Interest in zero trust is surging, according to IDG’s 2020 Security Priorities Study, with 40 per cent of survey respondents saying they are actively researching zero trust technologies, up from only 11 per cent in 2019.
Meanwhile, 18 per cent of organisations indicate they already have zero trust solutions, more than double the eight per cent in 2018. Another 23 per cent of respondents plan to deploy zero trust in the next 12 months.
But Forrester analyst Steve Turner notes that in his recent conversations with enterprise clients, a good 50-70 per cent completely misunderstand the basic concepts and principles of zero trust “because the marketing hype has taken over.”
He adds, “When we bring things back to reality and tell them where they’re at, there is that five stages of grief around zero trust; the realisation that what you had is not what you thought it was.”
Here are some common myths and misconceptions associated with zero trust.
Myth: Zero trust solves a technology problem
Zero trust does not address a technology problem; it addresses a business problem. “The first step is to sit down and understand what business problem you’re trying to solve,” says Turner.
John Kindervag, the former Forrester analyst who created the zero trust model, also emphasises the need to focus on business outcomes, advising CISOs to get the business involved. “If you don’t know your business needs, you will fail,” he says.
Myth: Zero trust is a product or set of products
One common misconception about zero trust is that if you deploy identity management, access control, and network segmentation then you have successfully implemented zero trust. Kindervag, currently senior vice-president of cybersecurity strategy at managed security services provider ON2IT, explains that zero trust is not a suite of products or a set of tactics.
“It’s a strategic initiative designed to stop data breaches,” he says. Accenture CISO Kris Burkhardt describes it as a “set of principles” that you use to build a secure technology environment.
“Nobody can sell you a zero trust solution,” Burkhardt adds. “If you’re looking to buy a product to get to zero trust, then you’re asking the wrong question.”
Turner says he has been talking with clients who bought a product with the promise that it was zero trust, but “they didn’t change their approach to anything.” The organisation didn’t classify data; it still had employees, vendors, and contractors with excess privileges; it did not identify critical assets or change network flows.
Myth: Zero trust means you don’t trust your own employees
Kindervag explains that the zero trust approach is not aimed at making systems trusted; it’s about eliminating the concept of trust from IT systems. “Trust is a vulnerability that is exploited in data breaches. We’re not trying to make systems trusted.”
This sometimes gets misinterpreted as the company suddenly not trusting its workers. CISOs need to explain that it’s not personal; it’s the equivalent of requiring a key card to enter the building. And the ultimate goal is to prevent data breaches, which affect everyone at the company.
Myth: Zero trust is difficult to implement
Kindervag bristles at the idea that zero trust is hard to do. “That’s the mythology created by people who don’t want you to do it because it will kill their defence-in-depth model.” He argues that zero trust is not complicated and certainly not more expensive than what companies are already doing, and that’s not even factoring in the cost of a data breach.
Turner agrees that it’s much easier today to implement zero trust: the tools themselves have improved and vendors are now collaborating across product lines. “It’s significantly easier to get things done today with not as much investment,” he adds.
Myth: There is only one correct way to begin the zero trust journey
Over time, two approaches to getting started with zero trust have emerged: from the security side and from the identity management side, says Turner. Some organisations start with identity and move quickly to deploy multi-factor authentication, which delivers “the easiest and quickest wins.”
Other organisations take a network-centric approach, tackling micro-segmentation first, which can be a bit more challenging, says Turner.
Myth: Deploying SASE means I have zero trust
SASE has recently emerged as a popular way to lean into zero trust because it’s a service that puts security controls in the cloud. However, Turner points out that many companies turned to SASE during the chaotic early days of the pandemic to solve the immediate problem of employees working from home.
SASE addresses zero trust at the edge, but as employees move back to corporate offices, organisations are realising that they are still operating with traditional perimeter security concepts. “SASE solutions are not built for hybrid models,” says Turner. “Now organisations need to go back to the drawing board” and apply zero trust as an enterprise-wide strategy.