Zero trust is increasingly being touted as a solution that can fix many of the security problems and weaknesses faced by organizations. But implementing a zero trust model is easier said than done as it requires a rethinking of your entire security posture and environment. A report released Tuesday by identity security firm One Identity looks at the challenges that crop up when organizations seek to adopt zero trust.
SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)
To compile its new “Zero Trust and IT Security” report, One Identity commissioned Dimensional Research to conduct a survey of 1,009 IT security professionals to get their opinions on adoption and experiences with zero trust security. The responses came from a variety of industries, countries, and company sizes.
Among the respondents, 75% cited zero trust as critically or very important to their organization’s security posture. Some 24% said it was somewhat important, while only 1% dismissed it as not important.
For most of the organizations polled, zero trust is still a work in progress. Only 14% have already adopted a zero trust model. Among the rest, 39% said that they’ve started their implementation but aren’t finished, 22% plan to set up a full zero trust model within the next 12 months, and 14% said that an implementation is coming but it will take more than 12 months. Just 8% reported no plans to set up zero trust, while 2% didn’t know what zero trust meant.
There’s no one correct approach to kicking off a zero trust initiative. Instead, the respondents pointed to a variety of methods. A full 49% suggested that organizations start by continuously verifying who has access to what and when. Some 48% advised organizations to better monitor user access and privileges, 41% recommended starting by setting up new access management technologies and 35% suggested mapping the traffic of sensitive data.
SEE: 5 tips for implementing a zero trust model (TechRepublic)
Other suggestions for starting a zero trust project were to leverage situational awareness and behavioral monitoring, modify privileges just in time and rearchitect the network. Just 1% said that zero trust lacks clarity, so it’s difficult to know where to start.
Asked how and where their own organization plans to begin with a zero trust initiative, 61% said they would reconfigure access policies, 54% would identify how sensitive data moves throughout the network, 51% would start it by setting up new technology, and 39% would rearchitect the network.
So far, these suggestions and plans all sound viable. So, what’s the problem? First, there’s a lack of complete confidence expressed by the respondents. Just 21% said they were very confident in their organization’s understanding of a zero trust model. Some 69% said they were somewhat confident, 9% had minimal confidence, and 1% had no confidence.
Asked about the barriers they face in establishing a zero trust model, those surveyed cited a host of items.
The two most common barriers were a lack of clarity around how zero trust should be implemented and the requirement of zero trust for ongoing identity and access management, each listed by 32%. The third and fourth reasons were the fact that zero trust security models impact employee productivity and that security staffers are too busy and have other priorities, each cited by 31%.
Other obstacles to kicking off a zero trust initiative were a lack of resources or budget, the challenges in predicting the benefits and building a business use case, the tendency of zero trust to create a siloed approach, and the lack of access to zero trust technology. Only 6% said they faced no barriers to implementing zero trust.
SEE: Why many security pros lack confidence in their implementation of Zero Trust (TechRepublic)
How can an organization surmount some of these hurdles and successfully implement a zero trust model?
“To overcome the primary barriers, organizations need to begin thinking more holistically about Zero Trust by taking a unified approach to identity security,” said Larry Chinski, VP of global IAM strategy at One Identity. “Siloed security management limits visibility and causes gaps, inconsistencies and even more risk—forcing organizations to grant always-on privilege. Therefore, it’s important to implement a cybersecurity strategy that is flexible and dynamic, which is not locked into a specific set of processes or constrained by your hybrid infrastructure.”
Chinski suggests that professionals looking to set up a zero trust model start by addressing the increase in identities in the enterprise, known as identity sprawl. To get rid of excessive trust and privileges across your organization, you need to consider not just human identities but machine identities.
“Overall, the key to successful implementation and deployment of zero trust is to focus on the overall concept of never trust, always verify,” Chinski added. “Third-party sources such as the National Institute of Standards and Technology (NIST) developed standards for Zero Trust implementation based on this concept, allowing organizations to weave zero trust models into their overall strategy. Looking at zero trust in a holistic way is a key to helping organizations most effectively implement a ZT architecture.”