Migration to zero trust in practice – including the pitfalls

[harlan4096]

How organizations implement zero-trust principles, and what CISOs advise for project success.
 
This year marks the 15[sup]th[/sup] anniversary of the first guide to implementing the zero trust security concept, which, according to a Gartner survey, almost two-thirds of surveyed organizations have adopted to some extent. Admittedly (in the same Gartner survey), for 58% of them this transition is far from complete, with zero trust covering less than half of infrastructure. Most organizations are still at the stage of piloting solutions and building the necessary infrastructure. To join the vanguard, you need to plan the transition to zero trust with eyes wide open to the obstacles that lie ahead, and to understand how to overcome them.

Zero trust best practices

Zero trust is a security architecture that views all connections, devices, and applications as untrusted and potentially compromised — even if they’re part of the organization’s internal infrastructure. Zero trust solutions deliver continuous adaptive protection by re-verifying every connection and transaction based on a potentially changed security context. This way, companies can mold their information security to the real-world conditions of hybrid cloud infrastructures and remote working.

In addition to the oldest and best-known guidelines, such as Forrester’s first report and Google’s BeyondCorp, the components of zero trust are detailed in NIST SP 800-207 (Zero Trust Architecture), while the separate NIST SP 1800-35B offers implementation recommendations. There are also guidelines that map specific infosec measures and tools to the zero trust methodology, such as CIS Controls v8. CISA offers a handy maturity model, though it’s primarily optimized for government agencies.

In practice, zero trust implementation rarely follows the rule book, and many CISOs end up having to mix and match recommendations from these guidance documents with the guidelines of their key IT suppliers (for example, Microsoft), prioritizing and selecting measures based on their specific situation.

What’s more, all these guides are less than forthcoming in describing the complexities of implementation.

Executive buy-in

Zero trust migration isn’t purely a technical project, and therefore requires substantial support on the administrative and executive levels. In addition to investing in software, hardware, and user training, it demands significant effort from various departments, including HR. Company leadership needs to understand why the changes are needed and what they’ll bring to the business.

To get across the value and importance of a project, the “incident cost” or “value at risk” needs to be clearly communicated on the one hand, as do the new business opportunities on the other. For example, zero trust protection can enable broader use of SaaS services, employee-owned devices, and cost-effective network organization solutions.

Alongside on-topic meetings, this idea should be reinforced through specialized cybersecurity training for executives. Not only does such training instill specific infosec skills, it also allows your company to run through crisis management and other scenarios in a cyberattack situation — often using specially designed business games.

Continue Reading...