Cybersecurity Snapshots #28 - Implementing Zero Trust Models is Easier Said Than Done


Many organizations still have a traditional or perimeter network security approach that focuses on keeping attackers out of the network but is vulnerable to users and devices inside the network. "Verify, then trust" security trusts users inside the network by default. Individuals with the correct user credentials could be admitted to the network's complete array of sites, apps, or devices. Security researchers are urging organizations to start creating zero trust architectures. Zero trust requires strict identity verification for every user and device when attempting to access resources on a network, even if the user or device is already within the network perimeter. Zero trust also provides the ability to limit a user's access once inside the network, preventing an attacker who has accessed a network from enjoying lateral freedom throughout the network's applications. Implementing a zero trust model is easier said than done as it requires a rethinking of an organization's entire security posture and environment.

Security researchers at One Identity conducted a new survey of IT security professionals to get their opinions on the adoption of, and their experiences with, zero trust security. Among the respondents, 75% cited zero trust as critically or very important to their organization's security posture. Some 24% said it was somewhat important, while only 1% dismissed it as unimportant. For most organizations surveyed, zero trust is still a work in progress. Only 14% have already adopted a zero trust model, 39% said that they've started their implementation but aren't finished, 22% plan to set up a full zero trust model within the next 12 months, 14% said that they plan to set up a full zero trust model but would take longer than 12 months, and 8% reported no plans to set up zero trust. The two most common barriers to implementing zero trust security models for participants were a lack of clarity around how zero trust should be implemented and the requirement of zero trust for ongoing identity and access management. Other common barriers were that zero trust security models impact employee productivity and that security staffers are too busy and have other priorities. Additional obstacles to kicking off a zero trust initiative included a lack of resources or budget, the challenges in predicting the benefits and building a business use case, the tendency of zero trust to create a siloed approach, and the lack of access to zero trust technology. Only 6% of participants said they had no barriers when implementing zero trust security models.

The security researchers at One Identity stated that there is no one correct approach to kicking off a zero trust initiative. The respondents of their survey pointed to a variety of methods on how to start implementing a zero trust security model. Almost half of the participants (49%) suggested that organizations begin by continuously verifying who has access to what and when. Some 48% of participants advised organizations to better monitor user access and privileges, 41% recommended starting by setting up new access management technologies, and 35% suggested mapping the traffic of sensitive data. Larry Chinski, VP of global IAM strategy at One Identity, stated that overall, the key to successful implementation and deployment of zero trust is to focus on the overall concept of never trust, always verify. Chinski also stated that looking at zero trust holistically is a key to helping organizations most effectively implement a zero trust architecture. Organizations can reference third-party resources to help deploy zero trust models. The National Institute of Standards and Technology (NIST) developed a starting guide for organizations on how to begin planning for a zero trust architecture.

The White House's recent requirement for federal agencies to achieve a zero trust architecture is a significant first step, but zero trust can't stop there. Security researchers believe that there are critical steps the federal government needs to take before zero trust has any hope of moving beyond the federal level on a larger scale. Firstly, the federal government needs to define zero trust and describe why it matters. Organizations need to know what zero trust is and why they should care. This is especially true for those not in an information technology role. Secondly, the federal government needs to clarify the zero trust implementation process. The researchers asked how, without clear guidance, organizations are supposed to know which guidelines and best practices work best for them and where to begin. Some researchers have already questioned whether the federal government can achieve the zero trust goal by the end of fiscal year 2024. If it is a challenge at the federal level, there will be an even heavier burden on non-government organizations, where cybersecurity preparedness varies significantly. Researchers are urging companies to work towards implementing zero trust methods sooner rather than later. Researchers are also urging the federal government to do a better job of helping organizations implement zero trust architectures in the future.

Submitted by Anonymous on