Zero trust architecture is an emerging technology in cybersecurity that offers an alternative to the traditional castle-and-moat approach to security. Instead of focusing only on your perimeter to defend against attacks from the outside, zero trust assumes that threats are ubiquitous and pervasive. Therefore, each user, device, and application within your network must verify that it isn’t a threat before it can proceed.
As Sam Ingalls writes in his How to Implement Zero Trust article, “a zero trust strategy centers around refined controls to improve and rightfully restrict access to your network and applications. By limiting movement, you mitigate the risk of malicious actors accessing key segments.” Zero trust is a critical tool in the security defense arsenal, especially as more companies shift to a fully remote or hybrid work environment. However, zero trust also comes with its own set of challenges that are important to understand to ensure effective implementation.
- Moving to zero trust can create cybersecurity gaps
- Zero trust architecture requires perpetual maintenance
- Insider threats are still a risk
- Zero trust models can inhibit productivity
- Overcoming zero trust challenges
Moving to zero trust can create cybersecurity gaps
One of the fastest lessons to learn with zero trust is that implementation is often neither quick nor easy. It can be a very drawn-out process that requires your SecOps team to re-envision your business’s security model from top to bottom.
This also means many IT and business professionals must adjust their way of thinking when it comes to cybersecurity. Instead of trusting that your security infrastructure is foolproof like they’ve been conditioned to believe, they must assume the opposite is true and that your systems are already in jeopardy.
It’s usually best to move from legacy security systems to a zero trust framework gradually over time rather than abruptly implementing multiple changes at once. Prioritize the systems, users, and workflows that engage with the most sensitive data so that you can assign them the strictest access controls. A longer timeline will help the transition go more smoothly and give employees more time to adjust to the new security environment and related processes.
Zero trust architecture requires perpetual maintenance
Many security professionals also underestimate the time and effort required to maintain a zero trust environment once it’s implemented. Unlike some security systems, zero trust is anything but a passive approach to defending against cyber threats.
Most businesses are constantly growing and evolving, and it’s essential that the intricate microsegmentation permission structure keep pace with the rate of change. Relevant changes may include new hardware or software deployments, changes in an employee’s responsibilities, new customer or staff accounts, and patches or updates to existing systems.
User permissions must be precisely and appropriately defined at all times for a zero trust model to be effective. Otherwise, unauthorized users will be able to access data and resources they shouldn’t. In a best-case scenario, this may mean an employee has more privileges than they need, but it could also mean bad actors can reach deep into your business systems and hold them hostage—or worse. Monitoring tools can help spot irregularities, but perpetual, proactive maintenance is required to prevent a worst-case scenario.
Insider threats are still a risk
Zero trust and microsegmentation are based on the premise of least privilege, which attempts to limit each user’s access to the bare minimum they need to do their job. However, this doesn’t address a glaring issue staring everyone in the face: social engineering. Social engineering attacks like phishing, scareware, and deep fakes are frequent tactics hackers use to gain access to your business systems from the inside.
These kinds of insider threats cost businesses an average of $2.79 million annually, according to the 2020 Cost of Insider Threats Global Report. This includes direct costs like stolen funds, lost or damaged data, and recovery efforts in the aftermath of an attack. It also includes indirect losses that can impact a business, such as reduced productivity, damaged reputation, and long-term lost revenue.
Microsegmentation alone doesn’t address the impersonation and deception strategies hackers use with the end goal of stealing employees’ credentials or damaging data. A formidable zero trust approach requires additional layers of security tools like identity and access management (IAM) and multi-factor authentication (MFA) to verify each user’s identity and minimize the risk of insider threats. A good zero trust tool should be able to detect when patterns near the critical zone have changed, but tools like UEBA and DLP can help—and extend those capabilities throughout the organization, not just around the microsegmented zone.
Zero trust models can inhibit productivity
Because zero trust adds extra security layers to most workflows, it can sometimes become a productivity constraint. Security strategies are only effective if they support and protect the work of your business—they otherwise become barriers that employees will try to circumvent. It is possible to be productive while also maintaining a strong cybersecurity posture, and finding that balance is a core tenet of the zero trust approach. Without both sides of the coin, your business won’t be able to flourish fully.
The easiest way to avoid productivity pitfalls is to embrace a hybrid security environment that consists of zero trust and legacy systems until you fully transition to zero trust. As your security teams shift individual workloads, they can evaluate each segment to ensure it won’t cause a major disruption to individual employees’ productivity or overall business performance. If something doesn’t go according to plan, the old model can be temporarily restored until your team is able to iron out the unexpected kinks.
Keep in mind that communication and agility are critical to zero trust implementation. Adopting these new security practices and tools will impact everyone, so your teams should be aligned with what to expect at every step in the process. Not only will this minimize the surprises you may encounter, but it will also help you address potential vulnerabilities quickly and effectively.
Overcoming zero trust challenges
Zero trust isn’t an infallible strategy, but it’s certainly becoming the way of the future for cybersecurity. Thankfully, there are many things you can do to overcome any potential challenges.
First, look at your cybersecurity infrastructure holistically and from multiple angles to make sure any gaps are covered during the transition to zero trust. During this time, it’s also important to make sure all stakeholders understand the value of moving to a zero trust model.
When you’re ready to begin the microsegmentation process, use a phased approach to minimize blows to productivity. Adopt additional layers of security in addition to microsegmentation to prevent successful social engineering attacks, and don’t neglect employee training to make sure your staff is prepared with the right cybersecurity knowledge.
Then, once your zero trust model is fully implemented, commit to routine maintenance and frequent internal audits. Doing so will help you maintain confidence that only your employees, partners, and customers have access to exactly what they need—nothing more and nothing less. That’s the ultimate goal of zero trust security, after all.
Read next: Best Zero Trust Security Solutions for 2021