Worried about protecting data, the likelihood of breaches, and the rise of insecure endpoint and Internet of Things (IoT) devices, companies are looking to technologies and security models that focus on continuous authentication, experts say.
On February 4, survey firm Cybersecurity Insiders published its “Zero Trust Progress Report,” finding that two-thirds of surveyed cybersecurity professionals would like to continuously authenticate users and devices and force them to earn trust through verification, two foundational tenets of the zero-trust model of security. Yet while the average cybersecurity professional is confident he or she can apply the zero-trust model in their environment, a third of respondents had little confidence, and 6% were not confident at all, the report found.
Other studies have reached a similar conclusion: The concept of a zero-trust architecture, now a decade old, appears ready to go mainstream, but cybersecurity professionals remain uncomfortable with its implementation, says Jeff Pollard, vice president and principal analyst with Forrester Research, the analyst firm that coined the model in 2010.
“Zero trust is one of those initiatives that is being driven from the top-down perspective,” he says. “Previous models, security architectures — were very practitioner-driven. They were very organic and grew over time. … But because zero trust is a different model and a different approach, it is going to take time for all the practitioners out there to become ultimately familiar with what this looks like from an operations standpoint.”
The zero-trust concept evolved as a reaction to the disappearance of the network perimeter, as personal smartphones and other devices became widely used by employees at the office and as more workers did their jobs remotely. While old models of network security assigned trust based on location — anyone in the office was often trusted by default — zero-trust models focus on users and context.
Those components also create the biggest challenges for companies, according to the survey, which was sponsored by network security firm Pulse Secure. Most companies (62%) have to worry about over-privileged employees accessing applications as well as whether partners (55%) are only accessing the resources assigned to them. About half of respondents (49%) are worried about vulnerable mobile and rogue devices in their networks.
“Digital transformation is ushering in an increase in malware attacks, IoT exposures, and data breaches, and this is because it’s easier to phish users on mobile devices and take advantage of poorly maintained Internet-connected devices,” Scott Gordon, a spokesman for Pulse Secure, said in a statement. “As a result, orchestrating endpoint visibility, authentication, and security enforcement controls are paramount to achieve a zero-trust posture.”
The result is that companies have to move their entire infrastructure to the new model to gain the full benefits of a zero-trust approach, which is one of the reasons the process has taken so long, says Forrester’s Pollard.
“They cannot take what they have done in the past, and forklift it over to the new architecture — taking an existing infrastructure and porting it over,” he says. “There is just so much technical debt in the old environment. Instead, we recommend taking a more thoughtful approach.”
Security practitioners should first focus on using the zero-trust approach for cloud services, which are often new projects and which do not have much security debt. With the move, companies could also find new ways of accomplishing zero trust, such as security-as-a-service (SaaS) models.
The hesitation on the part of companies surveyed by Cybersecurity Insiders is understandable, says Holger Schulze, founder and CEO of the firm.
“Some organizations are hesitant to implement zero trust as SaaS because they might have legacy applications that will either delay, or prevent, cloud deployment,” he said in a statement. “Others might have greater data protection obligations, where they are averse to having controls and other sensitive information leaving their premises, or they have a material investment in their data center infrastructure that meets their needs.”
Done right, zero trust should not be any more expensive than the perimeter-focused security that most companies use today, says John Kindervag, field chief technology officer for network-security firm Palo Alto Networks and the person credited with formalizing the zero-trust model.
“Zero trust is not more costly than what is being done today — in fact, we typically see significant savings in capital expenditures, because often multiple technologies are collapsed into a single one or legacy technology is not needed in a zero-trust environment,” he says. “We also see significant savings in operational expenditures, because smaller teams can effectively operate zero-trust environments.”
Finally, companies need to focus on educating not just the practitioners but the users as well, says Forrester’s Pollard. New tools and systems are necessary, but the user is essential, he says.
“Make sure that you understand that the user is at the epicenter of the zero-trust model,” he says.