Zero trust requires that all users, whether in or outside the organization’s network, are verified and authenticated continuously. This continuous validation, without implicit trust, ensures security configuration and posture before granting access to applications, workloads and data.
The disruption caused by the COVID-19 pandemic and the rapid shift to a distributed workforce has accelerated the need to not just consider, but implement zero trust security strategies faster. Various industry guidelines define zero trust, such as Forrester’s Zero Trust eXtended (ZTX), Gartner’s Continuous Adaptive Risk and Trust Assessment (CARTA), and more recently NIST 800-207. These are viewed as the optimal way to proactively address current security challenges for a cloud-first, work-from-anywhere world.
However, given the hybrid nature of the enterprise IT environment, organizations often face all the complexities of a zero trust security model without any of the benefits, even after a substantial investment in security tools and skilled staff.
Most CISOs understand that zero trust doesn’t function as a single off-the-shelf solution they can implement easily. The cost and complexity of choosing the right set of security tools covering endpoints, identities and workloads in hybrid environments can slow down the enterprise’s zero trust journey.
These complexities can also come in the way of user experience – leaving end users and IT teams disengaged, IT teams overstretched, and enterprise security compromised.
Enterprises should look for AI-powered security cloud solutions to architect zero trust security to ensure trusted access to applications and systems and improve user experience.
Implicit trust doesn’t exist in zero trust
The essence of zero trust security means that organization ‘trust no one, unless otherwise explicitly allowed’ — a significant departure from traditional network security, which followed the “trust but verify” method and implicitly trusted users and endpoints within the organization’s perimeters.
By removing implicit trust, zero trust requires continuous validation of every access to applications and data, from users and endpoints, significantly reducing the blast radius when attacks happen.
Companies can only succeed with zero trust if they continuously monitor and validate that users and their endpoints have the right privileges and attributes to access workloads, applications, domain controllers, and other critical servers. One-time validation, EDR, or even micro-segmentation or antivirus software operating in silos simply does not suffice because the threats evolve on both sides of the enterprise perimeter and user attributes are dynamic, especially in distributed and remote environments.
A complicated, continuous validation process can cause friction, particularly in hybrid IT environments, leaving employees frustrated as the security controls impede productivity.
With the switch to remote work because of the pandemic and the recent software supply chain attacks further complicating zero trust security, companies need to strike a balance between fixing the access for remote and unmanaged endpoints while preparing the existing digital infrastructure to adopt zero trust architecture.
High friction and high cost
Although zero trust principles are effective covering identities, endpoints and workloads, they are challenging for businesses to implement.
Most organizations will run as hybrid entities for some time, relying on a mix of on-premises and cloud-based solutions. Post-pandemic, many workforces will likely remain remote at least for part of the working week as the current model becomes more widely adopted long-term.
In this environment, creating a zero trust security stack can get expensive, time-consuming, and complicated. When implemented in silos, the different tools may or may not integrate and play well together. Finding out what’s going on in different parts of the network or cloud can require two to three dashboards and disjointed reports.
Visibility and control within the network are major challenges. Most organizations may not have a comprehensive view into, or the ability to set protocols around, all users within their network. Thus, unpatched devices, legacy systems, and over-privileged users are a higher risk.
High friction will also continue to fuel the growing threat of shadow IT where departments deploy their own software and configurations as a means of working around centralized IT limitations (or security controls) to enable functionality that is deemed “necessary” for productivity but hazardous to security best practices.
Endpoints and identities together make e-security frictionless
Identity-based attacks play a critical role in most intrusions, as highlighted in the latest CrowdStrike Services Cyber Front Lines Report. It’s becoming obvious that identity controls should become the core for cyber security management.
In response, innovative AI-powered solutions are helping organizations verify identities in real-time with zero friction. They let enterprises segment user accounts (employees, contractors, remote workers, and even privileged users) along with the endpoints into micro-segments, allowing for security policies to protect the most critical (or highly regulated) systems. All connection requests are continuously verified regardless of device location and corporate asset vs. BYOD.
They also reduce the attack surface by extending multi-factor authentication to any resource or application, including legacy and proprietary systems and tools. Rather than being evaluated retrospectively in a log by yet another security system, proprietary artificial intelligence and machine learning capabilities are now making it possible to evaluate user trust before access is granted and triggers identity verification only when risk changes or anomalies are detected. This happens in real-time, using big data to discover patterns, intent, behavior, and incidents, with the system becoming smarter every day.
AI-enabled platforms are helping organizations achieve consistency of cyber security policies, pass security audits for credential management, and shore up their zero trust architecture with seamlessly integrated systems that work together without the need for extensive customization and hours of management overhead.
Narendran Vaideeswaran, senior product manager, CrowdStrike