To Succeed With Zero Trust, First Define Success

Zero Trust is quickly becoming the gold standard cybersecurity approach for organizations, but it is still no silver bullet. The fundamental concept has been with us for a long time. Recent years, though, have brought a growing body of thinking about how to implement it, alongside an ever-evolving and increasingly complex threat landscape, as corporate IT infrastructure has become more diffuse through the adoption of cloud and remote working tools.

As a result, Zero Trust today comes with a convincing pitch: by focusing on business assets (especially data) rather than just the perimeter, security teams can ensure that assets are protected in proportion to their business value and risk, allowing better prioritization of security spending and investment.

This of course requires that business value and risk be expressed in the same language (i.e., currency) so that they can be compared directly, which is why cyber risk quantification (CRQ) methods such as the Open FAIR™ methodology matter.
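The comparison described above, as an added example that is not code from the article's author, The Open Group or the Open FAIR standard: a small FAIR-style Monte Carlo in Python that keeps only the top of the Open FAIR taxonomy (Risk = Loss Event Frequency x Loss Magnitude, LEF = Threat Event Frequency x Vulnerability), samples each factor from a calibrated min / most-likely / max estimate, and expresses every asset's annualised loss exposure in currency so that two assets can be ranked for investment. The triangular distribution, the single-year expected-loss product and the two sample assets with their figures are constructed assumptions for illustration, not Open FAIR's prescribed method or anyone's real data.

```python
"""
FAIR-style cyber risk quantification (CRQ) by Monte Carlo simulation.

Added illustration, not code from The Open Group or the Open FAIR standard:
it keeps only the top of the Open FAIR taxonomy
    Risk = Loss Event Frequency (LEF) x Loss Magnitude (LM)
    LEF  = Threat Event Frequency (TEF) x Vulnerability
and models each factor as a calibrated min / most-likely / max estimate
sampled from a triangular distribution (a simplification; FAIR tooling
commonly uses PERT). All asset names and figures below are constructed.
"""
from dataclasses import dataclass
from random import Random
from statistics import mean


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max estimate for one FAIR factor."""
    low: float
    mode: float
    high: float

    def sample(self, rng: Random) -> float:
        # random.triangular returns `low` when low == high, so a point
        # estimate (low == mode == high) is a valid, deterministic input.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Asset:
    name: str
    tef: Estimate             # threat events per year
    vulnerability: Estimate   # P(threat event becomes a loss event), 0..1
    loss_magnitude: Estimate  # currency lost per loss event (primary + secondary)


def simulate_annual_loss(asset: Asset, trials: int, seed: int = 0) -> list[float]:
    """One annualised loss figure per trial, in the currency of loss_magnitude."""
    rng = Random(seed)
    losses = []
    for _ in range(trials):
        tef = max(0.0, asset.tef.sample(rng))
        vuln = min(1.0, max(0.0, asset.vulnerability.sample(rng)))
        lm = max(0.0, asset.loss_magnitude.sample(rng))
        losses.append(tef * vuln * lm)  # LEF x LM for this simulated year
    return losses


def percentile(values: list[float], p: float) -> float:
    """Nearest-rank percentile, p in 0..100."""
    ordered = sorted(values)
    rank = int(round(p / 100 * len(ordered)))
    return ordered[min(len(ordered) - 1, max(0, rank - 1))]


def summarise(asset: Asset, trials: int = 10_000, seed: int = 0) -> dict:
    """Mean and tail of the simulated annual loss for one asset."""
    losses = simulate_annual_loss(asset, trials, seed)
    return {
        "asset": asset.name,
        "mean": mean(losses),           # annualised loss exposure
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),  # a "bad year"
        "max": max(losses),
    }


def rank_by_exposure(assets: list[Asset], trials: int = 10_000, seed: int = 0) -> list[dict]:
    """Assets ordered by mean annualised loss exposure, highest first."""
    return sorted((summarise(a, trials, seed) for a in assets),
                  key=lambda s: s["mean"], reverse=True)


# Constructed sample estimates (not real figures): a high-value data store
# versus a frequently attacked but low-impact public website.
SAMPLE_ASSETS = [
    Asset("customer-database",
          tef=Estimate(2, 6, 12),
          vulnerability=Estimate(0.2, 0.4, 0.7),
          loss_magnitude=Estimate(50_000, 250_000, 2_000_000)),
    Asset("marketing-website",
          tef=Estimate(10, 30, 60),
          vulnerability=Estimate(0.05, 0.1, 0.3),
          loss_magnitude=Estimate(1_000, 5_000, 40_000)),
]

if __name__ == "__main__":
    for row in rank_by_exposure(SAMPLE_ASSETS):
        print(f"{row['asset']:<20} mean {row['mean']:>12,.0f}  "
              f"p50 {row['p50']:>12,.0f}  p90 {row['p90']:>12,.0f}")
```

Because both assets end up in the same unit, the ranking (and the gap between the p50 and p90 figures) is what a security team can put in front of the business when arguing where Zero Trust controls should land first. Two caveats apply to this simplified model: it treats each simulated year's loss as the product of a sampled event rate and a sampled magnitude rather than drawing a discrete number of events, and it ignores correlation between assets, so it should not be read as a substitute for a calibrated Open FAIR analysis.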

All of this is, in a narrow sense, perfectly true. The problem comes when the persuasiveness of this pitch, and the frequency with which industry professionals and vendors repeat it, gives organizations a false sense of security.

The truth is that no strategy, whether based on Zero Trust or any other approach, will be successful 100% of the time. Breaches will happen; teams that work on that assumption are likely to be in a much better place to respond than teams that don’t.

Rethinking Success

However, that simple fact raises a serious question: If successfully implementing Zero Trust does not mean absolute protection against attack – and if teams should not be setting absolute protection as their goal – how should they outline and measure what a successful implementation does look like?

When well executed, Zero Trust strengthens an organization's security posture by reducing the blast radius of the breaches that will inevitably occur: even when an attacker gets in, the impact is more likely to stay localized instead of spreading across the estate.

There are also many ways that Zero Trust can fail which go beyond over-confidence. For example, users have long been trained, by both business and consumer technology, to work and think in terms of traditional security approaches. If they are surprised by a new requirement for continuous identity checks, rather than a single handshake at the security perimeter, the result can be frustration and, ultimately, non-compliance, which entirely undermines any security protocol.

Likewise, retrofitting a Zero Trust framework onto an existing suite of security tools and processes may require reworking and reconfiguring the incumbent approach. Some tools will stay in place, complemented or enhanced by Zero Trust solutions, while others may be removed or replaced. Understanding which is which, and acting accordingly, can be a significant investment and requires early buy-in from business leaders, since a partially completed transition can leave the organization more vulnerable than it was before it started.

Any Zero Trust initiative also needs to be prepared to call on the full spectrum of talent needed to design, implement, and manage it appropriately. Beyond a strategic direction set by security leadership, the process will require the input of specialized enterprise architects and security architects who know how to both verify the appropriateness of vendors’ offerings and translate those capabilities onto the organization’s technical estate and the employees’ cultural assumptions and ways of working.

Overconfidence, user behavior, leadership buy-in, skills and talent: all of these come back to defining what success means for Zero Trust ahead of implementation. With a clear idea of a destination and an understanding of the journey required, organizations can plan for security failures, modern working patterns, transformation timelines, and well-informed decision-making.

The Right Input Makes For A Successful Output

While vendors and professionals may express differing ideas about what “good” Zero Trust looks like, organizations can turn to vendor-neutral sources such as NIST SP 800-207 (Zero Trust Architecture) and the Zero Trust Commandments from The Open Group, which approach the topic with the level of granularity that practitioners need to make informed decisions about implementing Zero Trust.

For example, focusing just on the possible pitfalls discussed above, the Zero Trust Commandments establish a foundation for security teams to ‘Assume Failure and Assume Success’: breaches are inevitable (if not already occurring), and the organization can and will recover from them.

The Commandments advocate ‘Enabling Modern Work’, supporting ways of working that are productive and secure without unnecessary friction. They also encourage viewing security as a ‘Continuous Journey’, in which the initial investment may cause disruption but yields improvements worth that disruption. And they stipulate that security teams ‘Make Informed Decisions’ on the basis of the best information that can be made available.

These are just a few details of the Zero Trust Commandments; taken collectively, they – and other neutral standards documents – can put organizations further along the road of truly successful Zero Trust Architecture implementation from day one.

John Linford is Security & OTTF Forum Director at The Open Group
