In this blog, we highlight ten possible misconceptions about the Zero Trust information security paradigm that could drive resistance to change among information technology leaders in the mid-market.
The Zero Trust model is not new. It has been discussed and refined since John Kindervag wrote the paper “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security” while working at Forrester. Today, many enterprises are already in the planning phase to deploy Zero Trust-based solutions for different reasons and use cases, although all share the common goal of replacing legacy controls that were built with the old implicit trust model in mind. A few visionary executives are leading the way by implementing Elisity® Cognitive Trust™ to start the journey towards a zero trust security posture for their large organizations (check our “Taking on Zero Trust” interview series for some leading examples).
But this migration is taking place at large enterprises, which usually require absolute visibility and control of their network environments. These large organizations live in a world where:
Given this digital transformation, these enterprises have no better way forward to secure users, devices, applications, and data than to change the way they approach information security altogether. Zero Trust is a paradigm shift driven by digital transformation and common sense.
But for mid-market businesses, absolute visibility and control of their networks are typically outsourced. They trust managed services providers to deliver networking and information security capabilities for lack of their own specialists and infrastructure, with simplicity and cost-efficiencies driving their decisions. The zero trust conversation may still be foreign to mid-market businesses or may have spawned a few critical misconceptions that could cause resistance to change. So let's go through these:
While Zero Trust, as a buzzword, may still be climbing the hype curve, it is a very old concept. As mentioned at the beginning of this blog, it has been around for years. However, no one really embraced it earlier, because operationalizing zero trust was seen as impossible when everything was viewed through a connectivity-first, security-next thought process.
The challenge for mid-market organizations new to the Zero Trust model is to stay away from those vendors that jump on the hype bandwagon and claim to offer a zero trust “product”. Those vendors are essentially putting lipstick on their pigs. Instead, mid-market IT leaders need to research and consider vendors that have purpose-built tools to support a transition to a zero trust architecture. Alternatively, they could work with MSPs that boast the infrastructure, technologies, and talent that can help them migrate away from the old implicit trust model.
It is not. Zero Trust is a journey. It is an information security model that gradually eliminates implicit trust from the underlying network. Multiple product categories enable the implementation of a zero trust network architecture that can move organizations faster towards an optimal security posture. When properly integrated and utilized, these products effectively reduce the attack surface and limit the blast radius in the event of a breach, all without affecting network availability, business operations, and productivity. Ultimately, when properly implemented, a comprehensive zero trust solution with continuous trust verification should aim, or aspire, for complete elimination of the attack surface.
They don’t. Well-implemented zero trust security not only improves network availability but also enhances the application access experience phenomenally. Most of the time, network and security teams have conflicting agendas. Usually, the network team needs to move packets from A to B to Z effectively and efficiently, with the security team coming in after the fact to add security controls to that data in transit and at rest. When that happens, network performance and availability may suffer. But this does not apply to a security-first approach to networking through a frictionless and distributed identity-centric network architecture. Making information security an integral part of the network fabric is inherent to the Zero Trust model.
When “location” becomes just another contextual attribute and does not determine trust by itself, securing assets becomes more effective, and transporting packets can be done more efficiently. With identity and its contextual attributes becoming the new dynamic edge, instead of IP addresses and ports, organizations can over time create virtual micro-perimeters (a.k.a. nano-segments) around their assets to build policy around. This fine-grained segmentation level helps IT provide more granular access to resources, prevents lateral movement within the network in the event of a breach (limiting the blast radius), and enables policymaking that evolves in sync with the organization.
They don’t, necessarily. It is reasonable to assume that user experience and productivity would suffer because of the requirement to verify identity constantly. With the right tools, a frictionless experience is possible thanks to nano-segmentation of users, devices, apps, workflows, and data, combined with intelligent policies enforced as close to the asset as possible. On the admin side, productivity increases and complexity decreases. For example, when an employee leaves the organization, access to all resources is revoked at once. Under the old model, it would likely take some micro-management, with the risk of leaving some access granted by mistake. Do me a favor and check from your smartphone if you still have access to your former employer’s cloud storage. There’s a chance you still do. A solution like Elisity’s Cognitive Trust for Remote Workforce Anywhere can prevent these scenarios.
It is not the case with brownfield scenarios, which are the more likely ones. Operationalizing zero trust doesn't mean you start distrusting the already established trust model of a brownfield network. On the contrary, and counter-intuitively, the right approach to initiating the journey to a Zero Trust architecture is to start with a default-allow stance in your shiny new zero trust security stack. This is because you do not want to disrupt business operations while you transition. You start in observation mode while trusting your legacy implicit trust configurations to keep doing their job, and you study what’s on your networks (what’s communicating to what, why, where, and when). Over time, you can prune access using your brand new zero trust security controls, creating new ubiquitous policies that will grant or deny access adaptively. For greenfield implementations, you can model the trust relationships and create relevant policies for right-sized access right from the start. When you are designing the solution, you already know which crown jewels and traffic flows you intend to secure first. You expand through new policies after you turn the lights on and get into observation mode.
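The two ideas above (location as just another contextual attribute, and a brownfield rollout that starts default-allow in observation mode before pruning access) can be made concrete with a small policy decision point. The following is an added illustration written for this post; it is not Elisity's code and does not describe any product's internals. Every identity, asset, attribute name and traffic flow in it is constructed, and the `PolicyEngine`, `Request` and `Policy` names are assumptions of the example.

```python
"""Toy identity-centric policy engine with an observe/enforce switch (constructed example)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Request:
    identity: str          # user or device identity is the new edge, not an IP address
    asset: str             # resource inside its own nano-segment
    location: str          # contextual attribute; never grants trust by itself
    mfa: bool              # session completed multi-factor authentication
    managed_device: bool   # device is enrolled and passed a posture check


@dataclass
class Policy:
    name: str
    asset: str
    condition: Callable[[Request], bool]


class PolicyEngine:
    """Policy decision point: default-allow while observing, default-deny once enforcing."""

    def __init__(self) -> None:
        self.mode = "observe"                              # brownfield start: default-allow
        self.policies: list[Policy] = []
        self.flows: Counter[tuple[str, str]] = Counter()   # (identity, asset) -> hits seen
        self.shadow_denies: list[Request] = []             # would be denied once enforcing

    def add_policy(self, policy: Policy) -> None:
        self.policies.append(policy)

    def _permitted(self, req: Request) -> bool:
        return any(p.asset == req.asset and p.condition(req) for p in self.policies)

    def evaluate(self, req: Request) -> str:
        permitted = self._permitted(req)
        if self.mode == "observe":
            # Learn what talks to what; legacy implicit-trust controls stay in charge.
            self.flows[(req.identity, req.asset)] += 1
            if not permitted:
                self.shadow_denies.append(req)
            return "allow"
        return "allow" if permitted else "deny"            # enforce mode is default-deny

    def candidate_policies(self, min_hits: int) -> list[Policy]:
        """Propose identity->asset allows from repeated flows, skipping assets that
        already have a hand-written policy so learning never loosens crown-jewel rules."""
        protected = {p.asset for p in self.policies}
        proposals: list[Policy] = []
        for (identity, asset), hits in sorted(self.flows.items()):
            if hits >= min_hits and asset not in protected:
                proposals.append(Policy(
                    name=f"learned:{identity}->{asset}",
                    asset=asset,
                    # the default argument pins this identity inside the closure
                    condition=lambda r, who=identity: r.identity == who and r.managed_device,
                ))
        return proposals

    def enforce(self) -> None:
        self.mode = "enforce"


def run_demo() -> dict:
    engine = PolicyEngine()
    # Crown jewel modelled up front: named identities, MFA and a managed device,
    # from any location (location is context, not a trust decision).
    engine.add_policy(Policy(
        "hr-db-crown-jewel", "hr-db",
        lambda r: r.identity in {"alice", "bob"} and r.mfa and r.managed_device))

    # Constructed observation-phase traffic: everything is allowed, but recorded.
    observed = (
        [Request("alice", "hr-db", "office", True, True)] * 3
        + [Request("bob", "hr-db", "home", False, True)]
        + [Request("carol", "wiki", "office", False, True)] * 3
        + [Request("dave", "wiki", "cafe", False, False)]
    )
    observe_decisions = [engine.evaluate(r) for r in observed]

    # Prune: accept learned allows for repeated flows, then flip to enforcement.
    learned = engine.candidate_policies(min_hits=2)
    for policy in learned:
        engine.add_policy(policy)
    engine.enforce()

    enforce_decisions = {
        "alice-office": engine.evaluate(Request("alice", "hr-db", "office", True, True)),
        "alice-cafe": engine.evaluate(Request("alice", "hr-db", "cafe", True, True)),
        "bob-no-mfa": engine.evaluate(Request("bob", "hr-db", "home", False, True)),
        "carol-wiki": engine.evaluate(Request("carol", "wiki", "home", False, True)),
        "dave-wiki": engine.evaluate(Request("dave", "wiki", "cafe", False, False)),
    }
    return {
        "observe_decisions": observe_decisions,
        "shadow_denies": len(engine.shadow_denies),
        "learned": [p.name for p in learned],
        "enforce_decisions": enforce_decisions,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two design choices carry the post's argument. The `shadow_denies` list is what an operator reviews during observation mode: it shows what the new stack would have blocked while the legacy controls were still in charge, so access can be pruned without an outage. And `candidate_policies` refuses to propose learned rules for an asset that already has a hand-written policy, so the crown-jewel rule (MFA plus managed device, from any location) is never loosened by traffic that happened to be observed.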
On the contrary, as stated above, it is the more likely scenario. Unless you are building a new network from scratch, connecting a new branch to the WAN, or setting up a new cloud application, you will likely be deploying a zero trust-based solution over the existing architecture. Once you are closer to the ideal security posture achieved through discovery, learning, and policymaking, you may be able to phase out some of the legacy security controls, such as user VPNs.
Zero trust is extremely critical for brownfield environments, and the key to success is in how you operationalize it. Software-defined perimeters, nano-segmentation, and identity behavior analytics help achieve this operationalization.
Not necessarily. Gartner says, “ZTNA augments traditional VPN technologies for application access and removes the excessive trust once required to allow employees and partners to connect and collaborate”. VPN replacement is a typical driver for ZTNA adoption, even more so in this environment where the remote workforce has expanded exponentially, shedding light on the bandwidth and security limitations of VPN architectures. ZTNA appeals to organizations seeking more precise access and session control to applications located on-premises and in the cloud. But always-on VPNs that require device and user authentication provide similar outcomes to ZTNA and will not go gentle into that good night.
In short, what solves the issues of legacy VPN solutions is the way zero trust is implemented. ZTNA not done the right way is still not the answer to all VPN limitations. But ZTNA done right can go above and beyond replacing VPN, enabling new capabilities, and overcoming the limitations and risks of the old implicit trust model.
Not really. They can help reduce capital and operational expenses. If you think that spending around 10 dollars (or less) per user per month to secure user-to-application access and your crown jewels is expensive, then I don’t want to know how much you’re currently spending on user VPNs and firewalls.
That’s false. Typically, early adopters of ZTNA and SDP are manufacturing companies seeking to secure their connected Operational Technology (OT) devices to protect against internal and external sabotage. Elisity's Cognitive Trust for Connected Devices can help manage and enforce access policy closer to the devices, protecting industrial control systems and preventing lateral movement within the network. Having said that, zero trust agents definitely enhance the security posture wherever they can be installed in the OT network (i.e., in switches).
Anyone who reaches this conclusion is being naive. Zero Trust means “trust nothing, verify everything”, even your zero trust security stack. A ZTNA solution cannot eliminate every risk completely. Although extremely unlikely, a trust broker can be compromised, and it represents a single point of failure when there’s no redundancy to ensure service availability. Multiple entry and exit points could minimize the likelihood of outages. The number of policy enforcement points (PEPs) a solution can offer is also a factor that affects performance and availability. Finally, a trust broker that does not include multi-factor authentication (MFA) could see compromised user credentials at some point.
You must always keep in mind that Zero Trust is a journey that gradually reduces the attack surface with the ultimate aspirational goal of eliminating it altogether. It cannot be achieved on day one.
A sound zero trust strategy for mid-market companies would combine a few security controls beyond just ZTNA, including 24/7 monitoring by an MSSP, for rapid detection and response to security incidents. There are several affordable SOCaaS (Security Operations Center-as-a-Service) offerings for medium-sized organizations that, given the right zero trust tools, can help minimize the risk of a breach.
Zero Trust is a never-ending journey. It’s aspirational because, in the end, something has to be trusted and packets must flow. It’s an exercise of constant verification and policy adaptation that, when leveraging frictionless solutions, enables the happy co-existence between the often conflicting information security and networking agendas. By adopting the Zero Trust mindset and the right set of integrated security tools (or the MSP that boasts these), mid-market organizations can start the journey with confidence.
A typical pilot to start "learning the ropes" can be providing secure access anywhere to the on-prem and remote workforce to then gradually phase out user VPNs. Check out Elisity Cognitive Trust for Workforce Anywhere and learn how it can help you or your MSP start the zero trust journey in your organization.