To Succeed With Zero Trust, First Define Success

Zero Trust is quickly becoming the gold standard cybersecurity approach for organizations, but it is still no silver bullet. While the fundamental concept of Zero Trust has been with us for a long time, recent years have seen a growing body of thinking about how to implement it as well as an ever-evolving, increasingly complex threat landscape as corporate IT infrastructure has become more diffuse through the adoption of cloud and remote working tools.

As a result, Zero Trust today comes with a convincing pitch: By focusing on business assets (especially data) rather than just the perimeter, security teams can work to ensure that assets are protected proportionally to their business value and risk, allowing better prioritization of security spending and investment.

This of course requires that business value and risk be communicated in the same language (i.e., currency) to allow effective comparisons, highlighting the need for cyber risk quantification (CRQ), such as the Open FAIR™ methodology.
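The comparison the paragraph describes only works once both sides are expressed in currency. The following is an added illustration, not code from the article or from The Open Group, of the FAIR-style decomposition of risk into Loss Event Frequency (events per year) and Loss Magnitude (cost per event). It is a deliberately simplified model rather than the full Open FAIR method: each estimate is a calibrated (min, most likely, max) triangle, a Monte Carlo run turns them into an annual-loss distribution, and a small helper checks whether a control that reduces event frequency saves more than it costs. The asset names, figures and the `AssetRisk`, `simulate_annual_loss`, `prioritize` and `control_pays_off` names are all constructed for the example.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetRisk:
    """One business asset with calibrated (min, most likely, max) estimates.

    lef: Loss Event Frequency, expected breach events per year.
    lm:  Loss Magnitude, cost in currency of a single loss event.
    """
    name: str
    lef: tuple
    lm: tuple


def tri_mean(t):
    # Mean of a triangular distribution with corners (min, mode, max)
    return sum(t) / 3.0


def expected_annual_loss(asset):
    # Point estimate in currency: E[events per year] * E[cost per event]
    return tri_mean(asset.lef) * tri_mean(asset.lm)


def poisson(rng, lam):
    # Knuth's algorithm; adequate for the small event rates used here
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(asset, trials=5000, seed=7):
    """Monte Carlo: sample a yearly event rate, draw the event count,
    price each event, and summarize the distribution of annual loss."""
    rng = random.Random(seed)
    lo_f, mode_f, hi_f = asset.lef
    lo_m, mode_m, hi_m = asset.lm
    annual = []
    for _ in range(trials):
        rate = rng.triangular(lo_f, hi_f, mode_f)
        events = poisson(rng, rate)
        annual.append(sum(rng.triangular(lo_m, hi_m, mode_m) for _ in range(events)))
    annual.sort()
    return {
        "mean": sum(annual) / trials,
        "p90": annual[int(0.9 * trials) - 1],
        "p99": annual[int(0.99 * trials) - 1],
    }


def prioritize(assets, trials=5000, seed=7):
    # Rank assets by simulated mean annual loss, highest first
    scored = [(a.name, simulate_annual_loss(a, trials, seed)["mean"]) for a in assets]
    return sorted(scored, key=lambda s: s[1], reverse=True)


def control_pays_off(asset, annual_cost, lef_reduction):
    """Does a control that cuts this asset's LEF by `lef_reduction`
    (0.5 halves it) save more per year than it costs? Returns (bool, saving)."""
    saving = expected_annual_loss(asset) * lef_reduction
    return saving > annual_cost, saving


# Constructed sample portfolio; the figures are illustrative, not real data
ASSETS = [
    AssetRisk("public marketing site", lef=(0.5, 2.0, 5.0), lm=(500, 2_000, 3_500)),
    AssetRisk("HR payroll app", lef=(0.1, 0.5, 1.2), lm=(10_000, 40_000, 100_000)),
    AssetRisk("customer data warehouse", lef=(0.01, 0.05, 0.1), lm=(500_000, 2_000_000, 5_000_000)),
]

if __name__ == "__main__":
    for name, mean in prioritize(ASSETS):
        print(f"{name:26s} mean annual loss ~ {mean:>12,.0f}")
    warehouse = ASSETS[2]
    ok, saving = control_pays_off(warehouse, annual_cost=20_000, lef_reduction=0.5)
    verdict = "worth it" if ok else "not worth it"
    print(f"halving LEF on '{warehouse.name}' saves ~ {saving:,.0f}/yr -> {verdict}")
```

The point of the tail percentiles is that the asset with the highest mean loss (the data warehouse) shows a 90th-percentile annual loss of zero: most years nothing happens, and the expected value is driven entirely by rare, very expensive events. A point estimate alone would hide that, which is exactly the kind of information leadership needs when deciding where Zero Trust spending goes first.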

All of this is, in a narrow sense, perfectly true. However, the problem comes when the persuasiveness of this pitch and the frequency with which it is repeated by industry professionals and vendors gives organizations a false sense of security.

The truth is that no strategy, whether based on Zero Trust or any other approach, will be successful 100% of the time. Breaches will happen; teams that work on that assumption are likely to be in a much better place to respond than teams that don’t.

Rethinking Success

However, that simple fact raises a serious question: If successfully implementing Zero Trust does not mean absolute protection against attack – and if teams should not be setting absolute protection as their goal – how should they outline and measure what a successful implementation does look like?

When well-executed, Zero Trust strengthens an organization’s security posture, reducing the blast radius of inevitable breaches. This means that even if a breach is successful, the impact of that breach will be localized and prevented from spreading.

There are also many ways that Zero Trust can fail, though, which go beyond the issue of over-confidence. For example, users have been trained for a long time, by both business and consumer technology, to work and think in terms of traditional security approaches. If they are surprised by a new requirement for continuous identity checks, rather than a single handshake at the security perimeter, the result can be frustration and, ultimately, non-compliance, which entirely undermines any security protocol.

Likewise, retrofitting a Zero Trust framework into an existing suite of security tools and processes may require reworking and reconfiguring the incumbent approach. Some tools will stay in place, being complemented or enhanced by Zero Trust solutions, while others may be removed or replaced. Understanding which is which and acting accordingly can be a significant investment and requires early buy-in from business leaders, as a partial process can result in a more vulnerable cybersecurity posture than the organization started with.

Any Zero Trust initiative also needs to be prepared to call on the full spectrum of talent needed to design, implement, and manage it appropriately. Beyond a strategic direction set by security leadership, the process will require the input of specialized enterprise architects and security architects who know how to both verify the appropriateness of vendors’ offerings and translate those capabilities onto the organization’s technical estate and the employees’ cultural assumptions and ways of working.

Overconfidence, user behavior, leadership buy-in, skills and talent: all of these come back to defining what success means for Zero Trust ahead of implementation. With a clear idea of a destination and an understanding of the journey required, organizations can plan for security failures, modern working patterns, transformation timelines, and well-informed decision-making.

The Right Input Makes For A Successful Output

While vendors and professionals may express differing ideas about what “good” Zero Trust looks like, organizations can turn to vendor-neutral sources like NIST® SP 800-207 and the ‘Zero Trust Commandments’ from The Open Group, which approach the topic with the level of granularity that practitioners need to make informed decisions about implementing Zero Trust.

For example, if focusing just on the possible pitfalls discussed above, the Zero Trust Commandments establish a foundation for security teams to ‘Assume Failure and Assume Success’, meaning that breaches are inevitable (if not already occurring) and that the organization can and will recover from them.

The Commandments advocate for ‘Enabling Modern Work’, supporting behavior that is secure without unnecessarily inhibiting productivity. The Commandments also encourage viewing security as a ‘Continuous Journey’, with an initial investment that may be disruptive but yields improvements worth that disruption. And they stipulate that security teams ‘Make Informed Decisions’ on the basis of the best information that can be made available.

These are just a few details of the Zero Trust Commandments; taken collectively, they – and other neutral standards documents – can put organizations further along the road of truly successful Zero Trust Architecture implementation from day one.

John Linford is Security & OTTF Forum Director at The Open Group
