It sometimes helps to think smaller to achieve something much bigger.
Zero trust is broadly understood as a way to improve cyber security hygiene at a time when Australian organisations face a constant stream of threats: according to the OAIC’s latest Notifiable Data Breaches Report, 409 breaches were reported in the January to June 2023 period. Putting zero trust into practice, however, is more challenging.
Research by MIT Technology Review Insights found that 40 per cent of organisations have adopted a zero-trust model, while 18 per cent are implementing one and 17 per cent plan to. We can draw two clear conclusions from this.
First, that leaves one in four respondents who don’t fit into any of those three categories: planning, implementation, or production. That’s a material proportion of organisations. Second, while zero trust is often treated as a “given” for organisations with hybrid workforces and distributed IT environments and application stacks, the value proposition and path to implementation may not be well understood.
Security architecture is also an extremely fast-moving space at present. Zero trust often isn’t the end-game anymore: that’s now secure access service edge or SASE, which encompasses zero trust but also SD-WAN and often considerably more concepts and technologies.
So, the time that zero trust spent as a “North Star” for organisational security strategy was fleeting, only to be replaced by a newer, more ambitious goal.
For some organisations, it may be a case of “too much, too fast”. The view on zero trust and SASE may need to be reframed. To speak idiomatically, there’s no need to boil the ocean; rather, the path to zero trust adoption – and to SASE as a stretch goal, should that be on the radar – is to treat the adoption process more like eating an elephant: “a bite at a time”.
Biting into zero trust
To understand how to bite into zero trust, it’s necessary to have a clear idea of what it is and what adoption involves.
The most important thing to understand is that zero trust is not a single technology but is instead a framework built on the principle of “never trust, always verify”.
In practice, this means that in the design and management of an IT environment, users must be continuously authenticated, verified, and authorised, regardless of whether they’re inside the business.
This is reflected in the first key concept of zero trust: “least-privilege access.” Essentially, this means granting users only as much access as they need, such that all access is provisioned on a need-to-know basis. The need may be defined according to job function, security clearance level, or other approvals.
This concept is vital: it should be applied to application access from anywhere in the enterprise. When implemented properly, this practice dramatically reduces the attack surface and exposure of organisations to threats.
Another standard practice of a zero-trust architecture is to leverage identity, for users and devices, to both grant access to specific resources and applications and to segment users, groups, and applications into small (micro- or hyper-) segments. The segmentation further limits exposure and prevents lateral movement of threats.
The ultimate goal of implementing a zero-trust model is to enable users to work effectively and to reduce obstacles in daily operations. The overarching approach needs to be user- or customer-centric: if the customer’s needs are not met, and security is layered on top of the solution rather than incorporated into it, the system won’t work, even if it remains secure. Instead, a solution built into the system with customer needs in mind both drives productivity and increases adoption.
So, there should be a preference for the solutions and architectures that provide customer-centricity as a guiding principle in zero-trust solutions.
Overcoming key barriers
Importantly, a customer-centric approach also helps organisations overcome many of the barriers to getting zero trust right.
For example, to enforce “least-privilege access”, IT and security teams must agree on exactly what permissions each person should have and establish ways to track and change permissions as people change positions and job titles. Ongoing administration and management of zero trust can be both time-consuming and complex.
Another key barrier is organisational silos. Zero-trust architecture requires collaboration and communication across the business. To effectively determine appropriate access controls, IT teams need to understand business processes and be looped in across departments and leadership. That’s not the norm in most organisations. Many IT and security teams are highly isolated and only approached when something goes wrong. In this case, they need to work together to ensure the process goes right.
In both circumstances, keeping the customer or end-user at the forefront may help all sides and stakeholders to stay aligned, reach an agreement and keep moving towards the common goal of creating a zero-trust framework.
Once a customer-focused mindset is established, the next step towards implementation is determining where the greatest security risk in the organisation lies, and starting zero-trust efforts there.
Technology is the last order of business. It will take an open ecosystem of teams and processes working in tandem to achieve zero trust. But it’s also important to choose a vendor that approaches zero trust holistically across the entire network, from remote access to local campus access. The solution must be pervasive and able to scale with the needs of the organisation without complicating network management.
Carmelo Calafiore is the ANZ regional director at Extreme Networks.