Zero Trust or just untrustworthy? Exploring Zero Trust fears

Zero Trust is a strategy where you assume you’ve been breached and operate as though attackers already have access to your environment. Trevor Dearing, EMEA Director of Technology at Illumio, clears up some of the general fears surrounding this approach to cybersecurity.

Even before the pandemic, implementing Zero Trust architecture was at the top of the agenda for a growing number of organisations as they pursued Digital Transformation strategies. In today’s remote world, with just four in 10 UK workers wanting to return to the office full time, it has become a necessity for keeping increasingly dispersed networks secure, especially with ransomware on the rise.

In fact, recent research by Illumio found that an overwhelming 98% of UK business leaders and IT decision-makers are either already implementing a Zero Trust strategy, or plan to do so soon.

The research found that the leading reasons for those that have already adopted a Zero Trust approach were either because it was part of a wider strategic refresh on security infrastructure, or to improve the business’ agility through Digital Transformation. Most decision-makers cited greater confidence in securing critical assets and reduced risk exposure as the greatest benefits to implementing Zero Trust strategies.

However, the road to Zero Trust can often be challenging. Although it’s at the top of the agenda for security decision-makers, other personnel – board-level executives and the general workforce alike – may not be familiar with what Zero Trust actually means. As a result, there are a number of technical and cultural obstacles that can slow down implementation.

So, what are the barriers?

Technical and monetary challenges

Implementing business change is always a complicated task and around 80% of respondents said they had had at least some form of technological or operational issues in pursuing Zero Trust. The most common issue was legacy systems that could not readily be upgraded to the new approach. This puts companies in a difficult position as completely overhauling systems will invariably be more resource- and cost-intensive than simply being able to integrate them, and it can be easy to fall into the ‘sunk-cost fallacy’ of being reluctant to throw out a previous investment.

Similarly, cost was another leading barrier, with 22% stating that the process was too expensive and they lacked the budget. A similar number (19%) was concerned that they did not have the resources to see the project through to completion.

Although technological issues are very common, they are usually fairly straightforward to solve with the right strategy. The best approach is to view Zero Trust as a series of smaller projects rather than one huge undertaking. Breaking implementation down into manageable stages will make it easier to allocate budget and resources to start making progress.

Fears and misconceptions

Cultural barriers can be more nebulous and harder to pin down, particularly as people are often naturally wary of new and different things. A third of respondents said that their organisation tended to be resistant to change unless it was directly mandated by compliance regulations.

Outside of the general fear of the unknown, Zero Trust seems to have sparked confusion due to a lack of understanding about what it actually is. To be clear, Zero Trust is a strategy where you assume you’ve been breached and operate as though attackers already have access to your environment.

The name seems to be an issue – a third of business leaders are worried that their employees would take implementing Zero Trust architecture as a sign that they were the ones not being trusted. Likewise, a fifth of respondents stated that their board of directors didn’t understand what Zero Trust was and would be unlikely to sign off on it.

Productivity was also a major concern, with an assumption that there would be issues around personnel being able to access assets and information or collaborate with others. This is another issue that stems from a lack of real understanding about Zero Trust strategy, which, in reality, should have no impact on productivity as long as users are connecting securely.

The human element is harder to plan around, but at a time when we’re in desperate need of resilient and proactive approaches to cybersecurity, we need to find ways to overcome the fears and misconceptions about Zero Trust architecture. The best approach is to concentrate on education and awareness. CISOs and other IT leaders need to spearhead an information campaign within the organisation that clarifies what Zero Trust is and why it is beneficial to the entire business.

Board buy-in is particularly important in order to secure the necessary budget, but awareness efforts also need to encompass the wider workforce to support adoption. All employees should have a clear understanding of what Zero Trust architecture means for them. Security teams need to emphasise the fact that Zero Trust is a user-friendly and unobtrusive approach intended to keep everyone secure and it is not reflective of individuals’ trustworthiness. Zero Trust is a philosophy that only grants trust to users, devices, or workloads once they’ve been verified.

Getting started

Taking an organisation through to full operation-wide Zero Trust implementation is a massive task – one that can easily appear overwhelming when beset with budget limitations, technical issues and cultural resistance.

But rather than thinking of Zero Trust as an end result, it’s best to think of it as a journey. Like most long journeys, it can start small, follow many paths and be broken down into manageable sections.

The first step is to understand your IT environments. Start by getting visibility into how your applications, workloads and users communicate with each other and the Internet. This can help you understand how vulnerable different parts of your network are and help you prioritise what to secure first. You can also shut down communications on particularly risky ports to immediately isolate critical assets from a threat.  

It’s also important to secure board backing to ensure there will be adequate budget and resources available. Then, security teams should determine what their most critical assets are (i.e., customer data, source code, etc.) and implement Zero Trust controls to protect them first. Finally, expand your Zero Trust implementation throughout other parts of your environment.

Segmentation and scalability are key

It’s important to remember that no one technology alone gets an organisation to ‘achieve’ Zero Trust. Zero Trust is a philosophy, a strategy and a way of operating. With that said, a critical pillar of any Zero Trust strategy is segmentation. Our research found the majority of organisations already implement some form of segmentation, with most using legacy methods such as virtual firewalls and network-based approaches. Others have adopted more modern options such as segmenting by workload identity or environment.

Firms should look to begin moving towards these newer approaches, as they provide a more granular level of control that is important for Zero Trust. They also benefit from better scalability, crucial in today’s flexible, fast-moving IT environment. Fine-grained control of network infrastructure is not only important for Zero Trust, but it also prevents threat actors from moving around your environment and blocks other critical threats such as ransomware.
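The first step under "Getting started" (map how workloads communicate, then close risky ports into critical assets) and segmentation by workload identity can be sketched together. This is an added example, not code from the article or from Illumio; the IP addresses, labels, flow records, the risky-port list (Telnet, SMB, RDP) and the cross-environment rule are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: workload IP -> identity labels (role, environment).
LABELS = {
    "10.0.1.10": ("web", "prod"),
    "10.0.2.20": ("app", "prod"),
    "10.0.3.30": ("db", "prod"),
    "10.0.9.50": ("laptop", "corp"),
    "10.0.8.40": ("app", "dev"),
}
# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.0.1.10", "10.0.2.20", 8443),
    ("10.0.2.20", "10.0.3.30", 5432),
    ("10.0.9.50", "10.0.3.30", 3389),
    ("10.0.8.40", "10.0.3.30", 5432),
    ("10.0.9.50", "10.0.1.10", 443),
    ("10.0.1.10", "10.0.2.20", 8443),
    ("192.0.2.7", "10.0.3.30", 445),
]
RISKY_PORTS = {23, 445, 3389}   # assumption: Telnet, SMB, RDP
CRITICAL = {("db", "prod")}     # assumption: labels of the critical asset
UNKNOWN = ("unknown", "unknown")

def traffic_map(flows, labels):
    """Collapse IP-level flows into a label-level map with hit counts."""
    counts = defaultdict(int)
    for src, dst, port in flows:
        counts[(labels.get(src, UNKNOWN), labels.get(dst, UNKNOWN), port)] += 1
    return dict(counts)

def review(tmap, critical, risky_ports):
    """Split observed label flows into proposed allow rules and findings."""
    allow, findings = [], []
    for src, dst, port in sorted(tmap):
        if src == UNKNOWN:
            findings.append((src, dst, port, "unlabelled source"))
        elif dst in critical and port in risky_ports:
            findings.append((src, dst, port, "risky port into critical asset"))
        elif dst in critical and src[1] != dst[1]:
            findings.append((src, dst, port, "cross-environment access"))
        else:
            allow.append((src, dst, port))
    return allow, findings

def is_allowed(allow, labels, src_ip, dst_ip, port):
    """Default deny: a flow passes only if its labels match an allow rule."""
    key = (labels.get(src_ip, UNKNOWN), labels.get(dst_ip, UNKNOWN), port)
    return key in allow
```

Because the rules are written against labels rather than addresses, a new production app server inherits the existing policy as soon as it is labelled, with no firewall change per IP.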

At a time when ransomware is running rampant, we cannot let misconceptions about critical security practices prevent us from making our organisations, data and communities more secure and resilient. Zero Trust architecture helps an organisation to reduce the risk exposure created by an increasingly dispersed workforce and network infrastructure. With this security assurance behind them, firms can confidently expand and pursue their Digital Transformation agendas without being held back by the impacts of devastating cyberthreats.
