To Succeed With Zero Trust, First Define Success

Zero Trust is quickly becoming the gold standard cybersecurity approach for organizations, but it is still no silver bullet. While the fundamental concept of Zero Trust has been with us for a long time, recent years have seen a growing body of thinking about how to implement it as well as an ever-evolving, increasingly complex threat landscape as corporate IT infrastructure has become more diffuse through the adoption of cloud and remote working tools.

As a result, Zero Trust today comes with a convincing pitch: By focusing on business assets (especially data) rather than just the perimeter, security teams can work to ensure that assets are protected proportionally to their business value and risk, allowing better prioritization of security spending and investment.

This of course means that business value and risk must be communicated in the same language (i.e., currency) to allow effective comparisons, highlighting the need for cyber risk quantification (CRQ), such as the Open FAIR™ methodology.
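The comparison described above, as an added example that is not part of the original article: an Open FAIR style calculation simplified to point estimates (Loss Event Frequency × Loss Magnitude, with Loss Event Frequency = Threat Event Frequency × Vulnerability), applied to two constructed assets, followed by a ranking of candidate controls by annual risk reduced per unit of annual cost. The asset names, control names and every figure are constructed for illustration; a real Open FAIR analysis would use ranges and Monte Carlo sampling rather than single values.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """Point-estimate Open FAIR factors for one asset / threat pairing."""
    name: str
    tef: float             # Threat Event Frequency: attempts per year
    vulnerability: float   # probability an attempt becomes a loss event (0..1)
    primary_loss: float    # direct loss per loss event (response, replacement)
    secondary_prob: float  # probability a loss event also causes secondary loss
    secondary_loss: float  # secondary loss per event (fines, reputation, churn)


@dataclass(frozen=True)
class Control:
    """A candidate investment expressed as the factors it changes."""
    name: str
    target: str            # Scenario.name the control applies to
    changes: dict          # factor overrides once the control is in place
    annual_cost: float


def loss_event_frequency(s: Scenario) -> float:
    return s.tef * s.vulnerability


def loss_magnitude(s: Scenario) -> float:
    return s.primary_loss + s.secondary_prob * s.secondary_loss


def annualized_loss_exposure(s: Scenario) -> float:
    """Expected loss per year, in the same currency as the loss inputs."""
    return loss_event_frequency(s) * loss_magnitude(s)


def prioritize(scenarios, controls):
    """Rank controls by annual risk reduced per unit of annual cost."""
    by_name = {s.name: s for s in scenarios}
    ranked = []
    for c in controls:
        before = by_name[c.target]
        after = replace(before, **c.changes)
        reduction = annualized_loss_exposure(before) - annualized_loss_exposure(after)
        ranked.append((c.name, reduction, reduction / c.annual_cost))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


# Constructed illustrative figures, not real data.
SCENARIOS = [
    Scenario("customer-db", tef=12, vulnerability=0.25,
             primary_loss=200_000, secondary_prob=0.5, secondary_loss=400_000),
    Scenario("brochure-site", tef=50, vulnerability=0.40,
             primary_loss=5_000, secondary_prob=0.1, secondary_loss=20_000),
]
CONTROLS = [
    Control("segment-db-and-require-mfa", "customer-db",
            {"vulnerability": 0.05}, annual_cost=150_000),
    Control("waf-for-brochure-site", "brochure-site",
            {"vulnerability": 0.20}, annual_cost=30_000),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name:14s} ALE = {annualized_loss_exposure(s):>12,.0f}")
    for name, reduction, ratio in prioritize(SCENARIOS, CONTROLS):
        print(f"{name:28s} reduces {reduction:>10,.0f}/yr ({ratio:.2f} per unit spent)")
```

The brochure site suffers far more loss events per year, but once both assets are priced in currency the database control returns several times more risk reduction per unit spent, which is the prioritization the article argues for.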

All of this is, in a narrow sense, perfectly true. However, the problem comes when the persuasiveness of this pitch and the frequency with which it is repeated by industry professionals and vendors give organizations a false sense of security.

The truth is that no strategy, whether based on Zero Trust or any other approach, will be successful 100% of the time. Breaches will happen; teams that work on that assumption are likely to be in a much better place to respond than teams that don’t.

Rethinking Success

However, that simple fact raises a serious question: If successfully implementing Zero Trust does not mean absolute protection against attack – and if teams should not be setting absolute protection as their goal – how should they outline and measure what a successful implementation does look like?

When well-executed, Zero Trust strengthens an organization’s security posture, reducing the blast radius of inevitable breaches. This means that even if a breach is successful, the impact of that breach will be localized and prevented from spreading.

There are also many ways that Zero Trust can fail, though, which go beyond the issue of over-confidence. For example, users have been trained for a long time, by both business and consumer technology, to work and think in terms of traditional security approaches. If they are surprised by a new requirement for continuous identity checks, rather than a single handshake at the security perimeter, the result can be frustration and, ultimately, non-compliance, which entirely undermines any security protocol.

Likewise, retrofitting a Zero Trust framework into an existing suite of security tools and processes may require reworking and reconfiguring the incumbent approach. Some tools will stay in place, being complemented or enhanced by Zero Trust solutions, while others may be removed or replaced. Understanding which is which and acting accordingly can be a significant investment and requires early buy-in from business leaders, as a partial process can result in a more vulnerable cybersecurity posture than the organization started with.

Any Zero Trust initiative also needs to be prepared to call on the full spectrum of talent needed to design, implement, and manage it appropriately. Beyond a strategic direction set by security leadership, the process will require the input of specialized enterprise architects and security architects who know how to both verify the appropriateness of vendors’ offerings and translate those capabilities onto the organization’s technical estate and the employees’ cultural assumptions and ways of working.

Overconfidence, user behavior, leadership buy-in, skills and talent: all of these come back to defining what success means for Zero Trust ahead of implementation. With a clear idea of a destination and an understanding of the journey required, organizations can plan for security failures, modern working patterns, transformation timelines, and well-informed decision-making.

The Right Input Makes For A Successful Output

While vendors and professionals may express differing ideas about what “good” Zero Trust looks like, organizations can turn to vendor-neutral sources like the NIST® SP 800-207 and the 'Zero Trust Commandments' from The Open Group, which approach the topic with the level of granularity that practitioners need to make informed decisions about implementing Zero Trust.

For example, if focusing just on the possible pitfalls discussed above, the Zero Trust Commandments establish a foundation for security teams to ‘Assume Failure and Assume Success’, meaning that breaches are inevitable (if not already occurring) and that the organization can and will recover from them.

The Commandments advocate for ‘Enabling Modern Work’, supporting productive behavior that is also secure and does not unnecessarily inhibit productivity. The Commandments also encourage viewing security as a ‘Continuous Journey’ with an initial investment that may result in disruption but will result in improvements worth the disruption. And, they stipulate that security teams ‘Make Informed Decisions’ on the basis of the best information that can be made available.

These are just a few details of the Zero Trust Commandments; taken collectively, they – and other neutral standards documents – can put organizations further along the road of truly successful Zero Trust Architecture implementation from day one.

John Linford is Security & OTTF Forum Director at The Open Group
