Why enterprises are getting zero trust wrong

With remote work exploding amid the COVID-19 pandemic, zero trust has become a security process that enterprises depend on to protect hybrid working environments. 

Yet while so many organizations are looking to embrace zero-trust networking, many are getting it wrong, implementing limited access controls or turning to “zero trust in a box” solutions.

Research shows that, according to one report, 84% of enterprises are implementing a zero-trust strategy — but 59% say they don’t have the ability to authenticate users and devices on an ongoing basis and are struggling to monitor users post-authentication. 

In addition, Microsoft notes that while (according to another report) 76% of organizations have started implementing a zero-trust strategy, and 35% claim to have it fully implemented, those claiming to have achieved full implementation admit they haven’t finished implementing zero trust steadily across all security risk areas and components.

Although these may seem small oversights, they can increase an organization’s exposure to risk significantly. A recent IBM report found that 80% of critical infrastructure organizations don’t adopt zero-trust strategies, which increased their average data breach costs by $1.17 million compared to those enterprises that do. 

False zero-trust promises and vendor lingo 

One of the most significant reasons that enterprises are getting zero trust wrong is that many software vendors use marketing that misleads them, not just about what zero trust is, but how to apply it, and whether certain products can implement zero trust. 

All too often, these marketing practices trick CISOs and security leaders into thinking zero trust can be purchased. 

 “There’s a couple of mistakes a lot of people make in zero trust. First, and probably most common too, is approaching zero trust as something you can buy, a situation abetted by many vendors using the term in their marketing whether it applies to the product or not,” said Charlie Winckless, a senior analyst at Gartner.

That being said, Winckless does note that there are legitimate solutions you can buy to lay the foundation for zero-trust architecture, such as zero-trust network access (ZTNA) and microsegmentation products. 

At the same time, Winckless warns enterprises about falling into the trap of trying to apply zero trust at too granular a level at the behest of software vendors. 

“Second (and again, I think a lot of the way vendors are latching onto the term) is trying to push too much security into zero trust. Fundamentally, Gartner thinks of zero trust as replacing implicit trust with adaptive explicit trust. If you push too much into it, then it becomes impossible to achieve well,” Winckless said. 

Getting away from a quick-fix mentality 

The reality of zero-trust adoption is that it’s a journey and not a destination. There’s no quick fix for implementing zero trust because it’s a security methodology designed to be continuously applied throughout the environment to control user access. 

“Organizations that get zero trust wrong are the ones looking for a quick fix or silver bullet. They also tend to look to a set of products to get them zero trust. They fail to understand or don’t want to acknowledge that zero trust is a strategy, it is an information security model,” said Baber Amin, COO of Veridium. 

Amin added, “Products can and do help achieve zero trust, but they need to be applied correctly. It’s just like purchasing the most expensive lock, which does not do anything if the door itself is not properly reinforced.”

Amin also noted some of the most common mistakes organizations make besides confusing zero-trust strategy with product offerings.

These mistakes include:

• failure to define proper access control policies to enforce the principle of least privileged (PoLP)
• failure to monitor access creep
• failure to implement multifactor authentication
• failure to classify and segment data
• lack of transparency over “shadow IT”
• overlooking the user’s experience

To build a successful zero-trust strategy, security teams must be able to do more than continually authenticate users and devices. They must also monitor those users and devices post-authentication; microsegment their networks; and implement controls across on-premise and cloud environments to secure access to data at the application level.  

Over-reliance on legacy infrastructure 

Making the zero-trust journey is often easier said than done, since many enterprises are operating in environments with outdated and inflexible legacy infrastructure. This makes it more difficult to manage user access at speed. 

Over-reliance on legacy infrastructure is a well-recognized barrier to zero-trust adoption. For instance, a survey of 300 federal IT and program managers found that 58% said the biggest challenge to implementing zero trust is rebuilding or replacing existing legacy infrastructure.

As a result, adopting zero trust is as much about undergoing digital transformation and replacing legacy infrastructure as it is about implementing new security controls and applying the principle of least privilege throughout the environment. 

“Traditionally organizations have always been behind the ball when it comes to adopting a ‘security first’ environment, and have purposely stuck with legacy models in order to cut costs on CIAM/IAM infrastructure [and] ensure users are not ‘burdened’ with extra authentication when accessing sites, files, etc., which may cause bad [user] experience or slow down overall productivity,” said Charles Medina, security engineer at Token. 

Organizations that need to deploy new tools to enable their zero-trust journeys also need to make sure that they’re training employees how to use the new solutions effectively.   

“The worst is when an organization deploys great tools that help with pushing a zero-trust model, but either aren’t trained in a proper deployment due to cost or simply don’t take the environment seriously,” Medina said. 

Lack of executive alignment 

Finally, achieving the buy-in necessary to undergo effective digital transformation rests on the ability of CISOs and security leaders to present zero-trust adoption as not just a security issue, but a business issue. 

CISOs need buy-in from other key stakeholders if they are to replace underlying legacy infrastructure and applications. After all, without significant investment in digital transformation, security teams won’t have the tools to implement basic access control and authentication models to manage and monitor user access. 

“Deployment is a step-by-step process which starts with developing and socializing a strategy with the business and establishing a governance framework which engages stakeholders in the change initiative — not just the CIO and CISO teams, but those business units who may be impacted by the implementation,” said Akhilesh Tuteja, global cybersecurity practice leader at KPMG. 

It’s critical that CISOs highlight the potential cost savings of going zero trust. 

They might, for instance, highlight Forrester research that illustrates how organizations that adopt Microsoft’s zero-trust solutions can generate a 92% return on investment (ROI) and a 50% lower chance of a data breach. This could help make the business case for investing in zero-trust controls. 

However, even with the support of other key stakeholders, zero trust isn’t a one-time effort, but an ongoing process. 

“At every stage in the process, there is potential for missteps and many surprises. Few businesses understand their IT estate, and quite how the various systems and applications interact. As you implement segregation and new access controls, things will break. Unexpected dependencies will be discovered, with surprising data flows and long-forgotten applications,” Tuteja said. 

Continuous improvement 

No matter how far along an enterprise is in its zero-trust journey, CISOs and security leaders can reduce the chance of making mistakes by viewing zero trust as a continual process, and committing to making incremental improvements to this process.

Taking simple steps like making an inventory of assets that need to be protected, then deploying identity and access management (IAM) and privileged access management (PAM), can help to build zero trust from the ground up and develop a cultural mindset of continuous improvement.