To Succeed With Zero Trust, First Define Success

Zero Trust is quickly becoming the gold standard cybersecurity approach for organizations, but it is still no silver bullet. While the fundamental concept of Zero Trust has been with us for a long time, recent years have seen a growing body of thinking about how to implement it as well as an ever-evolving, increasingly complex threat landscape as corporate IT infrastructure has become more diffuse through the adoption of cloud and remote working tools.

As a result, Zero Trust today comes with a convincing pitch: By focusing on business assets (especially data) rather than just the perimeter, security teams can work to ensure that assets are protected proportionally to their business value and risk, allowing better prioritization of security spending and investment.

This of course means that business value and risk are communicated in the same language (i.e., currency) to allow effective comparisons, highlighting the need to cyber risk quantification (CRQ), such as the Open FAIR™ methodology.

All of this is, in a narrow sense, perfectly true. However, the problem comes when the persuasiveness of this pitch and the frequency with which it is repeated by industry professionals and vendors gives organizations a false sense of security.

The truth is that no strategy, whether based on Zero Trust or any other approach, will be successful 100% of the time. Breaches will happen; teams that work on that assumption are likely to be in a much better place to respond than teams that don’t.

Rethinking Success

However, that simple fact raises a serious question: If successfully implementing Zero Trust does not mean absolute protection against attack – and if teams should not be setting absolute protection as their goal – how should they outline and measure what a successful implementation does look like?

When well-executed, Zero Trust strengthens an organization’s security posture, reducing the blast radius of inevitable breaches. This means that even if a breach is successful, the impact of that breach will be localized and prevented from spreading.

There are also many ways that Zero Trust can fail, though, which go beyond the issue of over-confidence. For example, users have been trained for a long time, by both business and consumer technology, to work and think in terms of traditional security approaches. If they are surprised by a new requirement for continuous identity checks, rather than a single handshake at the security perimeter, the result can be frustration and, ultimately, non-compliance which entirely undermines any security protocol.

Likewise, retrofitting a Zero Trust framework into an existing suite of security tools and processes may require reworking and reconfiguring the incumbent approach. Some tools will stay in place, being complemented or enhanced by Zero Trust solutions, while others may be removed or replaced. Understanding which is which and acting accordingly can be a significant investment and requires early buy-in from business leaders, as a partial process can result in a more vulnerable cybersecurity posture than the organization started with.

Any Zero Trust initiative also needs to be prepared to call on the full spectrum of talent needed to design, implement, and manage it appropriately. Beyond a strategic direction set by security leadership, the process will require the input of specialized enterprise architects and security architects who know how to both verify the appropriateness of vendors’ offerings and translate those capabilities onto the organization’s technical estate and the employees’ cultural assumptions and ways of working.

Overconfidence, user behavior, leadership buy-in, skills and talent: all of these come back to defining what success means for Zero Trust ahead of implementation. With a clear idea of a destination and an understanding of the journey required, organizations can plan for security failures, modern working patterns, transformation timelines, and well-informed decision-making.

The Right Input Makes For A Successful Output

While vendors and professionals may express differing ideas about what “good” Zero Trust looks like, organizations can turn to vendor-neutral sources like the NIST® SP 800-207 and the 'Zero Trust Commandments' from The Open Group, which approach the topic with the level of granularity that practitioners need to make informed decisions about implementing Zero Trust.

For example, if focusing just on the possible pitfalls discussed above, the Zero Trust Commandments establish a foundation for security teams to ‘Assume Failure and Assume Success’, meaning that breaches are inevitable (if not already occurring) and that the organization can and will recover from them.

The Commandments advocate for ‘Enabling Modern Work’, supporting productive behavior that is also secure and does not unnecessarily inhibit productivity. The Commandments also encourage viewing security as a ‘Continuous Journey’ with an initial investment that may result in disruption but will result in improvements worth the disruption. And, they stipulate that security teams ‘Make Informed Decisions’ on the basis of the best information that can be made available.

These are just a few details of the Zero Trust Commandments; taken collectively, they – and other neutral standards documents – can put organizations further along the road of truly successful Zero Trust Architecture implementation from day one.

John Linford is Security & OTTF Forum Director at The Open Group

You Might Also Read:

PAM, IAM, Or Both?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible



 

« Play Ransomware Gang Attack A Spanish Bank
Exploring The Benefits Of Continuous Compliance »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Cyber adAPT

Cyber adAPT

Cyber adAPT offers a leading network threat detection platform (NTD) to the enterprise and ODM/OEM markets.

Cybertrust Japan

Cybertrust Japan

Cybertrust Japan provides a comprehensive security certification and digital authentication service, enabling customers to build and manage highly secure IT infrastructures.

CUIng.org

CUIng.org

The CUIng initiative was launched to tackle the problem of criminal exploitation of information hiding techniques.

ESTsecurity

ESTsecurity

ESTsecurity is a leading company in cyber security providing intelligent security solutions to make world more secure.

Zerocopter

Zerocopter

Zerocopter enables you to confidently leverage the skills of the world's most knowledgable ethical hackers to secure your applications.

VietSunshine

VietSunshine

VietSunshine is a leading provider of network security infrastructure and solutions in Vietnam.

certSIGN

certSIGN

certSIGN develop innovative software for information security and information systems protection.

Perseus Cyber Security

Perseus Cyber Security

Perseus provides all-around digital protection for small and medium-sized businesses through state-of-the-art software solutions, flexible online training and emergency response.

Edgile

Edgile

Edgile is the trusted cyber risk and regulatory compliance partner to the world’s leading organizations, providing consulting, managed services, and harmonized regulatory content.

Tego Cyber

Tego Cyber

Tego Cyber delivers a state-of-the-art threat intelligence platform that helps enterprises deploy the proper resolution to an identified threat before the enterprise is compromised.

Abertay cyberQuarter

Abertay cyberQuarter

The Abertay cyberQuarter is a cybersecurity research and development centre housed within Abertay University.

Banyax

Banyax

Banyax provides 24×7 real-time Cyber Defense Center Services using the latest technology tools to provide state-of-the-art defense.

Lab 1

Lab 1

Lab 1 turns criminal data breaches and attacks into insights. Get alerts of data breaches or ransomware attack incidents as they happen.

Tidal Cyber

Tidal Cyber

We formed Tidal for one simple reason—we believe that defenders need and deserve tools and services that make achieving the benefits of threat-informed defense practical and sustainable.

Robust Intelligence

Robust Intelligence

Robust Intelligence enables enterprises to secure their AI transformation with an automated solution to protect against security and safety threats.

AmiViz

AmiViz

AmiViz is the first B2B enterprise marketplace focussed on Cybersecurity business in the Middle East and Africa, designed specially to serve the interests of enterprise resellers and vendors.