Zero trust is hard to come by in the corporate environment. But if you’ve succumbed to one of these six myths, you should fundamentally rethink your strategy. […]
According to the IDG study “Security Priorities 2020”, interest in zero trust technologies is increasing: 40 percent of respondents said they were actively engaged with Zero Trust. In 2019, this figure was only 11 percent. 18 percent of the companies surveyed stated that they already have zero trust solutions in place – more than twice as many as in 2018 (8 percent). Another 23 percent plan to adopt Zero Trust in the next twelve months.
Forrester analyst Steve Turner noted, however, that in his recent conversations with enterprise customers, 50 to 70 percent completely misunderstand the basic concepts and principles of Zero Trust because the marketing hype has taken over: “When we bring these customers back down to earth, the end result is usually the realization that they had wrong ideas about Zero Trust.” To help you avoid this, we’ve put together six common myths and misconceptions surrounding zero trust networks.
“Zero Trust solves a technology problem”
Zero Trust is not a solution to a technical problem but to a business problem, Turner says: “The first step is to understand what business problem you are trying to solve.” John Kindervag, who developed the zero trust model, also stresses the need to focus on business outcomes and advises CISOs to involve the business: “If you don’t know your business needs, you’re going to fail.”
“Zero Trust is a product”
A common misconception holds that Zero Trust has been successfully implemented once identity management, access control and network segmentation are in place. Kindervag, currently Senior Vice President of Cybersecurity Strategy at security MSP ON2IT, dispels this myth: “Zero Trust is a strategic initiative aimed at preventing data breaches.” Kris Burkhardt, CISO of Accenture, describes Zero Trust as “a set of principles” that serve to build a secure technology environment: “No one can sell you a zero trust solution. If you want to buy a product to implement Zero Trust, then you are asking the wrong question.”
Forrester analyst Turner has dealt with customers who bought a product with “zero trust promises” but did not change their approach in any way: “Data was not classified, there were still employees, suppliers and contractors with far too far-reaching access rights, and nothing happened in terms of asset management or network practices.”
“Zero Trust also applies to employees”
As Zero Trust “father” Kindervag explains, the zero trust approach is not aimed at making systems trustworthy. Rather, it is about banishing the concept of trust from IT systems altogether: “Trust is a vulnerability that is exploited in data breaches.”
This is sometimes misinterpreted to mean that the company suddenly no longer trusts its employees: “It is the task of the CISOs to explain that this is not about personal concerns, but about preventing data breaches in the company that potentially affect all employees.”
“Zero Trust is hard to implement”
Kindervag also rejects the idea that Zero Trust is difficult to realize: “This is a myth created by those who see their defense-in-depth model in danger. Zero Trust is not complicated and certainly not more expensive than what companies are already doing. However, the cost of a data breach has not yet been taken into account.”
Turner agrees that it is much easier to put a zero trust approach into practice today: “The tools themselves have improved and vendors are now working together across product lines.”
“This is how Zero Trust is done.”
Over time, two approaches to getting started with zero trust have emerged, according to Turner. One focuses on identity management, the other on network security: “Some companies start with identity management and quickly move on to implementing multi-factor authentication, which brings the simplest and fastest successes. Other companies take a network-centric approach, where they tackle micro-segmentation first, which can be a bit more difficult.”
“SASE is Zero Trust.”
Secure Access Service Edge (SASE) has become a popular way to gain a foothold in zero trust, because SASE moves security management to the cloud. According to Turner, however, many companies resorted to SASE in the chaotic early days of the pandemic to solve the immediate problem of employees suddenly working remotely: “SASE solutions are not designed for hybrid models. These companies must now go back to the drawing board and design Zero Trust as a company-wide strategy.”
* Neal Weinberg is a freelance writer for our US sister publication Network World.