Feb 01 2024

3 Mistakes Experts Often See in Zero-Trust Initiatives

As businesses scramble to adopt cybersecurity models without perimeters, IT and security teams should first learn from others’ mistakes.

Industries undergoing digital transformation rely increasingly on massive amounts of data to propel every facet of business. As that seismic shift collides with today’s rapidly evolving threat landscape, zero trust’s always-on approach to cybersecurity has become a requirement — not just a nice-to-have — for businesses of all sizes.

The zero-trust security model offers greater protection against remote exploitation than traditional perimeter-based security because it requires every user and device that accesses a network to authenticate identity and authorization. The approach was implemented by the Department of Defense and other highly secure environments in 2020, but the model has rapidly gained adherents across many industries since that time.

John Candillo, field CISO for CDW, has spent more than 20 years working in cybersecurity, providing executive guidance on risk, governance, compliance and IT security strategies. He recently shared insights about the top three mistakes he sees companies make when adopting the zero-trust security approach.

Click the banner to learn how to overcome budget hurdles to zero trust success.

Mistake No. 1: Thinking Zero Trust Can Be Installed

A zero-trust security framework is not a product that can be licensed or installed. It is a strategy that defines a holistic approach to cybersecurity that shifts the traditional network security focus from protecting a perimeter to protecting assets and users.

“Zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets and resources,” according to the National Institute of Standards and Technology’s Special Publication 800-207. “A zero-trust architecture uses zero trust principles to plan industrial and enterprise infrastructure and workflows.”

NIST adds that zero trust has been made necessary by a number of trends in recent years, including an increase in remote workers and bring-your-own-device policies as well as the growth of cloud-based assets located outside organizations’ own perimeters. SP 800-207 notes that “zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.”

The Cybersecurity and Infrastructure Security Agency (CISA) spells out five pillars of a zero-trust model: identity, devices, networks, applications, workloads and data. By far, identity and data governance serve as the model’s cornerstones; any zero-trust initiative must prioritize identity and data access controls, Candillo says.

In a zero-trust environment, that verification happens continuously, ensuring that even when bad actors somehow gain access to a network, they can’t hang around for long.

Mistake No. 2: Ignoring User Experience Quality

Implementing a zero-trust framework typically requires shifting a business’s philosophy around cybersecurity, says Candillo. Often, organizations embark on a zero-trust journey thinking they can continue to use “their old siloed teams and management styles, isolating security teams, network teams, application teams and system administrators,” he says. “A successful zero-trust transformation also requires a cultural transformation.”

Beyond ensuring that essential teams work in tandem to implement the approach, thoughtful consideration must be given to users and their experiences engaging with or working for the business. User education and opportunities to make users part of the solution help create “a culture where securing company assets and customer data is a top priority and taken very seriously by everyone,” Candillo says.

John Candillo Headshot
A successful zero-trust transformation also requires a cultural transformation.”

John Candillo Field CISO, CDW

Ultimately, when users aren’t satisfied with the tools required or with their experience in gaining access to resources, they’ll turn elsewhere. For employees, that may involve reliance on outside software or tools. Customers, on the other hand, may simply turn to a competitor to purchase the goods or services they need.

Mistake No. 3: Failing to Set Effective Policies for Accessing Data

As a business’s zero-trust adoption matures, getting a handle on the data or resources that specific users need can be an ongoing challenge — but it’s not an insurmountable one.

When every user, piece of data and device is considered an asset to be protected, IT teams can no longer rely on manual network inventories. Cloud-native network management and inventory management tools provide real-time insights and visibility on use, helping teams set priorities and appropriate access privileges.

READ MORE: Learn how businesses can keep endpoints secure.

“Combining due diligence around access governance and implementing things like behavior analytics and adaptive authentication can be steps in the right direction,” Candillo says. “Don’t try to achieve 100 percent zero trust across the entire enterprise in the short term. Instead, after you’ve laid the foundation, focus on locking down a specific so-called protect surface, or a group of critical systems or assets you are trying to protect.”

Dean Mitchell/gettyimages
Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT