If you haven’t adopted a zero trust strategy, what are your reasons for not doing so?
We have implemented components of ZT such as network logging, basic PAM, and some rudimentary SIEM functionality. IMO there are a number of challenges to implementing a full ZT stack, much of which has been addressed by the others:
1. I don’t think anyone actually knows what ZT means. Conceptually yes, but the devil is in the details. I believe this is because its origins stem from an amalgam of things conveyed by different security vendors.
2. It is expensive. If you go with a gold-plated suite it can cost millions. The case for ROI is nebulous and related to “better security” but you’re ultimately trying to prove a negative. As you start to add in additional layers you invariably have tools that overlap and it becomes increasingly harder to justify the costs unless you actually have a large breach (assuming it doesn’t happen while you are implementing ZT, in which case it could be counterproductive).
3. You can buy tools but strategy and processes cannot easily be purchased. Hiring consulting firms often ends up with people telling you what you want to hear (I say this as an ex-consultant) and people overestimating how much can be done with existing resources, who have oftentimes been conditioned to work in a siloed environment that doesn’t require the nuance of ZT (unless you block everything, which defeats the purpose).
4. It is impossible to implement when you aren’t dealing with users. Open PKI infrastructure simply doesn’t exist in the IoT world, where security is years if not decades behind traditional IT security.
5. Finally, do you really need it? Basic PAM, MFA, and SSO can often deliver very quick ROI. Same with a tuned awareness program. As per the process comment above, there is a lot of work in implementing a full ZT strategy and much of this requires things like GRC, DLP, a tuned SIEM, etc., but in many cases these may increase complexity and result in a lot of underutilized tools sitting around. The more legacy infrastructure and tools you have in place, the more difficult this becomes, as people often have no idea what does what and risk aversion gets in the way of progress.
In summary, my concern is that buzzwords like ZT get thrown around as cure-alls when they should really be viewed as a starting point, but ultimately become meaningless if you don’t right-size the work based on your goals, resources, and ultimately business value. If you take ZT at its absolute extreme, I suspect one would be hard pressed to actually say that a soup-to-nuts implementation is worth the effort over one that focuses on the best risk-adjusted ROI.
The core challenge of zero trust is locking down access without bringing workflows to a grinding halt. Zero-trust cybersecurity may eventually lead to superior security, but along the way, it can put companies at greater risk.
Implementing a comprehensive Zero Trust strategy (rather than a smaller piecemeal approach) will require a thoughtfully planned and non-disruptive approach to completely redesign network and security strategy, rewrite policies and documentation, and run an awareness campaign. Some parts can be implemented earlier in stages and in conjunction with other initiatives -- such as MFA and other strong identity and authentication, NAC/posture-checking, migration from on-premises data center services to the cloud, and migration from on-premises networks to work-from-home or work-from-anywhere.
Investment, Strategy, Customer, Supporting systems, etc.
Partially adopted