Zero trust is a novel security approach that ensures secure connectivity by eliminating transitive trust and requiring explicit authorization for every user who seeks to access corporate systems and applications. Although interest in zero trust has grown significantly in recent years, a survey conducted by MeriTalk and Merlin Cyber shows that federal agencies are encountering challenges with implementation. In this article, we explain the concept of zero trust, examine the difficulties that were identified in the survey, and suggest best practices for overcoming them.
Why Should You Adopt Zero Trust?
The zero trust security framework is based on the principle “never trust, always verify.” In this model, the identities of users and devices are authorized each and every time they request access to systems and applications. This is unlike the legacy castle-and-moat approach that provides ongoing access based on transitive, location-based trust, such as a network origin or IP.
Zero trust uses multi-factor authentication (MFA) and additional secure authorization methods to verify identities. In addition, the network is cloaked from unauthorized users to prevent risky visibility. As a result, zero trust ensures secure access and business agility for organizations, supporting use cases like remote work, third-party access, M&As, and more.
Zero trust has recently been recognized by the leading global institutions as a recommended security strategy for organizations. In May 2021, the Biden administration in the United States issued a presidential Executive Order (EO) calling to modernize federal and private cybersecurity measures. The EO specifies that zero trust adoption is necessary to ensure cloud service security.
Following Biden’s Executive Order, CISA (Cybersecurity & Infrastructure Security Agency) published a zero trust maturity model designed to assist agencies in their transition to zero trust. Finally, in Jan. 2022, the OMB (Office of Management and Budget) published its Federal Zero Trust Architecture strategy, which requires agencies to meet standards by the end of 2024.
But why has zero trust, which was initially conceptualized over a decade ago, suddenly achieved such a high level of public visibility? The answer is closely connected to the growing scope and sophistication of cyberattacks that exploit legacy security controls and policies. Attacks such as those on Colonial Pipeline, Kaseya, and SolarWinds resulted from attackers targeting critical networks and causing massive damage. Alongside these high-profile attacks, in 2021 there were thousands of cyberattacks every day, and the number of attacks continues to rise every year.
Zero Trust Adoption Challenges
Under these circumstances, it’s easier to understand why zero trust is gaining traction. However, adopting zero trust is not always easy, and a little guidance can go a long way. According to the “2022 State of Federal Zero Trust Maturity” report by MeriTalk and Merlin Cyber, federal agencies are encountering a number of challenges.
Interviews with 151 federal cybersecurity decision-makers found that they are most concerned about:
1. Being Pushed Too Quickly
87% of respondents said they felt they were being pushed too quickly to implement zero trust, in a way that would impede achieving zero trust goals. Specifically, implementing requirements for devices and networks was considered to be the main challenge. Respondents are also concerned about automation, visibility, and governance challenges.
2. Tool and Vendor Integrations
Implementing zero trust requires introducing new vendors and tools that need to be integrated into the existing security stack. Some legacy tools might even need to be replaced.
- 42% of DoD agencies and 43% of civil agencies see the integration of new solutions with legacy, implicit-trust-based solutions as difficult.
- 42% of DoD agencies and 36% of civil agencies raised concerns about how to find the right vendor(s) for this new approach.
- 45% of DoD agencies and 44% of civil agencies described the process of centralizing previously siloed cybersecurity tools and deployments as a challenge.
3. Reorganizing Roles and Responsibilities
Zero trust is not a tool but rather a framework for approaching cybersecurity. Therefore, adopting zero trust often requires rethinking the organizational structure and responsibility delegation. For example, with zero trust, an infrastructure team will no longer need to be responsible for VPNs.
According to the report, 41% of DoD agencies and 43% of civil agencies were challenged by having to staff or train the IT workforce for zero trust, and the numbers for the non-IT workforce were 32% for DoD agencies and 41% for civil agencies.
Best Practices for Gradual Adoption of Zero Trust
The challenges described above can be overcome by implementing zero trust in a phased approach, beginning with the riskiest users. By introducing zero trust at a pace the organization is comfortable with, decision-makers can ensure all their questions are answered, all tool integrations take place securely and all employees get properly trained. In other words, by taking a phased approach, agencies, companies, and institutions can make sure their organization is secure while still maintaining stability and productivity.
Cyolo recommends three primary phases for zero trust implementation:
Phase 1: Third-Party Users
Third-party users pose the highest security risk for most organizations. This group can include vendors, suppliers, contractors, and other users who don’t work directly for the organization but need to access critical systems in order to keep the business functioning smoothly. By instituting strong authorization and access policies for third parties, preventing them from gaining visibility into the internal networks, and recording and auditing their activities, organizations can significantly reduce the risk of an attack. Because of the high risk they pose and the large benefits achieved by securing them, it usually makes sense to tackle third-party users as the first phase of a zero trust implementation project.
Phase 2: Remote Users
Remote connectivity constitutes a security challenge because the organization doesn’t have control over the networks and devices remote users rely on to access corporate systems and applications. By enabling zero trust access for all remote users (and their devices), the organization improves its overall security posture by lowering the risk that attackers will enter the network through vulnerable connectivity tools such as VPNs.
Phase 3: Enterprise-wide Adoption
Once the most potentially problematic users have been secured, the final step is to roll out zero trust across the entire organization, including for on-site users. After the first two phases have proven to be successful, there will be more organizational buy-in to implement zero trust for all users. In addition, lessons from previous deployments can be drawn on to ensure the final phase takes place smoothly and doesn’t impede internal work processes.
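The per-request, identity-based decision described under "Why Should You Adopt Zero Trust?" and the three-phase rollout above can be modelled as a small policy engine. The following is an added example written for this article, not Cyolo's code; the corporate IP range, user groups, entitlements and audit format are constructed assumptions. Groups already migrated to a phase are evaluated with the zero trust rule, while the rest keep the legacy location-based rule until their phase arrives.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed corporate address range used by the legacy (castle-and-moat) rule.
CORP_NET = ip_network("10.0.0.0/8")

# Rollout phases from the article: third parties first, then remote users, then everyone.
PHASE_SCOPE = {
    1: {"third_party"},
    2: {"third_party", "remote"},
    3: {"third_party", "remote", "onsite"},
}


@dataclass
class AccessRequest:
    user: str
    group: str            # "third_party", "remote" or "onsite" (assumed labels)
    src_ip: str
    app: str
    mfa_verified: bool    # MFA completed for this request, not a long-lived session
    device_compliant: bool


def legacy_decision(req: AccessRequest) -> bool:
    """Castle-and-moat: trust follows network location, so a corporate IP is enough."""
    return ip_address(req.src_ip) in CORP_NET


def zero_trust_decision(req: AccessRequest, entitlements: dict) -> bool:
    """Never trust, always verify: identity, MFA, device posture and an explicit
    per-application entitlement are checked on every request; source IP is ignored."""
    allowed_apps = entitlements.get(req.user, set())
    return req.mfa_verified and req.device_compliant and req.app in allowed_apps


def decide(req: AccessRequest, phase: int, entitlements: dict, audit: list) -> bool:
    """Phased adoption: groups already migrated get the zero trust rule, the rest keep
    the legacy rule until their phase. Every decision is recorded for auditing."""
    migrated = req.group in PHASE_SCOPE[phase]
    allowed = zero_trust_decision(req, entitlements) if migrated else legacy_decision(req)
    audit.append(f"phase={phase} user={req.user} app={req.app} "
                 f"model={'zero_trust' if migrated else 'legacy'} allowed={allowed}")
    return allowed
```

Note that a contractor connecting from a corporate address is allowed by the legacy rule but denied by the zero trust rule until MFA, device compliance and an entitlement for that specific application are all present.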
The Future of Zero Trust
Zero trust is the most effective security strategy for combating today’s advanced cyberthreats. By removing transitive trust and continuously authenticating all users, zero trust prevents cyberattacks and supports the needs of the modern workforce, including remote work and collaboration with external suppliers. Implementing zero trust might feel like a monumental task if an organization is rushed into it. However, by taking a gradual approach and implementing zero trust step by step, organizations can improve their security posture at the pace that is right for them.