Why adopting a Zero Trust approach is not as straightforward as it might appear
The world has changed. With the move to a hybrid workforce, the rapid adoption of cloud, and the increased use of mobile and IoT devices, the attack surface of every organization has expanded. Businesses are finding it harder than ever to protect their networks and digital assets.
This will, no doubt, be the central theme for this year’s Cybersec Europe, taking place on May 29th and 30th in Brussels. The event aims to arm visitors with the know-how and solutions to make their businesses cyber resilient and secure their digital assets.
But it is not just about securing assets. Traditional boundaries have blurred between businesses, suppliers, customers, workers, and home life. Organizations must have all the appropriate governance and systems in place so they can view cybersecurity from a holistic and integrated perspective. This is where a Zero Trust strategy with identity at its core is essential.
Zero Trust has emerged as a set of guiding principles and the framework of choice for helping organizations establish a set of controls. Organizations that adopt Zero Trust principles assume every connection, device, and user is a potential cybersecurity threat. By eliminating implicit trust, the Zero Trust model advocates for a security policy in which nobody is inherently deemed safe, regardless of role or responsibility.
Zero Trust security offers a new way of securing access and IT leaders are embracing it. In a recent study, organizations with a mature Zero Trust implementation scored 30% higher in security resiliency than organizations without a Zero Trust strategy.
While this all sounds great on paper, in practice such an approach is inherently hard for organizations to achieve. Many lack the understanding they need of all the different aspects of their security infrastructure to implement a holistic Zero Trust approach. Most approach security from a siloed perspective, as do most vendors. No single vendor covers every aspect of Zero Trust; instead, vendors deliver separate solutions for identity, access control, micro-segmentation, endpoint verification, network access, and real-time monitoring.
Likewise, within the organization, different teams will be delegated different security tasks. For example, network management and identity management often sit in separate teams. Adopting Zero Trust may therefore require a significant shift in organizational culture, set-up and security strategies, which can be complex and necessitate buy-in from several different levels.
Substantial changes to existing network infrastructure may be required, which can be costly and time-consuming. Achieving comprehensive visibility and control over all network connections can be technically challenging, especially in complex environments.
Some considerations when adopting a Zero Trust approach with identity at its core include:
- Make sure you include all identities in your road map. This covers third-party access, vendor management, partners, employees and contractors: all identities must be handled appropriately.
- Understand your organization’s critical digital assets, categorize them based on sensitivity, and correlate access needs with job positions. This step aids in prioritizing security efforts and detecting vulnerabilities through a security risk assessment.
- Restrict user access using the principle of least privilege. Implement access control policies, leverage identity management, and conduct regular access reviews to align permissions with job responsibilities.
- Understand your risk posture and spend your euros wisely. This means having a complete understanding of access and a comprehensive road map. The challenge today is that most CISOs are so busy with different aspects of legislation, compliance and risk management that they don’t have time to focus on the bigger picture. It is critical that they make time.
- There is a shortage of qualified, specialist personnel. Therefore, be clear on what topics and intelligence you want to retain within the organization and what you could outsource. For example, Privileged Access Management is complex and your organization probably doesn’t need this level of specialist expertise, so outsource to the experts.
- Remember the importance of communication between security teams and the rest of the business, which is vital to building internal support. To achieve this, security teams must inform and guide users through the phases of the Zero Trust implementation while continuing to emphasize the benefits to them.
With this vision and understanding, the steps to success become more achievable.
David Morimanno is the Director of IAM Technologies at Integral Partners, LLC, a Xalient company.
Steven Daniëls is the Managing Director and Owner of Grabowsky, a Xalient company.
If you are interested in learning more about Xalient’s approach to Zero Trust, why not listen to our talk, “Why Zero Trust starts with identity”, at Cybersec, which is being held on Wednesday, 29th and Thursday, 30th May at 14.45 pm in Theatre 7. Or you can find us on stand 05.A042.