The zero-trust security model has been billed as an ultra-safe defense against emerging, unrecognized and well-known threats. Unlike perimeter security, it doesn't assume people inside an organization are automatically safe. Instead, it requires every user and device -- inside and out -- to be authorized before any access is granted. Users and devices are then continuously reverified to maintain security.
This is an attractive proposition in a world where the number of adversaries and insider threats, both negligent and malicious, are growing. But, while the zero-trust model offers significant advantages, it's not perfect. Plus, abandoning one cybersecurity strategy for another is neither quick nor easy. This is especially true for large organizations or those with legacy security systems in place. Moving to a zero-trust model may sound enticing -- or even be obligatory -- but leaders must also consider the disruption that comes with such a transition.
Making zero-trust cybersecurity as effective as possible starts by understanding its challenges.
1. A piecemeal approach to zero-trust cybersecurity can create gaps
Most companies customize their zero-trust strategies using a piecemeal approach, but gaps or cracks may develop that make zero trust less ironclad than advertised. At the same time, unwinding legacy hardware and software can create unexpected security lapses.
Many zero-trust deployments require major architectural, hardware and software changes to be successful.
2. All-in-one zero-trust products don't exist
While buying products piecemeal can leave gaps, no one-size-fits-all, out-of-the-box zero-trust products exist. In fact, zero trust is not a single product, nor is it a single approach or technique. It is a philosophy and framework of policies, technologies and people that need to be applied to the seven pillars of zero trust: workforce security, device security, workload security, network security, data security, visibility and analytics, and automation and orchestration.
3. Legacy systems may not adapt to zero trust
Retrofitting legacy systems and applications -- which were built with perimeters in mind -- with zero trust isn't always possible. These legacy pieces may either need to remain in place, which can create security gaps or require different security deployments to protect them, or need to be ripped and replaced, which can be costly and time-consuming.
4. Zero trust requires ongoing administration, maintenance
Another frequently overlooked obstacle to switching to a zero-trust cybersecurity model is the need for ongoing administration. In some scenarios, additional staff or the use of managed services is required.
Zero-trust models rely on a vast network of strictly defined permissions, but companies are always evolving. People are hired, move into new roles, change locations, resign and laid off all the time. Access controls must be updated each time to ensure the correct people have access to specific information. Keeping permissions accurate and up to date requires ongoing input, which can be overwhelmingly difficult to keep up with.
If permissions and controls aren't updated immediately upon an employee's role change or departure, unauthorized parties could gain access to sensitive data. Imagine, for example, an employee who was fired but whose permissions weren't removed right away. That person could still access data and potentially go rogue, underscoring the role of speed in a zero-trust strategy. If companies cannot act quickly in these situations, data is at risk.
5. Zero trust can hinder productivity
Introducing a zero-trust approach could potentially affect productivity. The core challenge of zero trust is locking down access without bringing workflows to a grinding halt. People require access to sensitive data to work, communicate and collaborate. If individuals change roles and find themselves locked out of files or applications for a week, productivity can plummet. In a worst-case scenario, lost productivity becomes a bigger problem than cybersecurity itself.
Zero trust requires communication across a wide array of data, devices, systems and people. If any of these is not in line with the others, productivity and collaboration can suffer.
6. Zero trust isn't without security risks
While zero trust's aim is to improve security, it isn't immune to risks. Gartner outlined the following security risks:
- Trust brokers -- services that connect applications and users -- are potential points of failure and can be targets for attack.
- Local physical devices can be attacked and have data exfiltrated from them.
- User credentials can still be compromised.
- Zero-trust admin account credentials are attractive targets.
How to overcome zero-trust challenges
Zero trust has its flaws, but it's the preferred posture for security-conscious companies. To mitigate the inherent risks, be sure to run trials, start small, scale accordingly and keep the human element -- both staff and users -- in mind.
Run zero-trust trials
Before putting zero-trust implementations into production, put them through user trials and security evaluations. This gives users experience employing these types of systems, admins experience managing these types of systems and security teams experience responding to incidents and security issues. Get feedback from all users to improve future implementations.
When zero trust goes into live environments, start small. And don't abandon legacy systems altogether. First, identify the most sensitive data and critical workflows, and subject them to stricter access controls, such as multifactor authentication, privileged access and session management. Leave the remaining data to standard perimeter controls for the time being.
Once successful, scale the deployment. Gradually introducing zero-trust security is beneficial because it doesn't disrupt the continuity of a cybersecurity strategy. Companies begin locking down crucial assets, but because they're not entirely abandoning one system for another, they're exposed to fewer threats.
Keep people and zero trust in mind
It is key not only to have the right staff in charge of zero-trust deployments and management, but also to adapt workplace culture.
Zero trust is certainly a team sport. Security, networking, data and application teams need to work with HR, finance, the C-suite and other teams to create a successful zero-trust deployment. Communication and collaboration are important. Trainings and certifications may help boost zero-trust knowledge.
Remember, training and culture are as important as having the right staff and technologies in place. Strong technology can be defeated by a problematic culture. Employees are members of the team, and they may need to adapt to completely new ways of doing tasks and new policies when zero trust is adopted. Be sure to avoid any UX friction.
Also, the phrase zero trust can be off-putting to users. Zero trust is often interpreted by employees as "You don't trust me," -- even though that isn't the purpose of zero trust. This can cause adoption to be met with resistance. Training educates users about what zero trust is, how it applies to them and what it means for the big picture.
Despite the efforts of the vast cybersecurity community, data breaches continue. To combat this, zero-trust cybersecurity focuses on securing assets themselves, rather than only entry points. As long as companies recognize the challenges of zero trust, they can move their security position forward.
About the author
Dennis Turpitka was founder and CEO of Apriorit, a software development company that provides engineering services globally to tech companies, including Fortune 500 tech giants.