Zero Trust: Essential in the Modern World vs. Unrealistic and Too Expensive

Written by

Jordon Kelly, Research analyst, Information Security Forum

Zero Trust: Essential in the Modern World

As interest in zero trust intensifies, organizations must understand what it is in order to gain the benefits that it is capable of delivering. Organizations should recognize zero trust as a security strategy that can better address the fast-moving and rapid change currently happening across all sectors and industries.

Zero trust is more suitable for protecting and securing critical data, information and systems than the traditional approaches to network security. Organizations can better understand zero trust through three distinct layers:

1: Adopting a Zero Trust Security Strategy

Zero trust is a fundamental shift in organizational mindset, built on the tenet of verifying but never trusting. It looks to reduce the risk associated with lateral movement, regardless of whether an access request or packet originates from outside or inside the organization’s network. Unlike the traditional perimeter-centric focus on security, zero trust is driven by a data-centric approach to protecting organizational resources, including critical data, assets, applications and services referred to within the context of zero trust as a protect surface.

To reap the benefits of zero trust, organizations must re-evaluate the role of security in their organization’s culture. By adopting a zero trust strategy, organizations will have better knowledge of the business environment and organizational resources, allowing them to better align their security practices and behaviors with their mission and operational needs. This way of thinking will help reduce silos and provide a strong foundation for a more holistic and deeper understanding of security in the business context.

Zero trust can help an organization move away from a security culture that is pushed outward from an information security team or function and towards a culture of security that is understood and facilitated by all areas of the business. This fact will leave employees, senior leadership and stakeholders better prepared for, and better protected from, a growing number of threats.

2: Implementing a Zero Trust Operational Environment

Once an organization has chosen to adopt a zero trust strategy and the relevant parties have carried out initial activities to understand its current security posture better, it will need to look at implementing zero trust from a technical perspective. 

Zero Trust Network Architecture (ZTNA) refers to the operational environment that an organization will design for putting a zero trust strategy into practice. Unlike a traditional network, the ZTNA builds upon a data-centric way of thinking about security, one that provides a far greater level of granularity of security controls. This method of designing network security offers the organization a dynamic, contextually driven and detailed way of securing resources.

A ZTNA offers the potential for a more resilient and robust operating environment for organizations, providing the ability to focus on protecting discrete resources while also reducing the friction on routine work activities typically disrupted by cumbersome security practices.

3: Applying Security Tools and Controls

The final component for organizations to consider when adopting and implementing zero trust is applying security tools and controls that build out the ZTNA and maximize the protection of organizational resources. Many of the tools and controls used to implement a ZTNA are already widely available, and, in many cases, organizations already use them. However, the shift in mindset away from a perimeter-centric security approach towards a data-centric one makes these tools and controls far more efficient and effective.

For example, organizations can implement identity and access management tools such as multi-factor authentication, privileged access management and least privilege access, combining them into a set of controls that delivers context-based, least-privilege access. This approach provides only the resources an individual needs to perform their role. It can be further enhanced by architecting the zero trust network with micro-segmentation and software-defined perimeter tools. Context-based, least-privilege access can even be adjusted through automated processes based on the resource(s) needed for one-off projects and tasks.

Organizations looking to adapt to an ever-changing security environment alongside other business, societal, financial and regulatory factors, will benefit hugely from zero trust. While nobody knows what the future holds, the effective adoption and implementation of zero trust will leave organizations better prepared to face the growing complexity, novelty and diversity of threats that are likely to continue over the coming years.

Callum Roxan, Global head of threat intelligence, F-Secure

Zero Trust: Unrealistic and Too Expensive

Assume breach, least privilege and verify explicitly – zero trust is based on solid principles and good intentions. Yet, good principles and intentions do not necessarily translate into good outcomes, and no matter how good the intentions may be, the outcomes are what matter. As the English proverb goes, the road to hell is paved with good intentions. 

Zero trust has many potential benefits for improving an organization’s security posture, and ultimately reducing risk and cost to the business from cyber-attacks. Nevertheless, it has two significant challenges: complexity and cost of implementation.

Zero trust heavily relies on an organization’s ability to accurately identify and classify the data it holds in each document, endpoint or system, and its ability to accurately identify and classify every user or system that may need to access that data. At the same time, policies to control this access need to be defined. Suppose you consider a medium-size organization with 1000 employees and hundreds of thousands of pieces of data that they may want to access. In that case, you can quickly see the complexity involved in classifying and controlling that data and who may access it. 

Many organizations struggle with the basics of accurately identifying the number of systems they have and how they may be exposed. To further classify the data relating to those systems is a complex task that is realistically beyond the reach of most. Take that a step further and consider that organizations will need to constantly update their understanding as data, systems and employee needs evolve. You see how this complexity can grow. This task is a true white elephant. 

The other side of this equation is the cost. The resources required to undertake such a project and gain the buy-in needed across the company to execute it effectively will be large for any organization. For many of those still struggling for the resources to do the cybersecurity basics, such as patching systems promptly, performing basic assurance activities and having an established detection and response function, this seems like an expense beyond them. 

The costs of zero trust are not just the products or services required to execute it effectively. The costs include the time the organization spends planning such a complex project, the time of every team in the organization to help classify their data and the time it takes for users to adapt their working ways to be compatible with a zero trust system. Current business setups are overly permissive internally because it is just more straightforward and less costly for the business to operate this way. 

Security is often seen as a blocker, and in the case of zero trust, there is a real danger that it can become one if not implemented well. It can cause delays and add red tape or overhead to the operation of many teams within a business. As soon as a security function starts affecting the bottom line, buy-in and support for such a project will quickly melt away.

All security leaders wish they had more resources to spend on different elements to improve the security postures of their organization. This fact breeds a reality and an understanding that they cannot do everything and that they need to prioritize and really appreciate the opportunity cost of their decisions. The current return on investment of less complex security projects will outweigh that of implementing zero trust for many security leaders. Ultimately, the opportunity cost of implementing zero trust is immense for most organizations, and the opportunity cost is not something to which a wise security leader would pin their job.

Zero trust has excellent value to more mature and agile organizations that can afford and need to invest highly in security to guarantee the continued success of their business. But for most, it is an unrealistic goal, with security investment having much greater returns if spent elsewhere. The principles should be seen as a good guiding light to shape a security strategy around, but one that has more realistic goals that can positively impact an organization’s security posture – not one that will be stuck in a never-ending project that fails to fulfill its promised outcomes. Because, as stated at the start, the outcomes are all that really matter.
