Zero trust has certainly won the buzzword of the year award for 2021, but I have a different perspective than many on this topic — I don’t think it’s worthy of the central spot on your overhyped IT buzzword bingo card. From my perspective, zero trust is not only necessary and timely but exceptionally viable.
This article was originally published on Forbes. You can read the full article at https://www.forbes.com/sites/forbestechcouncil/2021/10/07/four-zero-trust-myths-impacting-adoption/.
Certainly, zero trust is a complicated concept — and more challenging to implement than described, but it’s not the giant hairy beast the industry has made it out to be. In the name of defending the protagonist in this great cybersecurity epoch, I’d like to debunk a few common myths and misconceptions around zero trust.
- Zero trust means specifying access to and from every resource.
The first myth, and likely the one that makes zero trust feel like an insurmountable task, is that it requires organizations to specify access to and from every possible combination of users and resources (or assets). Any IT or infosec professional who’s worked with access policies in any capacity (such as authentication or network access control, firewall policies or other identity and access management [IAM] policies) understands the intricacy of coordinating even traditional broad access rights. So, when zero trust starts prescribing what sounds like a one-to-one (user to resource) policy, down to the port and application level, it’s cause for alarm.
The truth is that a zero trust strategy isn’t about nitty-gritty, one-to-one policies across the board; it’s about removing inherent trust and centering all trust decisions around identity. In fact, the natural progression with zero trust is just like any other part of a risk management program — we identify the highest risk assets (specifically, data, as asserted by Forrester) and carve those out first for zero trust access.
- Zero trust is still a concept, not a solution.
Zero trust as a term may have been coined by Forrester in 2010, but that was just the industry-assigned label for the progression towards de-perimeterization, which has been in circulation for almost twenty years. In fact, Google’s hallmark BeyondCorp model for zero trust in 2009 predated the Forrester label. The point is that zero trust is not just a new theoretical concept. If you search for “zero trust case studies” online, you’ll be greeted with a battery of success stories (and some war stories) from organizations across the globe and of all sizes and industries.
Shopping the extensive mall of security products, we see hints of zero trust in every store we pass — in privileged access management (PAM) products, network access control (NAC), network microsegmentation, cloud access security broker (CASB), secure access service edge (SASE) and in various virtual private networking (VPN) replacement products, to name a few.
- Zero trust is not achievable for smaller organizations.
For anyone who’s played a role managing technology with both small and large organizations, it’s almost laughable to think that a smaller organization is somehow at a disadvantage in implementing disruptive technology. Having said that, there’s a lot of truth in the fact that smaller organizations often lack both the personnel and processes required for mature cybersecurity programs. There may be no CISO and likely no extensive library of referenceable policies.
But from a controls implementation standpoint, smaller organizations have a huge advantage over their larger counterparts, who have far more complex systems and networks, often stricter compliance requirements, and operate on a much larger scale.
And it’s a good thing. With Cybersecurity Maturity Model Certification (CMMC) requirements and supply chain security crackdowns, SMBs are coming under extensive scrutiny as it relates to cybersecurity practices. Zero trust architectures will play a huge role in their ability to meet these new demands, and it’s definitely easier and faster to make the requisite changes at a smaller scale with less red tape.
- Zero trust is too complicated to succeed.
It certainly seems some of the friction in wrapping our collective heads around zero trust is that we aren’t yet accepting it as a concept. Zero trust is not a product, and in fact, it’s not even a suite of products — it’s something much bigger and broader. Saying “implement zero trust” is like saying “take a layered approach to security.” There’s no silver bullet, and it’s not achieved with a wholesale forklift of an organization’s network and security architecture. Zero trust is a mindset and a process.
Yes, planning and implementing a zero trust program is hard, but we’ve been here before. The desire for more granular segmentation coupled with stronger identification and authentication of users and devices is a mountain we climbed through decades of network access control (NAC) implementations. Frankly, zero trust is just NAC 4.0: another evolution with stronger centralized identity, more granular policy control and an implementation designed to address the eroded perimeter and work-from-anywhere access model.
Just as with its predecessor, successful zero trust programs will depend on security, identity and networking teams coming together to find the product sets that work best in their environment.
In summary, zero trust may be no cakewalk, but it’s here, it’s real and it’s achievable when we tackle it as a mindset of progression towards stronger identity-centric access to our crown jewels.
Cover image by liuzishan – www.freepik.com.