[By Rob McNutt, SVP Network Security at Forescout]
The greatest threat to zero trust is not among a group of the usual cybersecurity suspects. It is the marketing hype that has led to unrealistic expectations about its capabilities.
The ability to achieve “100% Security” with zero trust is enticing, but it is a fallacy. The idea that organizations can purchase “zero trust in a box” as some sort of plug-and-play solution is misleading at best. Likewise, deploying zero trust takes time and ongoing management; you cannot “set it and forget it.”
Let’s dispense with some of these misconceptions, which can negatively impact an organization seeking to implement zero trust. It is time to bust some zero trust marketing myths.
Myth #1: Zero Trust is a Product You Can Buy
Contrary to marketing claims, zero trust is not a product that can be purchased off the shelf. It is an architectural approach that includes multiple aspects. According to the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model, the pillars of zero trust include identity, device, network/environment, application workload, and data.
Each one of these pillars has its own unique challenges and requirements, which may take multiple solutions to address. For example, zero trust networking requirements include authentication and authorization, least-privilege access, and continuous risk assessment. Various solutions, including multi-factor authentication (MFA), identity and access management (IAM), network segmentation, network monitoring, and zero trust network access (ZTNA), each help meet these requirements.
Unfortunately, ZTNA has been overhyped to the point that it is negatively impacting zero trust networking and zero trust as a whole.
Myth #2: Zero Trust Network Access Provides 100% Network Protection
Zero trust networking is a crucial component of a zero trust architecture; however, the industry’s attempt to market ZTNA as an all-encompassing solution obscures its actual role within the larger framework.
While ZTNA provides initial access control, it falls short in offering continuous visibility and control once access is granted. ZTNA can also fall victim to compromised credentials and insider attacks.
The reliance on software agents and decryption of endpoint traffic creates management complexities, especially concerning the diverse landscape of the Internet of Things (IoT) and operational technology (OT) devices.
Education is key to dispelling marketing claims about ZTNA. Understanding the hierarchy of terms—zero trust networking, ZTN, and ZTNA—reveals that ZTNA is just one component. It offers access but lacks the broader visibility and control required for a comprehensive zero trust architecture; it does not even provide complete zero trust networking.
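The distinction drawn above (a one-time admission decision versus continuous visibility and control once access is granted) can be shown in code. The following is an added illustration written for this article, not Forescout code or any ZTNA product's logic; the signal fields, risk threshold and session stream are constructed assumptions.

```python
"""Initial-only access decision versus continuous re-evaluation.

Constructed illustration: a session is admitted on a one-time check,
then posture and risk signals change while the session is still open.
"""
from dataclasses import dataclass, field

@dataclass
class Context:
    mfa_passed: bool
    device_managed: bool
    agent_healthy: bool      # endpoint agent still reporting posture
    risk_score: int          # assumed scale: 0 (clean) .. 100 (compromised)

@dataclass
class Session:
    user: str
    active: bool = False
    log: list = field(default_factory=list)

RISK_LIMIT = 70  # assumed policy threshold

def admit(ctx: Context) -> tuple[bool, str]:
    """One-time admission check: the part ZTNA covers well."""
    if not ctx.mfa_passed:
        return False, "mfa required"
    if not ctx.device_managed:
        return False, "unmanaged device"
    if ctx.risk_score >= RISK_LIMIT:
        return False, "risk too high"
    return True, "admitted"

def reassess(session: Session, ctx: Context) -> bool:
    """Continuous check: re-run policy on fresh signals and revoke on failure.
    Also watches agent health, which an admission-time check never sees."""
    ok, why = admit(ctx)
    if ok and not ctx.agent_healthy:
        ok, why = False, "agent stopped reporting"
    if session.active and not ok:
        session.active = False
        session.log.append(f"revoked: {why}")
    return session.active

def run_scenario(signals: list[Context], continuous: bool) -> Session:
    """Admit on the first signal, then replay later signals with or without re-evaluation."""
    session = Session(user="alice")
    session.active, why = admit(signals[0])
    session.log.append(why)
    for ctx in signals[1:]:
        if continuous:
            reassess(session, ctx)
    return session

# constructed signal stream: clean at login, then the agent dies and risk spikes mid-session
SIGNALS = [Context(True, True, True, 10), Context(True, True, True, 40), Context(True, True, False, 85)]
```

With `continuous=False` the session stays open after the risk spike; with `continuous=True` it is revoked, which is the gap the article attributes to access-only controls.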
Myth #3: Zero Trust = Zero Risk
There is a notion that implementing zero trust removes risk from the equation, but unfortunately this is not the case. Hypothetically speaking, a perfect implementation of zero trust could eliminate almost all risks, but in reality perfection is impossible to achieve.
Implementing zero trust is a complex and ongoing process because there are so many interconnected parts. Very few organizations have achieved a fully mature zero trust implementation. But even among those that have, it can be difficult to account for blind spots and to close certain security gaps.
In particular, gaining visibility and control into unmanaged devices, OT devices, and IoT devices can represent a significant risk, even for organizations that have implemented zero trust solutions. Without visibility into all devices and endpoints, their collective vulnerabilities and exposures remain unknown.
The dynamic nature of modern threats, and the constant evolution of the modern enterprise network, require continuous risk assessment and refinement of zero trust policies. Another reason that zero trust cannot completely eliminate risk is the trade-off between security and productivity.
If the user experience is hindered by zero trust, then users may resort to less secure methods, such as shadow IT, creating unknown risks due to a lack of visibility. However, if zero trust policies are too relaxed, then compromised user accounts become an effective attack vector.
Organizations must strike a balance between zero trust security and the user experience by leveraging comprehensive visibility, which can provide the additional context needed to enforce zero trust policies without negatively impacting productivity.
One-Size Fits None
Zero trust is not a simple solution; it is a comprehensive framework that requires careful consideration. It comprises multiple pillars, each addressing crucial aspects of security. Bringing together insights from multiple sources shows why dispelling zero trust marketing myths matters for understanding its nuances.
By approaching zero trust with a realistic mindset and acknowledging its multifaceted pillars, organizations can fortify their cybersecurity posture in an era where marketing claims often overshadow the true essence of transformative technologies.