Zero Trust has become one of the hottest buzzwords in cybersecurity over the past few years. The core concept – that organisations should not automatically trust anything inside or outside their perimeters – seems intuitively sensible in an age of cloud computing, mobile devices, and distributed workforces.
However, a perhaps controversial view is that the initial clarity and vision behind Zero Trust have become diluted. What began as a bold new security model is at risk of becoming just another item to tick off the compliance checklist. Has the Zero Trust message got lost along the way? This blog will examine some key challenges and obstacles that have held back Zero Trust adoption and propose strategies to re-focus efforts.
The Meaning of Zero Trust
Let’s start by recapitulating what Zero Trust means at its core. The term “Zero Trust Model” was coined by Forrester Research analyst John Kindervag back in 2010, but the concept has its origins as far back as 1994. The fundamental principle is that organisations should not automatically trust any user, device, or network – whether inside or outside the traditional perimeter. Instead, every access request and transaction should be verified explicitly before granting the least privileged access required.
This approach was a profound departure from the traditional castle-and-moat security model. The corporate network could no longer be viewed as a safe haven compared to the dangerous internet. The rise of BYOD, cloud apps, and remote working meant far less control over devices and users. The only sensible approach was to shift from implicit trust to explicit verification for every interaction.
Early Momentum and Promising Signs
In the early days of introducing the concept, Zero Trust gained rapid mindshare in the cybersecurity community. By 2017, Gartner listed it as an innovative approach that was gaining traction. Google publicly announced its plans to adopt a Zero Trust architecture. The US government included Zero Trust principles in its various cybersecurity initiatives and frameworks.
There were plenty of promising signs that Zero Trust would transition successfully from a visionary idea to a practical reality implemented by leading organisations. Analysts predicted that by 2023, 60% of enterprise infrastructures would implement Zero Trust network strategies across all domains. Kindervag’s radical concept transformed the entire philosophy behind enterprise security.
Muddled Definitions and Point Solutions
However, things have not quite worked out that way. One of the biggest problems has been the fragmentation of definitions of Zero Trust architecture. The original broad concept has been split into numerous point solutions promoted by specific vendors.
For example, the term Zero Trust Network Access (ZTNA) has become widespread. However, this takes one element of the Zero Trust philosophy – context-aware access controls – and many vendors offer it as a single product. Various forms of multi-factor authentication (MFA) products are also marketed as Zero Trust compatible – but this isn’t the complete approach.
With so many vendors jumping onto the Zero Trust bandwagon, its meaning has become obscured. Each offers a slice of the idea tailored to its own product suite capabilities. For technology buyers, this makes it hard to maintain focus on the comprehensive philosophy they need to drive fundamental transformation.
Compliance, not Security Culture
This, in turn, leads to another problem – enterprises adopting a compliance and audit-driven approach rather than genuine cultural change towards Zero Trust principles embedded across their people, processes and technology.
In Europe, the new NIS2 directive comes into play later this year, and US government organisations must adhere to the federal zero trust strategy overseen by CISA. Other regulated industries must demonstrate good security to avoid fines, lawsuits and reputational damage. Too often, this leads to checklist tactics – deploy ZTNA for external users, implement MFA, and run regular penetration tests.
However, using Zero Trust as a vague label to signify improved security without internalising its meaning is counterproductive. It actually widens attack surfaces with poorly integrated products full of vulnerabilities. Only wholescale change to distrust networks, continually verify access, and monitor behaviour provides actual risk reduction.
Lack of Usable Models and Guidance
Even well-intentioned CISOs committed to the Zero Trust vision have lacked usable frameworks and reference models for constructing a practical implementation. Significant complexities have slowed down deployments beyond initial trials and proofs of concept.
For example, defining enterprise segmentation schemes that group similar users, devices and workloads to simplify access policies demands skilled architects. Working out the optimal signals for continuous authorisation decisions also requires considerable planning to balance trust and usability.
Without detailed step-by-step guidance that considers enterprise legacy constraints, many CISOs have found it challenging to advance materially beyond limited base use cases. The promised benefits of flexible access and reduced cyber-risk exposure remain tantalisingly out of reach.
Restoring Clarity of Purpose for Zero Trust
Fortunately, there are signs this year that much-needed clarity around Zero Trust architecture is returning after a period of fragmentation and fuzziness. NIST, the influential US standards body, has, in the last few years, released densely detailed guidance for designing and deploying Zero Trust architecture. Other cybersecurity research organisations like the Cloud Security Alliance promote holistic Zero Trust methodologies and certifications. In the last year, Gartner also published its updated guidance for implementing a Zero Trust security program.
Central to these efforts is restoring Zero Trust to its core guiding principles rather than any specific product combination:
– Assume breach and verify explicitly – eliminate implicit trust
– Use least privilege access – limit on a need-to-know basis
– Inspect and log exhaustively – hunt threats and improve
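As an added illustration, not code from the original post, the following Python sketch of a policy decision point applies the three principles above to each access request: it verifies identity, device posture and context explicitly rather than trusting the network location; it grants only the actions the requester's roles are allowed on that specific resource; and it logs every decision, permitted or denied, so the audit trail can be inspected later. The resources, roles, network segments, risk threshold and sample requests are hypothetical values constructed for the example.

```python
"""Minimal Zero Trust policy decision point (PDP) sketch. All names are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List, Set
import json
import time


@dataclass
class AccessRequest:
    user: str
    roles: Set[str]
    mfa_verified: bool       # a second factor was presented for this session
    device_managed: bool     # device is enrolled in management
    device_compliant: bool   # device passed its posture check
    source_segment: str      # network segment the request arrives from
    resource: str
    action: str              # e.g. "read" or "write"
    risk_score: int          # 0 (low) to 100 (high), from an upstream risk engine


@dataclass
class Decision:
    allowed: bool
    reason: str


# Hypothetical per-resource policy: which roles may do what, plus context requirements.
POLICIES: Dict[str, dict] = {
    "hr-payroll": {
        "role_actions": {"hr-staff": {"read"}, "hr-admin": {"read", "write"}},
        "require_managed_device": True,
        "max_risk": 30,
        "allowed_segments": {"corp", "vpn"},
    },
    "wiki": {
        "role_actions": {"employee": {"read", "write"}},
        "require_managed_device": False,
        "max_risk": 70,
        "allowed_segments": {"corp", "vpn", "internet"},
    },
}


@dataclass
class PolicyDecisionPoint:
    policies: Dict[str, dict]
    audit_log: List[dict] = field(default_factory=list)

    def evaluate(self, req: AccessRequest) -> Decision:
        decision = self._decide(req)
        # Inspect and log exhaustively: record every decision, not only denials.
        self.audit_log.append({
            "ts": time.time(), "user": req.user, "resource": req.resource,
            "action": req.action, "segment": req.source_segment,
            "risk": req.risk_score, "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision

    def _decide(self, req: AccessRequest) -> Decision:
        policy = self.policies.get(req.resource)
        if policy is None:
            return Decision(False, "unknown resource: default deny")
        # Verify explicitly: identity strength and device posture are checked on every request.
        if not req.mfa_verified:
            return Decision(False, "mfa required")
        if policy["require_managed_device"] and not req.device_managed:
            return Decision(False, "unmanaged device")
        if not req.device_compliant:
            return Decision(False, "device not compliant")
        # Network segment is one signal among several; being on "corp" alone grants nothing.
        if req.source_segment not in policy["allowed_segments"]:
            return Decision(False, f"segment {req.source_segment} not permitted")
        if req.risk_score > policy["max_risk"]:
            return Decision(False, f"risk {req.risk_score} exceeds {policy['max_risk']}")
        # Least privilege: the action must be granted to one of the requester's roles.
        permitted: Set[str] = set()
        for role in req.roles:
            permitted |= policy["role_actions"].get(role, set())
        if req.action not in permitted:
            return Decision(False, f"action {req.action} not permitted for roles {sorted(req.roles)}")
        return Decision(True, "all checks passed")


def run_demo() -> PolicyDecisionPoint:
    """Evaluate a few constructed requests and return the PDP with its audit log."""
    pdp = PolicyDecisionPoint(POLICIES)
    requests = [
        AccessRequest("alice", {"hr-staff"}, True, True, True, "corp", "hr-payroll", "read", 10),
        AccessRequest("alice", {"hr-staff"}, True, True, True, "corp", "hr-payroll", "write", 10),
        AccessRequest("bob", {"hr-admin"}, True, True, True, "vpn", "hr-payroll", "write", 55),
        AccessRequest("carol", {"employee"}, False, False, True, "internet", "wiki", "read", 20),
        AccessRequest("dave", {"hr-admin"}, True, False, True, "corp", "hr-payroll", "read", 5),
    ]
    for req in requests:
        pdp.evaluate(req)
    return pdp


if __name__ == "__main__":
    for entry in run_demo().audit_log:
        print(json.dumps(entry))
```

The fourth and fifth requests are the instructive ones: carol is denied although the wiki is open to the internet segment, because she has no second factor, and dave is denied despite sitting on the corporate network, because his device is unmanaged. Adding a new signal (for example a stricter risk threshold after hours) is a change to `POLICIES`, not to the application being protected.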
Just as vitally, modern cybersecurity tools are emerging to resolve the usability problems that have inhibited widescale Zero Trust adoption up till now. Cloud-based solutions can roll out integrated ZTNA for any user and device, combined with inline inspection of risky lateral movement and integrated with Cloud and Data protection for a 360-degree view. Identity management is policy-driven to automatically apply context-based controls and adaptive authorisation via integrated single sign-on. Many vendors now also have ML and AI capabilities to provide adaptive protection to the ever-changing threat landscape.
Execute Zero Trust with Renewed Strategic Purpose
Zero Trust has never been a more critical philosophy as hybrid work patterns dissolve the old network perimeter. However, realising its benefits means moving beyond tick-box compliance towards executing with renewed clarity and strategic purpose.
Rather than getting distracted by point solutions, focus on core guiding principles around least privilege and explicit verification. Take advantage of newly emerging technologies, platform approaches and reference models to overcome past complexity barriers. Aim for business outcomes related to secure agility and risk reduction rather than audit passes.
Zero Trust should be seen as an ongoing transformation journey rather than a one-time project. However, restoring strong foundations and taking incremental steps forward makes the path ahead more achievable. Guided by revitalised first principles, the Zero Trust message can ring louder than ever as the new paradigm for enterprise security.