kras99 - stock.adobe.com
While most organizations today have at least a basic understanding of the importance of zero trust, they're struggling to implement it. The comprehension isn't matching the reality. For example, in a new survey from Fortinet, 59% of respondents said they can't authenticate users and devices on an ongoing basis.
This is a major problem, because not only is there an uptick in data breaches and other cyber incidents, these attacks are becoming more costly. IBM now estimates the global average cost of a breach is $4.24 million. So, it's not surprising that more organizations are looking to shift from implicit to zero trust. The trouble is that without the right framework, these efforts often fall short.
IT professionals -- especially those that oversee IoT deployments -- are interested in the zero-trust security model. Rather than assume anyone or anything that has network access can be trusted, a zero-trust mindset assumes the opposite. Nothing can be trusted anywhere, whether outside or inside the network perimeter.
The switch from implicit trust to zero trust comes in response to the rising incidents and costs of cybercrime. Many organizations have a vision of what they want or need in terms of zero trust and zero-trust network access (ZTNA), and most of them claim to have a zero-trust access (ZTA) or ZTNA strategy either in place or in active deployment.
Implementation problems abound
While most Fortinet survey respondents indicated they understand zero-trust concepts, more than 80% felt implementing a zero-trust strategy across an extended network wasn't going to be easy. Sixty percent reported it would be moderately or very difficult and another 21% said it would be extremely difficult.
Many admins indicated they cannot consistently authenticate users or devices and struggle to monitor use after authentication. Because authentication is considered fundamental to a zero-trust strategy, it seems that many organizations either misunderstand zero trust or have incomplete deployments.
Survey respondents almost unanimously agree that it is vital for zero-trust security workflows to be integrated with their infrastructure, work across cloud and on-premises infrastructure and be secure at the application layer. The biggest challenge organizations mention in building a zero-trust strategy is the lack of qualified vendors with a complete offering.
Key areas for an effective zero-trust strategy
Zero trust seems easier said than done -- but it doesn't have to be that way. Admins can focus on three key areas to make implementation much more successful. This entails narrowing down the people and devices that are on the network, as well as what becomes of managed devices once they exit the network.
Every organization has a range of users, so the answer to the question of who is on the network will vary. There are the regular employees who need to access the network, but there are others who need to access applications and data located either on premises or in the cloud. This group includes supply chain partners, contractors and possibly customers.
For a ZTA strategy to be effective, admins that implement it must determine who every user is and what role they play within the organization. The zero-trust model is a policy that only grants a user access to the resources that are necessary for their role or job.
Next, admins should address what is on the network. The huge uptick in the number of applications and devices organizations use today means an expanded network perimeter. This requires managing the explosion of devices, including servers, printers and IoT devices -- such as HVAC controllers or security badge readers -- and end-user phones and laptops.
While all devices must have access controls consistently enforced, IoT devices are particularly challenging because they don't have access controls on the device. They are typically low-power, small form factor devices without memory or CPU to support security processes. And they frequently don't interface with endpoint security tools. This means the network is the main security layer.
Because people use BYOD devices for business and personal needs, the final key is for admins to gain clarity about what happens when devices leave the network. Users may have logged out of the company network but then use their device for emails, social media and internet browsing on home and public networks. Once the devices rejoin the company network, users could inadvertently expose their devices and company resources to threats they may have picked up, including viruses and malware.
Endpoint security must be part of any ZTA offering. It should have the capability for off-network hygiene control, which covers policies for patching, web filtering and vulnerability scanning as well as flexible VPN connectivity.
Although most organizations are on board with the zero-trust model, IT teams can still struggle with implementation. Admins that track an organization's users, audit network-connected devices and use endpoint security software will find it much easier to manage zero-trust adoption.
Peter Newton is senior director of products and solutions, IoT and OT at Fortinet. He has more than 20 years of experience in the enterprise networking and security industry and serves as Fortinet's products and solutions lead for IoT and operational technology solutions, including ICS and SCADA.