As cyberattacks continue to ramp up and grab bigger and bigger headlines, implementing a zero-trust strategy is more important than ever, cybersecurity practitioners warn.
“Both show that the problem as we know it is changing. The environment that we have to protect is fundamentally different than what it was 10 years ago,” Taylor wrote in response to questions. “We need a new architecture to protect it.”
Zero trust is the “appropriate architecture to strive for,” particularly when the work model has changed and attacks have evolved to circumvent the traditional perimeter-based network controls that most organizations have relied on, he added.
Cloudflare Field CTO John Engates also expects “zero trust will become a non-negotiable for enterprise” this year. He also predicts “companies of all sizes will increasingly adopt zero trust to secure their networks and applications, and staffing and supply-chain shortages will pressure IT departments to trade deploying and managing boxes for security-as-a-service models.”
These predictions match recent security-spending trends, which found enterprises are investing heavily in zero-trust enabling technologies in response to ransomware threats, a recent Dell’Oro Group report found.
“Interest in zero trust has exploded due to the numerous high-profile security attacks in the recent past that have shown the inadequacy of the legacy perimeter network architecture, particularly for the remote-user use case,” Mauricio Sanchez, research director of network security at Dell’Oro Group, told SDxCentral in an earlier interview.
However, the zero-trust adoption rate remains low. Only 29% of security teams said they’d implemented a zero-trust architecture when asked how they protect against ransomware, a recent report by Cybersecurity Insiders and Forcepoint’s Bitglass.
Zero Trust Isn’t a Tool, It’s a Strategy
The low adoption rate might reflect the fact that many organizations still don’t fully understand what zero trust means or how to implement it.
“The term zero trust tends to be misused or misinterpreted to fulfill the agenda of vendors looking to make their solutions more attractive and compelling,” Riccardo Galbiati, cyber advisor at Palo Alto Networks, wrote in a blog post late last year.
Service providers might list zero-trust network access (ZTNA), software-defined perimeters (SDP), or identity-defined perimeters (IDP) products as silver bullets of a zero-trust architecture without pursuing a zero-trust strategy for the whole enterprise, so “we need to strategically remove implicit trust from IT systems and constantly validate every digital interaction in the process,” he wrote.
“Zero trust can be frothy—it’s a term that marketers love to throw around, so organizations are right to be skeptical when they’re promised zero trust,” Taylor echoed. Zero trust is “not a product. It’s not a set of practices. It’s a way of thinking,” and the core tenet of it is “never trust, always verify.”
He argues organizations should start with figuring out how to verify their users and understand what they should have access to. Meanwhile, Galbiati encourages organizations to approach zero trust with “a strategic mindset, instead of technology adoption.”
In this way, “all the issues and misunderstandings around its nature are bound to disappear, and the ultimate goal of cybersecurity — maintaining business continuity in spite of cyberattacks — becomes a realistic and achievable outcome,” Galbiati concluded.