To Succeed With Zero Trust, First Define Success

Zero Trust is quickly becoming the gold standard cybersecurity approach for organizations, but it is still no silver bullet. While the fundamental concept of Zero Trust has been with us for a long time, recent years have seen a growing body of thinking about how to implement it as well as an ever-evolving, increasingly complex threat landscape as corporate IT infrastructure has become more diffuse through the adoption of cloud and remote working tools.

As a result, Zero Trust today comes with a convincing pitch: By focusing on business assets (especially data) rather than just the perimeter, security teams can work to ensure that assets are protected proportionally to their business value and risk, allowing better prioritization of security spending and investment.

This of course means that business value and risk are communicated in the same language (i.e., currency) to allow effective comparisons, highlighting the need to cyber risk quantification (CRQ), such as the Open FAIR™ methodology.

All of this is, in a narrow sense, perfectly true. However, the problem comes when the persuasiveness of this pitch and the frequency with which it is repeated by industry professionals and vendors gives organizations a false sense of security.

The truth is that no strategy, whether based on Zero Trust or any other approach, will be successful 100% of the time. Breaches will happen; teams that work on that assumption are likely to be in a much better place to respond than teams that don’t.

Rethinking Success

However, that simple fact raises a serious question: If successfully implementing Zero Trust does not mean absolute protection against attack – and if teams should not be setting absolute protection as their goal – how should they outline and measure what a successful implementation does look like?

When well-executed, Zero Trust strengthens an organization’s security posture, reducing the blast radius of inevitable breaches. This means that even if a breach is successful, the impact of that breach will be localized and prevented from spreading.

There are also many ways that Zero Trust can fail, though, which go beyond the issue of over-confidence. For example, users have been trained for a long time, by both business and consumer technology, to work and think in terms of traditional security approaches. If they are surprised by a new requirement for continuous identity checks, rather than a single handshake at the security perimeter, the result can be frustration and, ultimately, non-compliance which entirely undermines any security protocol.

Likewise, retrofitting a Zero Trust framework into an existing suite of security tools and processes may require reworking and reconfiguring the incumbent approach. Some tools will stay in place, being complemented or enhanced by Zero Trust solutions, while others may be removed or replaced. Understanding which is which and acting accordingly can be a significant investment and requires early buy-in from business leaders, as a partial process can result in a more vulnerable cybersecurity posture than the organization started with.

Any Zero Trust initiative also needs to be prepared to call on the full spectrum of talent needed to design, implement, and manage it appropriately. Beyond a strategic direction set by security leadership, the process will require the input of specialized enterprise architects and security architects who know how to both verify the appropriateness of vendors’ offerings and translate those capabilities onto the organization’s technical estate and the employees’ cultural assumptions and ways of working.

Overconfidence, user behavior, leadership buy-in, skills and talent: all of these come back to defining what success means for Zero Trust ahead of implementation. With a clear idea of a destination and an understanding of the journey required, organizations can plan for security failures, modern working patterns, transformation timelines, and well-informed decision-making.

The Right Input Makes For A Successful Output

While vendors and professionals may express differing ideas about what “good” Zero Trust looks like, organizations can turn to vendor-neutral sources like the NIST® SP 800-207 and the 'Zero Trust Commandments' from The Open Group, which approach the topic with the level of granularity that practitioners need to make informed decisions about implementing Zero Trust.

For example, if focusing just on the possible pitfalls discussed above, the Zero Trust Commandments establish a foundation for security teams to ‘Assume Failure and Assume Success’, meaning that breaches are inevitable (if not already occurring) and that the organization can and will recover from them.

The Commandments advocate for ‘Enabling Modern Work’, supporting productive behavior that is also secure and does not unnecessarily inhibit productivity. The Commandments also encourage viewing security as a ‘Continuous Journey’ with an initial investment that may result in disruption but will result in improvements worth the disruption. And, they stipulate that security teams ‘Make Informed Decisions’ on the basis of the best information that can be made available.

These are just a few details of the Zero Trust Commandments; taken collectively, they – and other neutral standards documents – can put organizations further along the road of truly successful Zero Trust Architecture implementation from day one.

John Linford is Security & OTTF Forum Director at The Open Group

You Might Also Read:

PAM, IAM, Or Both?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible



 

« Play Ransomware Gang Attack A Spanish Bank
Exploring The Benefits Of Continuous Compliance »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Secure Thingz

Secure Thingz

Secure Thingz focus on developing and delivering advanced security solutions into the emerging Industrial Internet of Things (IIoT) and Critical Infrastructure markets.

Zanasi & Partners

Zanasi & Partners

Zanasi & Partners is a security research and advisory company active in the EU and MENA areas. Services focus on technology solutions.

Corvid

Corvid

Corvid is an experienced team of cyber security experts who are passionate about delivering innovative, robust and extensive defence systems to help protect businesses against cyber threats.

National Forensic Sciences University (NFSU)

National Forensic Sciences University (NFSU)

National Forensic Sciences University is the world’s first and only University dedicated to Digital Forensic and allied Sciences.

Dutch Innovation Park

Dutch Innovation Park

Dutch Innovation Park in Zoetermeer is a breeding ground for applied IT solutions in the field of cyber security, e-health, smart mobility and big data.

Defensity

Defensity

Defensity offer bespoke & pre packaged IT Security Solutions for Small business to help companies reduce overall IT related risk.

3B Data Security

3B Data Security

3B Data Security offer a range of Penetration Testing, Digital Forensics, Incident Response and Data Breach Management Services.

National Security Services Group (NSSG)

National Security Services Group (NSSG)

National Security Services Group (NSSG) is Oman's leading and only proprietary Cybersecurity consultancy firm and Managed Security Services Provider.

Nitel

Nitel

Nitel is a leading next-generation technology services provider. We simplify the complex technology challenges of today’s enterprises to create seamless and integrated managed network solutions.

Infosys

Infosys

Infosys is a global leader in consulting, technology and outsourcing solutions.. Services include IT strategy, technical architecture and operations including cybersecurity.

Acronis

Acronis

At Acronis, we protect the data, applications, systems and productivity of every organization – safeguarding them against cyberattacks, hardware failures, natural disasters and human errors.

Nortal

Nortal

Nortal is a strategic digital transformation partner for leading companies and governments around the world.

Sequentur

Sequentur

Sequentur is an award-winning Managed IT Services company. We are SOC 2 certified and provide Managed IT Services and Cybersecurity services to businesses nationwide.

Reaktr.ai

Reaktr.ai

Reaktr.ai is founded on the vision of using AI as a catalyst to propel industries into a future where we redefine what's possible. Fortify your cybersecurity defense with our AI-powered platform.

Reality Defender

Reality Defender

Reality Defender stops deepfakes before they become a problem. Our proprietary deepfake and generative content fingerprinting technology detects video, audio, and image deepfakes.

Invisily

Invisily

Invisily makes enterprise and cloud computing resources invisible to attackers with zero trust solutions, making them visible only when needed to only those who need them.