Why you can’t buy a zero-trust silver bullet

As businesses evolve to adopt more cloud services, remote working and bring your own device (BYOD) practices, they are creating new attack surfaces that need new security measures. The traditional perimeter security model of “trusted inside” versus “untrusted outside” no longer exists.

About the author

Tris Morgan, Director of Security Advisory Services at BT.

This has led to the significant adoption of zero-trust – an approach whereby you assume that all application access is potentially malicious or undesirable. But zero-trust is a misnomer. It’s often spoken about as if there’s an endgame or ideal outcome, but it’s a long-term, collaborative journey.

Businesses need to better understand what zero-trust is before putting their hands in their pockets and investing. Despite the hype from many vendors, it’s not a one-stop shop, but instead an approach that needs to be adaptable to organizational and technological change. To channel the right expertise and resources into areas and projects that make the most difference, organizations need to transcend this buzzword and prepare themselves for the realities of a perimeter-less IT environment.

Overcome the hype

The buzz around zero-trust is understandable, but the principle of never trusting and always verifying has been debated for decades. However, it’s only now that this theoretical model is becoming a reality. Zero-trust fits modern cyber security requirements - instead of trying to police all the borders and paths across a network, security teams can create islands of applications and data that can be protected in a much more focused way. 

This approach is certainly the best form of defense in a multi-attack vector environment. Businesses can monitor precisely who and what is accessing their network. It goes beyond simple criteria such as source IP address or username to answer questions such as: who is accessing your data? Where are they coming from? What applications do they want to use and when do they want to access them? How do they want to connect to the applications? What’s more, it also helps organizations understand how adopting new technologies like the Internet of Things (IoT) and SD-WAN affects their risk.

The problem though is that the cybersecurity arms race keeps businesses buying unnecessarily. Because zero-trust is being misused in the industry, organizations believe they can achieve it by buying multiple products from vendors and often fall into the trap of falsely assuming they have reached their end goal of zero-trust once they’ve made the investment. 

This is why zero-trust needs to be better defined. What businesses must understand is that zero-trust is enabled by vendors, rather than being provided by them. It’s not something you can buy off the shelf once – it’s an ongoing, phased concept that encompasses technology and people, and adapts as a business evolves.

There’s no easy ON button for zero-trust

So, what’s the starting point? Begin small. Making the move to zero-trust is a multi-phase, multi-year project. Large, established companies often develop substantial, complex applications but are unable to gain visibility into how they are used. Starting with a smaller, less complex application or a service that is known and understood will enable businesses to learn in a way that does not impact them while still providing repeatable and reusable controls.

Companies also need to start by looking at the people and devices interacting with the organization. They need to develop an identity management strategy and work out which access management solutions they will need to protect their most valuable assets. This means tighter regulation of what each user can do and a more robust approach to an individual’s access rights and privileges, especially those of third parties and suppliers. The key part here is to focus on the concept of least privilege. Only give a device or user access when they absolutely need it.
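As an added illustration, not part of the original article: a default-deny access check that asks the questions listed earlier (who, from where, which application, when, and how they connect) and grants only what a rule explicitly allows, which is least privilege in practice. The policy, group and application names, and the `identity_verified` field are hypothetical.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Rule:                      # one grant: who, what, where, when, how
    group: str
    application: str
    countries: frozenset
    start: time
    end: time
    methods: frozenset

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    application: str
    country: str
    at: time
    method: str
    identity_verified: bool      # assumption: result of a prior strong-auth step

# Constructed sample policy; every name here is hypothetical.
POLICY = (
    Rule("finance", "payroll", frozenset({"GB"}), time(7), time(19),
         frozenset({"managed-device"})),
    Rule("supplier", "invoice-portal", frozenset({"GB", "DE"}), time(8),
         time(18), frozenset({"browser"})),
)

def decide(req, policy=POLICY):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    if not req.identity_verified:
        return False, "identity not verified"
    reason = "no rule grants this group this application"
    for rule in policy:
        if rule.application != req.application or rule.group not in req.groups:
            continue
        if req.country not in rule.countries:
            reason = "location not permitted"
        elif not rule.start <= req.at <= rule.end:
            reason = "outside permitted hours"
        elif req.method not in rule.methods:
            reason = "connection method not permitted"
        else:
            return True, f"granted by rule for {rule.group}"
    return False, reason
```

Note that the supplier group has no path to the payroll application at all: the request is denied before location, time or connection method are even considered.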

Zero-trust also needs to be considered every time a business modifies or augments their IT estate. For example, they need to consider how adding a new technology or tool will impact their access management and what changes they need to make to their zero-trust access policies as a result.

Zero-trust doesn’t always mean starting fresh either. A complete overhaul of existing cyber functionality isn’t necessary. Most organizations already have some of the pieces that make up the zero-trust puzzle in their arsenal and, if they don’t, they should partner with a provider that can optimize their own capabilities instead of a costly rip-and-replace.

The future of trust starts with ‘zero’

Although there’s a lot of hype around zero-trust, it’s important that businesses cut through this noise and understand what it encompasses - including any benefits and challenges along the way. In an ideal world, achieving zero-trust would be as simple as deploying a single solution but there is no magic fix. Zero-trust is a long-term program that needs to be ever present in a cybersecurity strategy.

Businesses should look to partner with the right providers that have extensive experience managing identities and can help them identify the architectural stages required to follow a zero-trust approach, while working with the organization to continually manage their risk as their strategy evolves. After all, zero-trust isn’t a destination, it’s a journey - and, importantly, you don’t have to do it alone.
