8 Things That Undermine Zero-Trust Efforts

Zero trust is necessary in today’s hyperconnected world, but there are several challenges businesses face implementing it, which include people, processes, and technology. 

The technology is challenging because there isn’t a single zero-trust network architecture (ZTNA) solution. Instead, there are point solutions covering the five US National Institute of Standards and Technology (NIST) framework pillars: identify, protect, detect, respond, and recover. 

“I think the part that people are frustrated about are they may go buy a really good identity platform and then some really good EDR tooling, but as they get to network and transport, it becomes very, very complicated,” says Mike Lyborg, CISO at AI enhanced security automation company Swimlane. “I think the big thing we see across the board are technical controls to reduce risks that makes [doing one’s job] more complicated. Ultimately, it’s about protecting the data.” 

Internal processes need to be updated to align with zero-trust principles, and employees need ongoing cybersecurity training to keep good hygiene top of mind and because new technology and threats are constantly emerging. Meanwhile, the cybersecurity team needs to stay nimble and mindful. 

“If you can understand the philosophy, you can build the architecture. If you can build the architecture, you can apply technology to the solution, but it’s not always thought of that way,” says Kevin Kirkwood, CISO at Exabeam. “It’s, ‘I’m going to put in firewalls,’ but did you configure them? Did you make sure that you had an access control lists set up? Did you make sure to check the box and you give an allow list for IPs that could be used for things like that? People don’t understand the philosophy. You should be checking for credentials at every door -- every application, every time you touch a network or jump through a different VLAN on your network.” 

Related:Zero-Trust Architecture: What You Need to Know

The following are some more issues that can work against zero trust: 

1. Focusing too much on the perimeter 

Some companies have made staggering investments in cybersecurity, but what works best has necessarily evolved. 

“The traditional network security appliances, like firewalls, are supposed to secure the network, but instead they become the root cause for massive ransomware or data breaches,” says Jeremy Turner, head of cyber and risk at Cogility, in an email interview. “Vulnerabilities in those technologies are easily exploited. So, you’re playing the game of can you patch fast enough against the adversary. A big part of the shift to zero trust is eliminating the attack surface so there’s no longer a firewall they can target.” 

Related:Top US Gov’t CISO Details Zero-Trust Strategy Race

2. Technical debt 

Organizations have been in a constant state of cybersecurity tool acquisition because as new technologies and techniques emerge, they require the addition of yet more tools.  

“The more visibility we have, the more controls we have, the more we realize there’s more to go,” says Wolfgang Goerlich, faculty member at independent cybersecurity research and advisory firm IANS Research.  “If you look at the pillars -- identity device, apps, the network, any one of those has four or five owners in an organization, so trying to convince everyone that we need to coordinate and implement controls is taking longer than many of us thought.” 

3. Inadequate communication 

CISOs can make themselves very unpopular by implementing controls without properly preparing users for them. Anything that disrupts user experience tends to be viewed as an annoyance and a barrier to getting work done. Preparing them for what’s coming and why helps. 

“You communicate up front, you follow that communication when you deploy the technology, and then you flip the switch and work flexibly with them to do that, and people will understand that,” says Kirkwood. “But a lot of times, IT and security folks don’t speak the same language as the business, so me saying, ‘I’m going to put an MFA between your OLTP and your ODS -- things like that, people don’t understand.” 

Related:What Is a Zero-Trust Network and How Does it Work?

4. Data protection practices are unnecessarily weak  

Enterprises have amassed incredible amounts of data, but they aren’t always thinking about it from a cybersecurity point of view. 

“When it comes to building a zero-trust architecture, it can be tackled by combining both old and new practices. For example, let’s look at the principle of least privileged access. That same concept can be applied to data -- it’s important to collect the least amount of information necessary and delete it when it’s no longer needed,” says Dana Simberkoff, chief risk, privacy and information security officer at data management and data governance SaaS provider AvePoint in an email interview. “This is a good privacy, security, and IT practice because you must pay for that storage. If you have redundant, obsolete information sitting around, you’re not only paying for that data, but also creating risk. If you collect information that’s sensitive, you must protect it. Practicing good data lifecycle management ensures the integrity of your collaboration workspaces and content. “  

5. Thinking zero trust is about technology 

Zero trust is both a methodology and cybersecurity principle. According to Steve Winterfeld, advisory CISO at cloud and security company Akamai, when thinking about it as a method to implement, one can reference the NIST 800-207 zero-trust architecture as it will list tasks like access control and micro-segmentation. When thinking about it as a principle, one should remove trust and have all activity be both authorized and authenticated (A&A).  

“The nightmare example is when I joined a company to find once you were granted access you had unfettered access to everything. This means risk accepted by one was shared by all,” says Winterfeld in an email interview. “The issue is A&A and segmentation can cause friction, add complexity and are typically costly. Most companies have access control systems in place for their employees but need to improve role-based management and external auditors/consultant access controls. The next area they can improve easily is deploying FIDO2 compliant MFA. The final area is segmentation, which also has the biggest return on reducing risk. The reality is most networks will be compromised so the goal is rapid detection and minimizing the impact and that can be done with segmentation.” 

6. Tech stack complexity 

Adopting zero trust can be challenging due to legacy systems and the complexity of continuously verifying access across different environments. According to Eddy Abou-Nehme, owner and director of operations at cybersecurity and managed IT services provider RevNet Ottawa, organizations find it tough to shift from traditional security models, which focus on defending the perimeter to a model where every interaction is scrutinized. The lack of visibility into all aspects of the network and the need for advanced identity and access management systems also add to the difficulty. 

“To overcome these obstacles, companies should focus on modernizing their IT infrastructure, which includes investing in IAM systems, endpoint security, and tools that segment networks,” says Abou-Nehme in an email interview. “On a broader scale, the industry needs to improve standardization and ensure that different security solutions can work together smoothly within a zero-trust framework. My advice to peers is to leverage automation and AI-driven tools to minimize human error and to regularly review and update security measures to keep up with new threats.” 

7. One breach can lead to others 

As digital adversaries continue to plague companies and individuals across the globe, security professionals have a duty as leaders in the security industry to educate other industries, leaders, and organizations on the importance of securing sensitive and confidential information to protect themselves against these threats, according to Jordan Avnaim, CISO at identity and data security company Entrust.  

“As an industry, we are all working together to safeguard our assets, protect our enterprises, and prevent the continuation of security incidents. Data exfiltrated from one company’s security incident is often used to attack another company,” says Avnaim in an email interview. “Deploying zero-trust architectures not only helps prevent the initial attack and data exfiltration event, it also helps prevent other companies from being targets and victims.” 

8. They think critically

Network devices are mainly referred to and managed as they have been for decades, according to Curtis Arnold, vice president and chief scientist at Core4ce, a federal contractor with expertise in data and cyber operations. Network devices are viewed in a stove-piped manner, meaning each network solution is managed as a unique solution instead of aligning to a larger integrated security architecture such as zero trust. This traditional approach contrasts sharply with the principles of zero-trust architecture, which emphasizes continuous verification and assumes that threats can come from both inside and outside the network.  

“Initial training and standardization of network device security will help set the baseline that can be built on top of. The most beneficial adjustment will be for security leaders to shift their mindset from the need for a change in technologies to a change in data types and models,” says Arnold in an email interview. “ZT is more about having a data mindset than implementing a specific tool or technology. The primary data elements, such as authentication logs or device health, will be the same among the various technical solutions. A focus on training in those data sets will allow individuals to better support ZT across multiple environments.”