Zero Trust: Redefining cybersecurity for the modern era

In an age of increasing cyberthreats and sophisticated attacks, traditional perimeter-based security is no longer enough. Zero Trust, a security model based on the principle of ‘never trust, always verify,’ is transforming the way organisations protect their networks, data and applications. By continuously validating user and device access, Zero Trust minimises the risk of breaches and ensures that security remains robust, even in an increasingly complex digital landscape. In this feature, three industry experts from Protegrity, Xalient and 11:11 Systems explain how organisations can implement Zero Trust effectively without compromising user experience or creating unnecessary complexity in their IT infrastructure.

Alasdair Anderson, VP of EMEA at Protegrity

A Zero Trust framework is a valuable layer of cybersecurity defence; however, it should be implemented with a keen overview of an organisation’s requirements and workflow. Without consideration, a Zero Trust framework and tacked-on applications to support business needs can snowball into a bloated and complex IT infrastructure – escalating business costs.

Whilst Zero Trust effectively de-risks applications, servers, and infrastructure, it does not protect data in the event of an attack. For some employees, it will decrease the blast radius of phishing emails or exposed credentials – however, if the employee happened to be the CEO, this would be a different story. Now the threat landscape has become so hostile that a security breach is no longer a question of ‘if’ but ‘when’. Measures must be put in place to mitigate the risk of sensitive, valuable data falling into the wrong hands. The simplest answer is not to put another solution on top, but to take a more holistic approach.

Integrating data-centric security measures into a Zero Trust framework enables organisations to derive the most cybersecurity value from the infrastructure, without disrupting employee workflow and locking away valuable, actionable data. Through applying Privacy Enhancing Technologies (PETs), data can be anonymised, ensuring that in the event of a breach, valuable data remains anonymous, and of little use to threat actors. This risk mitigation may enable organisations to consolidate their cybersecurity solutions, reducing costs.

Further, by incorporating data security into a Zero Trust framework, employee friction can be greatly reduced. Traditional Zero Trust measures often introduce friction, preventing employees from easily accessing the data they need, sometimes leading to delays of up to two weeks. As Protegrity’s research shows, 37% of organisations wait one to two months to access sensitive data, while 32% face delays of three to six months.

These waiting times can disrupt workflow, impact customer experience, and lower employee satisfaction. However, by implementing fine-grained access controls with encryption, employees can still access necessary files – only specific data elements are encrypted based on clearance levels. This balance between security and usability ensures both protection and efficiency.

Zero Trust alone isn’t enough to protect sensitive data in the event of a breach, and organisations should be careful to consider what solutions they integrate to increase security and reduce workflow friction. By integrating data security solutions such as Privacy Enhancing Technologies (PETs), organisations can minimise breach impact and cut cybersecurity costs without sacrificing efficiency.

David Morimanno, Director of Identity and Access Management Technologies at Xalient

Zero Trust is a comprehensive cybersecurity methodology that operates under the principle that no connection, device, or user should be trusted by default, regardless of location within or outside the network perimeter. This approach challenges traditional security models by eliminating implicit trust and ensuring that every access request is thoroughly verified.

However, achieving a true Zero Trust framework can be challenging for organisations. Many struggle to gain a deep understanding of the various components within their security infrastructure, making it difficult to implement a unified and holistic Zero Trust strategy.

Often, organisations adopt a fragmented or siloed approach to security, failing to integrate critical security elements. Additionally, the complexity of Zero Trust means that no single vendor can provide a comprehensive solution across all its dimensions. Instead, a multi-vendor approach is typically required, encompassing a range of solutions such as identity and access management, micro-segmentation, endpoint verification, network access control and continuous real-time monitoring.

Within an organisation, the delegation of security responsibilities across different teams often adds another layer of complexity. For instance, network management and identity management are typically handled by separate teams, each with its own priorities and methodologies. This division can create significant challenges when attempting to implement a cohesive security strategy.

Achieving a truly integrated security posture often requires a fundamental shift in organisational culture, structure and strategy – changes that are inherently complex and necessitate buy-in from multiple levels within the organisation.

Furthermore, substantial modifications to the existing network infrastructure are frequently required to enable comprehensive visibility and control, which can be costly and time-consuming. In environments with intricate and dynamic configurations, achieving seamless oversight and control over all network connections is particularly challenging from both a technical and operational standpoint.

To overcome this, organisations must embrace their Zero Trust strategy with identity at its core. However, a few critical considerations will either make or break their approach. First, every identity matters – whether it’s employees, contractors, third parties or machines, all must be accounted for. They need to understand which digital assets are the most critical and map access needs accordingly to ensure security efforts are focused where they matter most. Least privilege access isn’t just a best practice – it’s a necessity, requiring regular reviews to keep permissions tight.

CISOs are already stretched thin by compliance and risk demands, necessitating the need to carve out time to see the bigger picture. Smart investment is key – knowing which capabilities to keep in-house and which to outsource. And let’s not forget communication: a Zero Trust strategy only succeeds if security teams actively engage the business, guiding users through the process and reinforcing its benefits.

Sean Tilley, Senior Director of Sales EMEA at 11:11 Systems

Although the benefits of Zero Trust are clear, its adoption comes with some challenges. Financial constraints often limit the immediate implementation of new technologies. After all, it requires a complete overhaul of the existing security infrastructure. Legacy systems also pose an issue, as they are often deeply embedded within the organisational infrastructure, and do not always integrate with new technologies.

Shifting to a Zero Trust model is a complex process, but it’s not impossible, and there are benefits to implementing a step-by-step approach. Begin with a phased rollout to test the waters, make necessary adjustments and then scale when ready. For legacy systems that can’t be immediately replaced, use isolation techniques, like microsegmentation, to provide a temporary solution. Most importantly, institute regular employee training sessions to turn your workforce from a potential liability into your first line of defence against cyberthreats.

Implementing Zero Trust isn’t a plug-and-play affair. It’s a comprehensive, multi-layered strategy that demands meticulous planning and execution. Begin with a comprehensive security audit to identify the most valuable assets and their associated vulnerabilities and weak links. This isn’t a quick scan; it’s an in-depth analysis that will serve as the foundation for building the Zero Trust architecture.

Next, overhaul the security policies to align with Zero Trust principles. This is about more than just setting up firewalls or installing antivirus software. It is necessary to rethink how access is granted, activity is monitored and threats are responded to. Multi-factor authentication (MFA) and network segmentation are non-negotiables. MFA provides an extra layer of identity verification, while network segmentation restricts lateral movement, making it harder for attackers to navigate the network once inside.

But the Zero Trust journey doesn’t end there. Static defences won’t cut it in today’s dynamic threat landscape. Real-time analytics for continuous monitoring are also necessary. This allows you to adapt and respond to emerging threats as they happen, not after the fact.
