NIST or CISA, to guide their process. Before adopting a program, however, it’s vital to perform a security assessment to know where you’re starting from and where critical data flows and where it’s vulnerable.
- Buying “shelfware.” As previously mentioned, a zero-trust program is the orchestration of multiple security technologies, often from various vendors. The challenge is that while there is no single product that does everything, many technology solutions do more than just one Therefore, it’s important to assemble the right solution while minimizing feature overlap between components. This problem is exacerbated when companies make buying decisions in silos rather than adopting a centralized, holistic strategy. A tools rationalization project is recommended as part of the zero-trust journey.
- Neglecting the user experience. One of the critical requirements to implement a successful zero-trust network architecture is ensuring that it’s user-friendly. In other words, your strategy shouldn’t burden users with complex processes or require them to jump through several hoops to log in to the network. And it can’t slow down their performance. In addition, the level of the solution should be right-sized for the particular organization. If your organization’s security measures aren’t right-sized and user experience isn’t considered, users will always find workarounds that will expose the organization to greater risk.
As changes in technology continue to evolve, it’s no surprise that the notion of trust is being examined when it comes to accessing data. The benefits of a zero-trust program can securely advance an organization’s business objectives. A zero-trust architecture assumes a breach is inevitable but can prevent it from exposing data to loss. Also, with a zero-trust architecture, organizations can customize their security for their specific data and assets.
Zero trust is not a one-size-fits-all method. It’s an individualized program that looks first at an organization’s business objectives to understand their goals, identify critical data and determine how to safeguard that data.