Zero Trust is Not a SKU – It’s a Journey Well Worth Undertaking

BrandPost By Saša Zdjelar, SVP Security Assurance, Salesforce
Oct 05, 2022 · 4 mins



Zero trust is the security buzzword of the moment, and while it is a very powerful approach, nearly every enterprise security product on the market – and some that aren’t even security products – claims to enable zero trust. This is particularly prevalent in the marketing of multi-factor authentication (MFA) platforms and endpoint protection (EPP)/endpoint detection and response (EDR) point solutions, but it’s by no means limited to them.

The problem is this: you cannot buy zero trust.

Zero trust is an approach, an architecture, and a journey, not software, hardware, or a service to deploy. And it’s popular because zero trust hardens security by denying access by default and only allowing access according to policies based on the principle of least privilege. If there is a breach, micro-segmentation prevents threats from moving laterally across the network, containing the damage and minimizing the blast radius. Zero trust also allows companies to explore retiring large parts of their existing traditional network and infrastructure in favor of more commodity (read: less expensive) solutions, such as public internet links instead of MPLS circuits. It also improves productivity, because when properly implemented, accessing digital assets is frictionless in zero trust, so long as one is authorized to do so.

Certainly, you build a zero trust architecture with products. But buying and deploying those products isn’t enough, and it’s not the hard part. It would be like saying you’ve updated your home from mid-century modern to contemporary by buying a bright blue piece of art. There’s so much more to zero trust than its components.

First, your organization must have strong security fundamentals. Good IT hygiene may not be particularly sexy, but nothing provides a stronger security ROI than proper, consistent management of assets, patches, and privileges.

The organization also needs to secure broad C-level support for the project. The path to zero trust is not always smooth. It’s a wholesale change in how a company approaches security – a complete flip of the table. The organization will frequently find itself taking two steps back to take three steps forward, and people will get frustrated. Only strong leadership and commitment from the most senior levels will enable the company to persevere.

Next, establish “birthright” access for every role, which defines the default access an individual should have when they join the team at a specific level. It’s a complex task, but necessary to inform the policies that zero trust will enforce.

Only once these goals have been achieved should an organization begin buying, deploying, and assembling the components. Without this foundation, it doesn’t matter how strong the components are – you’ll never achieve zero trust. Reader beware: zero trust is often like a canary in a coal mine for all the basics you may not be good at. Once you roll out all those agents and tools for MFA, EPP/EDR, SWG, SDP, etc., those tools will need to actually DO something – and that signaling comes from your source systems such as asset management, identity management, etc. In the legacy world, not having an accurate CMDB typically doesn’t have operational implications, but in the zero trust world, if the data is inaccurate, the application may simply not work. Be good at the basics!

Throughout the process, leadership must continually communicate the benefits that zero trust will bring to everyone. Zero trust is unique among security initiatives in that it can reduce cost, improve security, and increase productivity. Typically, one can only achieve two out of three, at best.

It’s important to keep in mind that the zero trust journey is never truly over. The organization will continue to learn and make improvements. So be careful not to go off track: nurture that C-level commitment to zero trust, pay attention to IT security fundamentals and don’t fall for expansive marketing claims about how a single SKU will act as a shortcut to zero trust.

There are no shortcuts. Zero trust is a journey — but it’s one that is well worth undertaking.
