IT service execs point to 5 core zero-trust questions
A partner-customer dialog around zero trust should focus on the basics of organizational awareness, upskilling, funding, technical tooling and user experience.
The work-from-anywhere trend and the nonstop danger of cyber attacks have pushed zero trust up the list of IT priorities.
Professional services companies, MSPs and systems integrators see rising interest in zero-trust engagements as customers ask for technology and business advice. Implementing the zero-trust security model can help enterprises become more resilient, boost security visibility and limit damage in the event of a breach. But IT services executives should also anticipate plenty of challenges as organizations take on potentially disruptive security initiatives.
Here are five essential zero-trust questions consultants believe organizations should consider and discuss as they move toward that model. The resulting dialog can help smooth the path of adoption.
1. Does the customer understand the zero-trust framework?
Belief in zero trust as an off-the-shelf purchase is a common misconception, and one that can derail initiatives from the start.
"The No. 1 challenge is everyone thinks zero trust is something you can buy," said David Chou, director of cloud capabilities at Leidos, a technology, engineering and science solutions and services provider based in Reston, Va. "I can go and find this product and I'm done with zero trust, right? Unfortunately, that's not true."
The task involves more than shelling out money on new technology.
"You actually have to dig down a couple of levels deeper," Chou said. That means potentially modifying how the organization operates in addition to upgrading certain security technology stacks, he noted.
"Zero trust cannot be implemented as a single product," added Mushtaq Ahmad, senior vice president and CIO at Movate, a digital technology and customer experience company with headquarters in Plano, Texas. "It's a framework of policies."
To arrive at a zero-trust architecture, security controls derived from those policies must be applied across users, devices, networks, data and applications, Ahmad said. Organizations that fail to grasp that will end up with a "poorly deployed zero-trust architecture," he added.
2. Is the customer ready to provide enterprise-wide training?
Misunderstandings of zero trust stem from a lack of organizational awareness. That makes education and training critical for successful initiatives.
"The pointy tip of the spear has always been upskilling and training," Chou said. "We realize that when folks don't have a common understanding of zero trust, it makes it very difficult to have conversations and work through different iterations of how we could potentially deploy zero-trust principles."
Leidos integrates training within its Zero Trust Readiness Level tool suite, which provides customers a roadmap for adoption.
The zero-trust journey requires changes in people, as well as process and technology, Ahmad said. So, preparing the entire organization for the adjustments ahead is important to achieve stakeholder buy-in and acceptance, he said.
Chou also cited the scope of education and training as a significant component of zero trust.
"We make sure that not just engineers, but folks in policy, security, even procurement and finance, are up to speed on what zero trust means for the enterprise as a whole -- and how that could impact the way they do their work," Chou said.
Jay Martin, security practice lead at GreenPages, an MSP based in Portsmouth, N.H., said awareness training can extend to external partners as well as employees: "Are you making the folks that work in the organization and contractors aware that you have these policies?"
Quarterly training -- with quizzes to reinforce the key points -- is "one method to ensure that those policies are being understood," Martin said.
3. Is the customer willing to commit funding?
"One challenge is budget," Martin said. "Nobody wants to be the next newspaper headline. However, you have to look at the risk in the organization. How much are we willing to spend for those risks?"
Martin said companies tend to want to do everything at once to protect themselves, an unreasonable expectation. "Nobody can do that," he said.
The task then becomes creating a practical zero-trust journey that lets customers mature within that model, over time. The question customers must ask, according to Martin, is "what can we do now, with the budgets that we have, to make us safer and help us move toward the eight control areas within zero trust?"
Those eight areas are outlined in the U.S. government's Cybersecurity & Infrastructure Security Agency's Zero Trust Maturity Model.
4. How will the customer fit security tools within the zero-trust model?
The plethora of tools available within each cybersecurity subcategory is another issue that customers must address. Cisco, citing industry and vendor research, recently stated that small businesses often use three to six tools, while larger enterprises might use up to 100.
An enterprise using Microsoft Intune for mobile device management might want to add a security platform such as Zscaler and a specialized tool such as Jamf for Apple device security, Martin noted.
"How do all these technologies play, without overspending and overlapping too much, so that they're working toward that zero-trust model?" Martin asked. "That's a huge puzzle to put together for customers [and] another big challenge."
Businesses using a multitude of security products run the risk of taking a siloed approach to zero trust, Ahmad said.
"Many companies approach zero trust as a product replacement with more capability, but the products operate as islands with limited integration," he said. "This results in gaps in security controls."
He said zero trust requires changes across processes, tools, hardware and architecture, noting those changes must proceed hand in hand.
Pursue zero trust amid digital transformation?
While zero trust and digital transformation typically follow parallel tracks, they have much in common.
Both are far-ranging programs that encompass business and technology -- and each one can prove disruptive to enterprises. So, does it make sense to pursue zero trust when the organization is already prepared to overhaul technology and business models?
Service providers believe that approach has potential.
Greenfield implementations offer a better opportunity to build processes and deploy technologies -- from the ground up -- that support zero-trust architecture adoption, Ahmad said. An application transformation activity that involves microservices and microsegmentation provides the space to adopt zero trust as part of the architecture design, he added.
Martin said a digital transformation effort can be a great time to pursue zero trust. But a business shouldn't hold off until a project surfaces.
"I wouldn't wait for that because the attackers aren't going to wait," he said.
5. Is the customer keeping user experience in mind?
A security program that creates friction for users is one that users will push back on. The same holds true for zero trust.
"If not designed properly, zero-trust architecture can become very restrictive, limiting employee productivity," Ahmad said. "It's important to introduce [the architecture] slowly, with proper testing to increase the adoption, especially in a legacy network."
Organizations should keep a dual focus on meeting security mandates and improving the user experience, Chou advised.
"It's a multigoal sort of effort," he said. "It's really about making sure that, if you implement zero trust, there's a better experience for your users."