ZTNA Guide: Is Zero Trust Widely Accepted?


Zero trust is all the rage in security circles. But does the rest of the world agree? Is zero trust widely accepted?

In this post, we’ll look at what zero trust is and how it’s being used. We’ll also explore whether zero trust has hit the mainstream yet. Stay tuned!

ZTNA Guide: Is Zero Trust Widely Accepted?

Forrester has laid out a plan for a successful zero trust implementation. Here is a paraphrase of Forrester’s five-step model:

  • Recognize your critical data while at rest and in motion.
      • Perform data exploration and categorization.
      • Based on data categorization, segment and zone the network.
  • Determine the best pathways for sensitive data access and egress.
      • All resources engaged in the electronic exchange of sensitive data should be classified.
      • Examine the data pipeline and, if required, redesign it.
      • Verify current procedures, such as PCI architectures and designs.
  • Architect microperimeters with zero trust.
      • Define microperimeters, zones, and segmentation in the vicinity of sensitive data.
      • Use physical and virtual security mechanisms to enforce segmentation.
      • Based on these rules and the microperimeter designs, grant access.
      • Automate the creation of rule and access policy baselines.
      • Audit and log all access and change control.
  • Keep a close eye on the zero trust environment with security analytics.
      • Discover and utilize current security analytics solutions inside the enterprise.
      • Determine the optimal logical architecture and location for your security analytics tools.
      • If a new solution is required, look for a provider who is headed in the same security direction as your business and can provide analytics for your existing security solutions.
  • Take advantage of security automation and adaptive response.
      • Automate company processes with technology.
      • Document, evaluate, and test security operations center policies and procedures to ensure their efficacy and responsiveness.
      • Correlate rules and procedures with security analytics automation to see which manual operations can be replaced.
      • Check the security and automation implementation in your environment and current solutions.

Roadblocks to Zero Trust

While many of the suggested ideas have value and appear rational, many are impossible in practice due to the following challenges that practically every business faces:

Technical Debt

If your firm produces its own software for consumption, and the applications are more than a few years old, you have technical debt.

Internal application redesign, recoding, and redeploying may be costly and disruptive. There must be a strong business need to conduct these sorts of activities. It is not always possible to add security settings to existing apps to make them zero trust. Most likely, your existing apps do not yet support zero trust.

As a result, how dependent you are on bespoke apps will decide whether or not you can embrace zero trust for those processes, and how much time and money will be involved. This is especially true when programs are not microperimeter-compatible or lack the application programming interfaces necessary for automation.

Legacy Software

Legacy apps, infrastructure, and operating systems are not zero trust aware. They have no concept of least privilege or lateral movement, and they lack authentication frameworks that allow for dynamic changes based on context.

Peer-to-Peer Networking

If you believe your firm does not employ peer-to-peer (P2P) networking technologies, you are probably unaware of Windows 10’s default settings.

Beginning in 2015, Windows 10 allowed peer-to-peer technology to share Windows Updates across peer PCs to conserve Internet bandwidth. While some organizations disable it, others are unaware of its existence.

This represents privileged lateral movement between essentially unregulated systems. While no vulnerabilities or exploits for this feature have been discovered, it does allow communications that violate the zero trust concept. There should be no unauthorized lateral movement, even inside a microperimeter.
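As an added example (not part of the original post), this Python code audits flow records against a default-deny baseline and flags peer-to-peer traffic between hosts inside the same microperimeter. The zone ranges, the allowed-flow baseline and the flow records are constructed for illustration; TCP 7680 is the port Windows Delivery Optimization uses for peer traffic.

```python
import ipaddress

# Constructed zone map: every address range here is an assumption.
ZONES = {
    "workstations": ipaddress.ip_network("10.20.0.0/24"),
    "update-servers": ipaddress.ip_network("10.30.0.0/28"),
}

# Baseline of permitted flows: (source zone, destination zone, TCP port).
# Anything not listed is denied, including traffic inside a single zone.
ALLOWED = {
    ("workstations", "update-servers", 443),
}

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.20.0.11", "10.30.0.5", 443),    # workstation -> update server
    ("10.20.0.11", "10.20.0.42", 7680),  # peer update sharing (Delivery Optimization)
    ("10.20.0.42", "10.20.0.11", 445),   # workstation -> workstation over SMB
    ("10.20.0.11", "192.0.2.9", 443),    # destination outside every zone
]

def zone_of(ip):
    """Return the name of the zone containing ip, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def audit_flows(flows):
    """Return one finding per flow that the baseline does not permit."""
    findings = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if (src_zone, dst_zone, port) in ALLOWED:
            continue
        if src_zone is None or dst_zone is None:
            reason = "unmapped-endpoint"
        elif src_zone == dst_zone:
            reason = "intra-zone-lateral"
        else:
            reason = "cross-zone-not-in-baseline"
        findings.append({"src": src, "dst": dst, "port": port, "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```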
