There are many reasons to go Zero Trust when it comes to enterprise security. Whether cutting supply chain risk or simply eliminating the bother of VPNs in an increasingly work-from-home environment, Zero Trust works, even if the cultural hurdles to embracing it can sometimes seem steep. In part because of those cultural challenges, however, there’s reason to go slow even as your company aims to go big with Zero Trust security, as Palo Alto Networks Field CTO John Kindervag has written.

Zero Trust: Going slow to go fast

The concept of Zero Trust is simple: It doesn’t matter where you come from, whether inside or outside the network, you’re still going to have to get verified. You want access to a corporate service? You’re going to need authentication, authorization, and encryption.

Because companies have been trying to deploy perimeter security for so long, the Zero Trust approach can seem daunting, even scary. Indeed, as recent survey data suggests, close to half of organizations lack confidence in their ability to deploy Zero Trust.

(Chart: survey data, Pulse Secure)

As such, Kindervag noted, “The thing I fight against now is doing nothing. It’s easier to keep things the way they are,” even if “the way they are” doesn’t really work.

As one of the foremost experts in Zero Trust security, Kindervag has spent over a decade helping organizations embrace this approach. Along the way, he’s learned what works, and what doesn’t. What doesn’t, it would appear, is to go too big, too soon: “I used to think that we should start deploying Zero Trust with the most sensitive data an organization needs to protect because those things are the most important. Experience now tells me that thinking was wrong, and we need to change it.”

Rather than start with the most sensitive assets to protect, Kindervag suggested, it’s best to start with low-risk assets. “You need to start with a low sensitivity environment because you have to give people the ability to fail without retribution. Lab and testing environments are ideal for learning, but pretty much anything can work if it’s low criticality.”

From here, organizations should move to ever more sensitive data, eventually reaching the “crown jewels” of the organization.

All of which makes sense because, as the cultural hurdles above suggest, Zero Trust is less about technology and more about culture. Cultural change doesn’t come quickly, but it’s more easily accomplished if the initial steps come with limited risk.

Disclosure: I work for AWS but nothing herein relates to my work there.