Zero trust has long been touted as a key component of effective security. Its importance has increased significantly in recent years with the rise of remote, mobile, edge and cloud computing models. In practice, however, zero trust is difficult to achieve.
A new report from Accenture found that 88 percent of organizations struggle to define zero trust, much less implement it. A lack of clear guidelines, along with technical, operational and cultural challenges, makes the journey to zero trust difficult to navigate.
That’s not to say that organizations have had zero success. A 2024 Gartner survey found that 63 percent of organizations have implemented zero trust to some extent. However, 58 percent are in the early stages of implementation, with less than half of their environments protected by zero trust controls.
Overcoming the hurdles to zero trust starts with understanding that it’s a model, not a solution, and that it must be a strategic initiative, not a tactical deployment. Organizations should identify specific use cases and take a phased approach to zero trust implementation.
Why Is Zero Trust So Difficult?
The zero trust model operates on the principle of “never trust, always verify.” All users, devices and services are untrusted until they are verified and authenticated. Verification is performed for every access request. Access is strictly limited according to least privilege access principles. Zero trust also assumes that a breach has occurred or is in progress, so the environment is monitored continuously for deviations from baseline behavior.
It sounds straightforward, but it’s difficult to put into practice. Despite the claims of some vendors, there isn’t one product that can create a zero trust environment. Zero trust is a framework, and no specification fully defines the elements involved.
While industry frameworks can serve as a starting point, each organization must adapt the model to meet its unique access demands, compliance requirements and other characteristics. Management pushback and cultural changes can also be significant hurdles. Some CISOs have described a comprehensive zero trust deployment as a 10- or 12-year journey.
Starting at the High Level
Given these challenges, the first step is to get buy-in from business leaders. Zero trust is a radical departure from traditional security models, in which users are trusted once they’re inside the network. IT leaders must provide a clear definition of what zero trust means in the context of the organization’s environment, and why it is worth the investment in time and money. That makes it easier to gain approval for the various technology components and operational changes that will be needed.
Operational changes are a critical component. Most organizations have at least some of the technical components of zero trust in place, but they’re not working together in a coordinated way. Organizations need to establish policies for user, device and service identities and processes for governing those identities. Senior management will need to champion that kind of change.
Getting management buy-in becomes somewhat easier if IT strikes a balance between security and efficiency, and develops an implementation plan that minimizes disruption. Starting with quick wins can help garner support for the initiative.
Not a Silver Bullet
Ensuring a high-quality user experience is also important. Users are accustomed to logging in once and gaining access to a wide range of IT resources. Continual validation and monitoring are going to create friction, and least privilege access will prevent users from accessing some resources. IT teams should meet with users to explain the objectives and address any concerns or pain points they may have.
Throughout the process, IT should stress that zero trust is not a silver bullet. Attackers are becoming more adept at defeating access controls such as multifactor authentication. Organizations must continually adapt their zero trust strategy to address the changing threat climate.
Technologent’s security team is here to help you define a zero trust framework that addresses your organization’s unique processes and requirements. We can then help you develop the right policies and procedures, identify the low-hanging fruit, and chart a course to zero trust maturity. We’re here to serve as your trusted partner in enhancing your security posture.
Comments