Zero Trust is critical to Information Security

Cristina De Luca -

January 17, 2022

A survey of more than 1,000 IT security professionals reveals that 75 percent of organizations characterize Zero Trust as critical or very important to strengthening their overall cyber maturity. Conducted by One Identity, an identity-focused security player owned by Quest Software, the study reveals that the approach is the top security priority for most organizations, but its comprehensive understanding and adoption remain inconsistent.

Only 14% of surveyed professionals reported having fully implemented a Zero Trust solution. Another 39% have started to address the need, and 22% noted that they plan to implement Zero Trust over the course of this year. And only one in five security stakeholders is confident in their organizations’ understanding of Zero Trust.

“Organizations recognize that the traditional perimeter is no longer sufficient and that they will be better served by prioritizing identity security and taking steps to ensure that criminals are limited once they gain access,” assesses Rogério Soares, director of Pre-Sales and Professional Services LATAM at Quest Software/One Identity. “Zero Trust is fast becoming essential because it eliminates vulnerable permissions and excessive access by providing a range of different rights across the organization to limit attack surfaces if they are breached,” he adds.

Source: One Identity

Among the main barriers to the success of Zero Trust is a lack of clarity about how adoption can be achieved. Some 61% of security professionals are focusing their implementation on reconfiguring access policies, 54% believe it starts with identifying how sensitive data moves across the network, and 51% are implementing new technologies to achieve Zero Trust.

Overall, 32% of security teams do not have a comprehensive understanding of how Zero Trust should be implemented in their organizations. Other major barriers to Zero Trust adoption include competing priorities (31% are too busy with other daily priorities) and beliefs that Zero Trust may harm business productivity (e.g., 31% mistakenly believe that Zero Trust security models affect employee productivity).

Source: One Identity

Priority also for the American government

In the United States at this time, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is putting the finishing touches on several guidance documents to help ease the transition to a Zero Trust cybersecurity environment.

The whole point of this effort is to move security away from the network and into the data and application layers.

John Simms, deputy chief of CISA’s cyber security assurance division, said the documents and other efforts are helping agencies shift their cyber thinking away from the network and closer to data.

“When we look at the cloud and see how we’re going to facilitate zero trust in the future, we have to fundamentally shift our thinking away from that foundation of network-centric cybersecurity and visibility and see how we can support it in a risk-based approach,” Simms said during an ATARC-sponsored panel in November. “We really need to focus on zero trust and where it’s really going to help us change dynamic and federal cybersecurity.”

In the last three months, CISA, together with the Office of Management and Budget, launched the Zero Trust strategy project, the cloud security technical reference architecture project, and the Zero Trust maturity model project.

How to implement?

First of all, it is worth remembering that Zero Trust is a way of thinking, not a specific technology or architecture.

So a full Zero Trust posture may never be fully achieved, says Neil MacDonald, vice president analyst at Gartner. But specific initiatives can be undertaken as soon as possible.

Gartner recommends that organizations wishing to implement Zero Trust start with two network-related security projects. Why? Well, TCP/IP network connectivity was created at a time when trust could be assumed. It was built to connect people and organizations, not to authenticate. Network addresses are, at best, weak identifiers. Zero Trust network initiatives use identity as the basis for new perimeters.

In the past, when users left the “trusted” corporate network, VPNs were used to extend the corporate network to them. If attackers could steal a user’s credentials, they could easily gain access to the corporate network.

Zero trust network access (ZTNA) abstracts and centralizes access mechanisms so security engineers and staff can be accountable for them. It grants appropriate access based on the identity of humans and their devices, as well as other context such as time and date, geolocation, historical usage patterns, and device posture. The result is a more secure and resilient environment with greater flexibility and better monitoring.

The shift to a largely remote workforce during the Covid-19 pandemic created intense interest in ZTNA, with media headlines proclaiming ‘The VPN is dead’.

While VPN replacement is a common driver for adoption, ZTNA typically augments, rather than replaces, a VPN. By allowing users to access what they need and moving to cloud-based ZTNA offerings, you can avoid overloading your VPN infrastructure.

In the long term, this Zero Trust posture for network access security can continue to be used when people return to the office.

Identity-based segmentation, on the other hand, also known as micro- or zero-trust segmentation, is an effective way to limit the ability of attackers to move laterally in a network once they have entered.

Identity-based segmentation reduces excessive implicit trust by allowing organizations to shift individual workloads to a “default denial” model rather than an “implicit permission” model. It uses dynamic rules that evaluate workload and application identity as part of the determination of whether to allow network communications.

When starting an identity-based segmentation strategy, start with a small collection of the most critical applications and servers for initial deployments and expand from there.
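To make the difference between the “implicit permission” and “default denial” models concrete, here is an added example (not from the article, Gartner or One Identity) of a minimal policy evaluator covering both the ZTNA context described earlier (identity, device posture, time of day) and identity-based segmentation between workloads. The legacy check trusts anything with a source address inside the corporate range; the zero-trust check allows a connection only when an explicit rule on the authenticated identity matches. All identities, the CIDR and the rules are constructed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example: default-deny, identity-based access decisions.

@dataclass(frozen=True)
class Request:
    subject: str           # authenticated user or workload identity, not an address
    destination: str       # identity of the application or workload being reached
    source_ip: str         # where the packet came from (weak identifier)
    device_compliant: bool # device posture as reported by the endpoint agent
    hour: int              # local hour of day, 0-23

@dataclass(frozen=True)
class Rule:
    subjects: frozenset
    destination: str
    require_compliant_device: bool = True
    hours: range = range(0, 24)

    def matches(self, req: Request) -> bool:
        return (req.subject in self.subjects
                and req.destination == self.destination
                and (req.device_compliant or not self.require_compliant_device)
                and req.hour in self.hours)

def legacy_perimeter_decision(req: Request, trusted: str = "10.0.0.0/8") -> bool:
    """'Implicit permission': anything inside the trusted network range is allowed."""
    return ip_address(req.source_ip) in ip_network(trusted)

def zero_trust_decision(req: Request, rules: list) -> bool:
    """'Default denial': allow only when an explicit identity-based rule matches."""
    return any(rule.matches(req) for rule in rules)

# Constructed policy: one workload-to-workload rule, one user-to-application rule.
RULES = [
    Rule(frozenset({"spiffe://corp.example/payments/api"}), "spiffe://corp.example/payments/db"),
    Rule(frozenset({"alice@corp.example"}), "hr-portal", hours=range(7, 20)),
]

if __name__ == "__main__":
    # A marketing workload inside the corporate range tries to reach the payments DB:
    # the perimeter model lets it through, the zero-trust model has no matching rule.
    req = Request("spiffe://corp.example/marketing/web",
                  "spiffe://corp.example/payments/db", "10.20.30.40", True, 10)
    print("legacy:", legacy_perimeter_decision(req), "zero trust:", zero_trust_decision(req, RULES))
```

The same rules deny a valid user identity when the device is non-compliant or the request falls outside the allowed hours, which is the “limit attackers once they gain access” effect described above.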

Once you have implemented ZTNA and identity-based segmentation, move on to other initiatives to extend a zero-trust approach across your technology infrastructure.

“For example, remove remote administrator rights from end-user systems, test a remote browser isolation solution, encrypt all data at rest, in the public cloud and start checking the containers your developers are creating for new applications,” advises Gartner.