Zero trust is one of those infosecurity buzzwords bandied about as much as blockchain and military-strength encryption. However, when it comes to actually making it work in a real-world enterprise security context, cyber-security professionals are less than confident about their skills, suggests new research.
Progress towards a zero trust future in the enterprise is patchy, said a research report by Cybersecurity Insiders and Pulse Secure. The researchers surveyed more than 400 cyber-security decision makers, encompassing IT security professionals and technical executives alike.
More than 70 percent of organisations were planning to either implement or assess zero trust capabilities this year in an effort to better mitigate the burgeoning cyber-risk. However, 47 percent of those tasked with implementing such a strategy admitted to "lacking confidence" in their ability to apply zero trust to the organisational security access architecture, found the survey.
As Scott Gordon, chief marketing officer at Pulse Secure, noted, “Zero Trust holds the promise of vastly enhanced usability, data protection and governance. However, there is a healthy degree of confusion among cyber-security professionals about where and how to implement Zero Trust controls in hybrid IT environments – which is clearly reflected in respondents’ split confidence levels.”
Which got us thinking, here at SC Media UK: why is zero trust such a widely accepted concept if the people at the infosec-implementation coal face don't know how, or lack confidence in their ability, to actually get it working? We turned to the broad infosec professional community and asked them point blank for their honest views on the zero trust model.
Zero trust, the good, the bad and the ugly seems like as good a place as any to start. Pali Surdhar, chief security officer at nCipher, has the first two covered.
"Security boundaries are blurring due to the ubiquity and accessibility of computing systems, from mobile devices to cloud based systems. It is also good to have a suggested framework or guidance to address the challenges in the changed landscape," Surdhar said, explaining the good part.
"The framework provided is not backed by a threat model that would allow prioritisation of implementation and management of risk," Surdhar concluded.
Dave Klein, senior director of cyber-security at Guardicore, explained the ‘ugly’ part to SC Media UK.
"A Google search on 'Zero Trust 101' will show us that every cyber-security vendor is mapping to it. While we could say it is a victim of its own success, it can be a bit overwhelming for the enterprise to sort through."
Like any buzzword, zero trust risks being overused to the point it can become meaningless, warned Greg Iddon, senior manager of the Sophos product team.
"Thankfully, at the core of Zero Trust are strong principles that are a natural evolution of how we secure IT today. I believe it could become the norm in a few years," he said.
Tim Brown, VP of security at SolarWinds MSP, agrees that zero trust is a must for cyber-security.
"Without it, you end up with disconnected and unmeasurable security models across your environment. Infosec professionals know this, but they also see the reality: change takes time and money, and not every application can support zero trust."
Ciaran Durnin, security architect at Fujitsu UK, is cautiously optimistic when it comes to zero trust.
"The principles behind zero trust are solid. We see this across the cyber-landscape with many vendors developing tools to provide just-in-time access and the correct access for a specific task. Implementing such tools often poses significant challenges in organisations, as they uncover numerous people and process gaps. These gaps lead to programmes being over budget, which then challenges the efficacy of the tooling and potentially jeopardises future security spending."
NetFoundry CEO Galeal Zino also argues that a zero-trust model is mandatory if we follow first principles, and that's why the concept is being pushed by infosec professionals.
“Implementing it across wide-area service meshes comprised of cloud (incl. multi/hybrid), IoT, B2B and connected supply chains is where we run into challenges posed by legacy, and widely accepted, networking methods which are incompatible with zero trust,” Zino pointed out.
"Methods and technologies such as MPLS WAN, SD-WAN and VPN operate at a coarser level than core requirements of zero trust. They inherently trust the network layer rather than assuming the users and apps are guilty until proven innocent, regardless of what network they traverse."
This means that layering zero trust onto them requires bespoke, complex and costly solutions for different environments, without the ability to automate and integrate it into the app. "Evolving to a zero trust architecture requires a paradigm shift," Zino concluded.
Gordon adds, “Organisations interested in exploring Zero Trust Network Access (ZTNA) should seek a solution that works in parallel with a perimeter-based VPN to gain essential operational flexibility for enterprises and service providers supporting data centre and multi-cloud environments.”
The fact remains that many infosecurity professionals are still unsure of their ability to implement a zero trust model. However, zero-trust systems already exist in some form or other in these firms, said Mark Loveless, security researcher and engineer at GitLab.
“Oddly enough, most organisations usually end up doing something that could be considered 'zero trust' even if they don’t intend to. The main thing is to make a list of what you want to accomplish from a security standpoint or posture, break it into chunks, and tackle each chunk,” Loveless said, explaining his experience at GitLab.
"We’ve used the framework of zero trust to make sure those chunks can do the talking and interacting needed to allow a smoother and more acceptable system for both users and administrators."