Four Zero Trust hurdles that organizations are failing to clear
More than a decade after the concept of Zero Trust was first introduced, it’s become one of the biggest buzzwords in the industry. According to Microsoft, 96 percent of security decision-makers believe Zero Trust is ‘critical’ to their organization’s success, with 76 percent in the process of implementation currently.
Zero Trust is on the rise because the traditional security model, which assumes that everything inside an organization’s network can be trusted, is no longer valid. As enterprises manage their data across multiple applications and environments, on-prem or hosted in the cloud, and as users access data through more interfaces, the network perimeter becomes porous and less defined. The threat surface expands as the edge becomes indefensible. This change has led many organizations to embrace Zero Trust principles to improve their security posture.
Based on the simple principle that businesses should "never trust, always verify," Zero Trust relies on strong authentication methods and simplified 'least access' policies to ensure more secure environments and better digital transformation. The shift to Zero Trust was turbocharged by the pandemic. However, as with any rapid adoption, many businesses have discovered that there are significant teething problems associated with the transition to Zero Trust. In many instances, these problems arise because companies haven’t taken the time to establish the proper foundations necessary for a Zero Trust model to work.
Four fundamentals for Zero Trust
There are two approaches to Zero Trust. The first is to roll it out across an entire organization. While this is the most secure approach, it is also significantly more challenging. As a result, many businesses opt for Zero Trust 'projects' which only cover a small section of the business. Regardless of which option businesses choose, there are four fundamental capabilities that need to be in place beforehand, if Zero Trust is to have any chance of success.
1. Data discovery and classification
The Zero Trust model requires granular visibility of data access across the entire network estate. This relies on security teams having visibility over all sensitive data assets, something that has become increasingly difficult as modern enterprises now have data assets in hundreds of different locations, both on-prem and in the cloud. Indeed, the majority of businesses (54 percent) confess to not knowing where all of their sensitive data is being stored, while 65 percent believe they have so much data, it’s impossible to categorize or analyze it.
As a result, whether applying Zero Trust across the entire business or limited to specific projects and departments, automated data discovery and classification is essential. Without insight into the location, volume, and context of all data assets, Zero Trust is dead on arrival.
2. Data Activity Monitoring (DAM)
Once an organization determines where all of its sensitive data is, the next requirement for a successful Zero Trust program is the ability to see what data was accessed, when, from where, and by whom. You cannot reduce the risk to data if you are not monitoring it effectively. Data Activity Monitoring (DAM) tools allow businesses to alert on or block database attacks and abnormal access requests in real time, and they are also essential for identifying excessive or dormant user rights to sensitive data, which must be remediated for Zero Trust to work effectively.
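As an added example (not from the article and not Imperva's product code), the three checks described above expressed over a constructed entitlement table and a constructed DAM audit log: grants that were never exercised in the review window, access with no matching grant, and access from outside trusted address ranges. The table names, users and addresses are all invented sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entitlements: which principals may read which sensitive tables.
ENTITLEMENTS = {
    "alice": {"customers.pii", "payments.cards"},
    "bob": {"customers.pii"},
    "svc_report": {"customers.pii", "payments.cards", "hr.salaries"},
}

# Constructed sample DAM audit records: (ISO timestamp, user, table, source IP).
AUDIT_LOG = [
    ("2024-03-01T09:12:00", "alice", "customers.pii", "10.0.1.20"),
    ("2024-03-02T10:05:00", "alice", "customers.pii", "10.0.1.20"),
    ("2024-03-03T08:40:00", "svc_report", "customers.pii", "10.0.5.7"),
    ("2024-03-03T08:41:00", "svc_report", "payments.cards", "10.0.5.7"),
    ("2024-03-04T12:00:00", "bob", "hr.salaries", "10.0.1.21"),
    ("2024-03-04T23:55:00", "bob", "customers.pii", "203.0.113.9"),
]


def parse_log(log):
    """Turn the raw audit tuples into (datetime, user, table, ip) records."""
    return [(datetime.fromisoformat(ts), user, table, ip) for ts, user, table, ip in log]


def dormant_rights(entitlements, log, now_iso, window_days=30):
    """Return (user, table) grants not exercised within the window: candidates for removal."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=window_days)
    used = defaultdict(set)
    for ts, user, table, _ in parse_log(log):
        if ts >= cutoff:
            used[user].add(table)
    return sorted((u, t) for u, tables in entitlements.items() for t in tables - used[u])


def unentitled_access(entitlements, log):
    """Return access events where the user held no grant for that table (policy gap or abuse)."""
    return [(user, table, ip) for _, user, table, ip in parse_log(log)
            if table not in entitlements.get(user, set())]


def unusual_source(log, trusted_prefixes=("10.",)):
    """Flag access to sensitive data from outside the trusted address ranges."""
    return [(user, table, ip) for _, user, table, ip in parse_log(log)
            if not ip.startswith(trusted_prefixes)]
```

In practice the entitlement table comes from the database's grant catalog and the log from the DAM agent; the review window should match the organization's access-recertification cycle.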
3. Behavioral analytics
One of the problems with moving to a Zero Trust model is that it can cause the number of false positive alerts sent to security teams to rise substantially. Alert fatigue is caused by the overwhelming number of alerts sent to security teams every day, leading to real issues being missed or ignored amid the flood of other information. Behavioral analytics is highly effective at eliminating false positives, helping to dramatically reduce alert fatigue. Without it, a Zero Trust approach designed to increase security can end up having the reverse effect by drowning security analysts in a tidal wave of false alarms.
4. Vulnerability assessments
Finally, vulnerability assessments should be run regularly to identify configuration errors and minimize the threat surface against both internal and external attacks. At a high level, a vulnerability assessment provides a system-level analysis of potential security weaknesses, along with a severity rating and recommended action for each. As such, they are invaluable tools for detecting unnecessary privilege escalations or poor insider security practices, such as easily guessed admin passwords.
Preparing for a Zero Trust world
There are a multitude of factors that determine whether a Zero Trust model is successful in a given enterprise, many of which are not technology-focused. For instance, a comprehensive training program for employees that explains the principles, rationale, and benefits of Zero Trust should be a core part of the rollout for any business.
However, without these four capabilities being in place first, any attempt to implement Zero Trust will almost certainly fail. As with so many things in life, bringing in a successful Zero Trust program involves making haste slowly and establishing firm foundations to make it work.
Andy Zollo is EMEA Regional VP at Imperva