Beware of analysis paralysis when implementing Zero Trust


In today’s work-from-anywhere world, a Zero Trust architecture is pivotal. Considering this, we spoke with PJ Kirner, CTO and Co-Founder at Illumio, to discuss why it is now more important than ever that companies adopt a Zero Trust mindset in order to digitally transform and grow their company in a secure way.

About the author

PJ Kirner is CTO and Co-Founder at Illumio.

Put simply, what is Zero Trust, and how does it help an organization looking to strengthen their security posture?

Despite common misconceptions, Zero Trust is not one product or platform; it’s not something you buy. Rather, it is a security framework that eliminates default access for any source. Be it internal or external, a Zero Trust approach assumes that all interior network traffic cannot be trusted without authorization, and only verified identities can access critical networks, applications, systems, and data.

Micro-segmentation, which is a critical pillar of any Zero Trust security model, is a fine-grained security control that isolates attacks, significantly limiting their impact on the organization.

Today, as our operating models evolve and data becomes increasingly dispersed due to cloud migration and at-home working, firms are fighting to catch up with accelerated change. In fact, a recent Forrester study saw 63% of respondents claim their firm was unprepared for the quickened pace of cloud migration and transformation. An equal number found it difficult to maximize the productivity of remote workers without introducing new security risks, which is an interesting catch-22 for business.

Particularly in the face of complex environments and relentless security threats, Zero Trust is one of the most effective, and necessary, approaches for any organization looking to support business growth and build resilience.

What then, are the biggest misunderstandings when it comes to implementing Zero Trust and micro-segmentation?

Too often organizations view Zero Trust as an all-or-nothing approach, where they think they’ll only see benefits once they implement every step of their strategic plan. Consequently, businesses continually hesitate to embark upon their Zero Trust journey because they see it as a huge ‘boil the ocean’ undertaking. This misunderstanding accounts for why the same Forrester research reveals that whilst 75% of decision makers cite the importance of Zero Trust to combat mounting security threats, only 33% have started deploying their plans, and just 6% said their firm’s plan is complete.

In reality, Zero Trust is an approach that can be broken down into multiple small steps. To begin with, organizations can look at the primary issue they want to solve and assess where they can make the biggest gains for the most reasonable investment. It’s helpful to identify the areas that are most vulnerable and where the most business-critical data lives – prioritize implementing security controls where these two overlap. For example, we often have people start with just a few critical assets; we also have people start by trying to weed out unencrypted protocols, or even just eliminating unnecessary management protocols in their environment.

As well as making the task far less daunting, breaking down the complexity and scope of the objectives allows organizations to focus their resources more intentionally. Practically, this makes it easier to secure funding from the board because, as summarized by the Forrester study, security teams need to be able to demonstrate the ROI of any Zero Trust projects in order for their initiatives to succeed. By breaking their Zero Trust journey down into bite-sized pieces, security teams can demonstrate the impact of each step more clearly and quickly.

What realistic advice would you give to an organization looking to embark on their Zero Trust journey?

We’ve established that Zero Trust is a journey rather than a destination. I implore organizations to see Zero Trust as the process of continuous improvement that it is, and not as something that needs to wait until next year, when the board approves the new budget or strategic plan.

I’d suggest security teams start their Zero Trust journey by gaining visibility into their IT environments. Sometimes we simply have people begin by understanding the communications currently happening in their network and the connections that could happen, which helps show real risk. It’s also helpful to understand how on-premises data centers and cloud environments connect with each other. Without this understanding of the network, it’s hard to develop a thoughtful Zero Trust plan.

Then, firms should prioritize where to implement security controls first. Depending on their situation, some organizations might start off by implementing multi-factor authentication, by separating large swaths of their network from each other, or they might focus on port-blocking and ransomware containment. From there, security teams can start scaling up and expanding the Zero Trust architecture across their organization to cover their users, applications, and data.

While there are key pillars to Zero Trust – segmentation being chief among them – it’s important to remember that Zero Trust is not one product or solution; it’s an approach to security. The best advice I can give to security teams is to start making progress on your plan now. Adversaries will keep attacking while you’re waiting to implement controls until you have a perfect plan; you have to assume breach, which is part of the Zero Trust philosophy. Start chipping away at your Zero Trust strategy to make your company more resilient to those attacks today.
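The two starting points Kirner describes, gaining visibility into which communications are actually happening and then prioritizing controls where the most vulnerable traffic (unencrypted or unnecessary management protocols) overlaps with the most critical assets, can be turned into a small triage script. This is an added example, not code from the interview or from Illumio; the flow records, the critical-asset set, and the port-to-protocol tables are constructed assumptions.

```python
# Added example (not the interview's or Illumio's code): triage observed flows so
# the first Zero Trust step hits the overlap of "most vulnerable" traffic
# (unencrypted or unnecessary management protocols) and "most critical" assets.

# Illustrative port tables; tune to what is actually unnecessary in your estate.
UNENCRYPTED = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp"}
MANAGEMENT = {22: "ssh", 23: "telnet", 3389: "rdp", 5985: "winrm"}

# Constructed sample flows (src, dst, dst_port, proto); not real data.
FLOWS = [
    ("10.0.1.10", "10.0.2.20", 23, "tcp"),    # telnet into a critical DB host
    ("10.0.1.11", "10.0.2.20", 5432, "tcp"),  # the DB's real service port
    ("10.0.1.12", "10.0.2.21", 80, "tcp"),    # plaintext HTTP to critical app
    ("10.0.3.5", "10.0.2.20", 3389, "tcp"),   # RDP from a workstation subnet
    ("10.0.3.5", "10.0.3.6", 21, "tcp"),      # FTP between two workstations
    ("10.0.1.10", "10.0.2.21", 443, "tcp"),   # encrypted, expected traffic
]
CRITICAL_ASSETS = {"10.0.2.20", "10.0.2.21"}

def classify(port):
    """Risk flags for a destination port (empty set means nothing flagged)."""
    flags = set()
    if port in UNENCRYPTED:
        flags.add("unencrypted:" + UNENCRYPTED[port])
    if port in MANAGEMENT:
        flags.add("management:" + MANAGEMENT[port])
    return flags

def prioritise(flows, critical):
    """Flagged flows scored +1 per flag, +2 if a critical asset is involved;
    highest first, so the top rows are the overlap to fix first."""
    findings = []
    for src, dst, port, proto in flows:
        flags = classify(port)
        if not flags:
            continue
        hits_critical = src in critical or dst in critical
        findings.append({"src": src, "dst": dst, "port": port, "proto": proto,
                         "flags": sorted(flags), "critical": hits_critical,
                         "score": len(flags) + (2 if hits_critical else 0)})
    return sorted(findings, key=lambda f: (-f["score"], f["dst"], f["port"]))

def allowlist(flows, critical):
    """Observed, unflagged (port, proto) pairs per critical asset: a seed for a
    default-deny segmentation policy that keeps only verified connections."""
    policy = {asset: set() for asset in critical}
    for _src, dst, port, proto in flows:
        if dst in critical and not classify(port):
            policy[dst].add((port, proto))
    return policy
```

On the constructed flows, the telnet session into the database host ranks first, and the allow-list reduces to the database port and HTTPS per critical asset; everything else becomes a candidate for removal before segmentation is enforced.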

