The pandemic pushed 37% of organizations to increase adoption of zero trust, according to a Deloitte survey of more than 595 respondents from organizations planning to adopt zero trust.
Zero trust benefits are praised for protecting assets from any endpoint, but obstacles remain for companies trying to expedite the transition.
Between the "steepness of the zero trust learning curve" and the controls and modern technologies needed to support the zero trust framework, organizations are in a bind, said Andrew Rafla, risk and financial advisory principal at Deloitte.
While remote work has existed for at least two decades, companies fell behind on an all-inclusive security solution. At the beginning of lockdown orders, employees and their devices left the secure perimeter of the office. For many companies, the pandemic created a pathway to accelerated digital transformation and zero trust.
"There's no silver bullet product that gives us zero trust," said Bryan Ware, assistant director for Cybersecurity at CISA in the Department of Homeland Security, on a panel during the Billington Cybersecurity Summit Tuesday. "It has to be built and conceived across the enterprise; it will take us some time to get there."
The resistance
The pandemic challenged the end user and their trustworthiness on a scale most companies were unaccustomed to.
Two-thirds of respondents said workforce risk management, including remote work and insider threats, is the primary driver of zero trust adoption. About one-quarter of respondents cited third-party risk management, followed by cloud risk management.
"Zero trust is a conceptual framework that helps organizations enforce the concept of least privilege in a modernized way," said Rafla. It is not a single technology, and instead requires security leaders to "take an incremental and iterative approach that is tied to business drivers."
Undergoing a shift to zero trust is a multiyear, multimillion-dollar transformation, according to Rafla. "Modern technologies that support the zero trust concept of least privilege enforce access control decisions at lower layers in the stack." Those lower-layer controls are "fundamentally different than managing access control lists" on firewall devices.
Twenty-eight percent of respondents cited lack of skilled professionals and appropriate budgets as their greatest challenge in zero trust adoption. Only 13% of respondents cited an inability "to discern how to get started," or to differentiate technologies or vendors, as their greatest challenge, according to the report.
Without updated processes and new skills, zero trust efforts fall short. Zero trust, like any other initiative with a hefty price tag, takes convincing. Security leaders not only have to articulate how secure a business is, but what the return on investment is.
"Many executives can simply be resistant to change when they don't understand the downstream benefits, have competing priorities or have trouble understanding where to start," said Rafla.
While more than one-quarter of respondents consider the CIO and CISO equally responsible for directing zero trust initiatives, Rafla recommends a consensus-driven strategy that is complementary to ongoing business objectives. This way CIOs or CISOs can avoid the perception that zero trust adoption is "just another IT security project."
As with other initiatives security leaders push, they must be able to convey these points to their C-suite and board, according to Rafla:
- Explain how the solution enables business objectives
- Define what the organization is protecting
- Establish guiding principles for people, process and technology
In an environment where digital transformation is accelerated, "consistent architectural" zero trust principles "should be defined to lay a secure-from-the-start foundation," said Rafla.
Another scenario, where secure remote access is adopted with a zero trust mindset, requires a shift in user experience, though it's a "downstream implication," said Rafla. VPN use will decrease in favor of a model that can authenticate which users can access which applications, data and assets "and nothing more."