Zero Trust assumes that any person or device with access to an organisation’s data is a potential threat to the enterprise and thus centres on the concept of “don’t trust anything”. Instead a Zero Trust approach will verify the user, the device and restrict access to only the minimum level required for the task at hand every time. This policy is strictly enforced through intelligent access control and network segmentation. The concept of Zero Trust is not new but now, organisations in Australia and New Zealand must take it to the next level.
While for many organisations Zero Trust has been an interesting concept, we are now at a tipping point where the ability to deploy Zero Trust foundations are real and organisations are either seriously evaluating how to approach Zero Trust in their organisation or actively pursuing it now.
There are some challenges with Zero Trust that organisations need to look at addressing including:
- Lack of visibility into connected devices and a lack of detailed asset intelligence. Zero Trust presents a need to verify that the end user and the device being used to access data can be trusted, while also distrusting everything in between. Organisations face the challenge of overlaying Zero Trust on existing infrastructure. Pushing the trust boundary as close to the user, device and application as possible is therefore the main goal for organisations. To do this, organisations must address the gap in visibility across user and user centric devices, applications, service centre devices and other types of Internet of Things (IoT) devices that are not considered typical user centric devices associated with Zero Trust, such as IP video recording devices and corporate printers. These IoT devices can be vulnerable to attacker exploitation if Zero Trust is not extended out to cover these devices. Therefore, organisations must seek to gain visibility into all IP-connected assets that have access to corporate data, both IT and operational technology (OT).
- Limited insight into traffic patterns and system interdependencies. The lack of insight into traffic patterns and system interdependencies results in two main difficulties: how do organisations understand if an application is secured by Zero Trust in its totality, and do organisations leak any of their Zero Trust protection because they are missing visibility into something that is playing a role in an application that is not included in the company’s Zero Trust? Gaining insight into these core areas gives organisations the capacity to conduct continuous assurance for Zero Trust.
- Difficulty in configuring and maintaining network segmentation. The ability to decide on a segmentation policy relies on a comprehensive understanding of the systems in play, including user devices and applications, and how they communicate with each other. Network segmentation adopts a macro-based approach to segmentation due to the limited detail available on host and application interdependencies, while the industry approach promotes multiple specific tools such as host-based or “micro-perimeter” firewall-based segmentation. However, few organisations have the level of visibility to know what granularity of segmentation is sufficient to address the risks identified without introducing unnecessary risk in the event of segmentation-mechanism failure and so are unable to fully leverage the micro-based tools.
- Little-to-no existing automation for firewalls to update policies as devices change and move. If an organisation’s approach to Zero Trust is firewall-centric, a gap is introduced by the fact that there is little to no integration between all devices used and the associated firewall policies. Taking a firewall approach to Zero Trust and “micro-perimeterisation” requires a corresponding device and user-centric visibility component to feed into those firewalls.
- Network access control (NAC) not mapping to specific user roles and business needs. A typical NAC deployment typically includes production user and quarantine network segments. There is a huge gap between the industry Nirvana of mapping to roles and business needs and what’s actually possible in practice for organisations. What’s missing is discovery and intelligence about devices, traffic and interdependencies and mapping this information with something that is implementable in the current environment without ripping out the entire existing infrastructure.
- Security tool integration and information exchange from data centre to cloud is not seamless. The Zero Trust approach to security spans from end devices, to data access and all elements of infrastructure however there are many tools securing different discrete components. While an integrated security approach is recommended by industry standards, there is no overarching security platform that helps to tie all of these discrete components together. While an individual organisation’s approach may be holistic, the implementation is typically fragmented and niche.
- Constantly evolving heterogeneous networks lack centralised access control and asset management. Network connectivity continues to increase, as do connected devices. While there has been consolidation in the network industry over time, there has also continued innovation in networking, which subsequently introduces new types of networks. These constantly evolving networks are not managed holistically and have bespoke ways of performing, which is disconnected from an organisation’s platform approach. Zero Trust needs to be able to cater for both legacy and modern networks whilst also possessing the ability to expand and adapt to new networks as they evolve.
Zero Trust needs to start with 100 per cent device visibility, which is the ability to continuously discover, classify and assess every IP-connected device that touches the extended enterprise network. Only by attaining visibility into everything from traditional servers, laptops, and smartphones to IoT and OT devices, peripherals, network infrastructure, physical and virtual servers, and workloads on public clouds, can organisations trust their asset intelligence and begin to confidently make intelligent security decisions and apply policy-based controls that Zero Trust requires.