Zero-Trust in the Cloud is Hard. Here’s How to Do it Right
The zero-trust era is here, with some complications.
The numbers speak for themselves: In 2022, over half of organizations said they had implemented a zero-trust initiative. That’s twice the number from 2021. Further, President Biden recently ordered all civilian federal government agencies to meet specific cybersecurity standards by September 2024 in support of zero-trust.
However, the acceleration of zero-trust adoption obscures an important fact: Many organizations today are struggling to implement the framework effectively. This is especially true in cloud-native environments, whose nuances have introduced new obstacles for security organizations. Here are a few challenges to be aware of for zero-trust implementations and how organizations can overcome them.
Defining Zero-Trust
At its core, zero-trust means simply that there is … zero trust. By default, security professionals should not trust anything inside or outside of the network. Zero-trust requires all users and devices, whether in or outside the organization’s network, to be authenticated, authorized and continuously validated for security configuration before being granted access to the network and its applications and data.
While zero-trust is not a new or novel initiative, it has been growing in popularity over the past two years largely due to the impact of the COVID-19 pandemic. Many organizations accelerated digital transformation initiatives and embraced work-from-anywhere policies in response to COVID-19, creating a growing need for more robust security frameworks like zero-trust as access points and resources became more complex and the attack surface grew.
When Zero-Trust Becomes Difficult
Zero-trust is a complex security framework that faces several key roadblocks in its implementation. One of these is navigating legacy technology within your IT infrastructure. In 2022, MIT Technology Review asked global business leaders to share their biggest challenges to zero-trust adoption; 46% of respondents said that the single biggest challenge was replacing their old system and/or integrating the model into their legacy infrastructure, demonstrating a need to make zero-trust easy to navigate without sacrificing security measures.
Additionally, a Sapio Research survey highlighted other roadblocks, noting that for nearly 70% of security professionals, the biggest hurdle to zero-trust adoption is the complexity of the implementation process. Cost also remains a major challenge, as 60% of those surveyed by Sapio Research said that a limited budget held back their zero-trust efforts.
For anyone who has implemented a new system, these cost and implementation challenges should feel familiar. However, zero-trust represents a new paradigm of information security; no transformation of its complexity is easy to make.
Avoiding Zero-Trust Implementation Pitfalls
For me, there are four principles of effective zero-trust framework implementation.
First, you must know your environment. The Cybersecurity and Infrastructure Security Agency (CISA) created a zero-trust maturity model that includes five pillars for any implementation: identity, devices, network, applications and data. Simply stated, no zero-trust implementation can begin without a detailed understanding of the full scope of your environment. That means cataloging your assets (software, hardware, data) based on their potential risk and implementing procedures to identify, manage and monitor every user, device and application accessing them and their usage patterns.
Second, build the business case. Identify what is at stake: PII, reputation, loss of revenue and/or more. Like any other new technology implementation, zero-trust requires both human and financial resources. To win over the C-suite, security leads must go beyond risk mitigation. Instead, I suggest they highlight the many other benefits of the framework, including increased productivity and security for end users and lower costs from more streamlined security frameworks.
Third, it’s critical that you implement zero-trust incrementally. Start by running test trials to ensure deployments are delivering a productive and secure user experience and enhancing incident response capabilities. By focusing initial implementation efforts on an application or team, you can gain deeper insights and learnings as well as iterate versions and updates quickly.
Fourth, choose your tools carefully. To manage a zero-trust architecture, organizations must prioritize tools and processes that offer visibility, application of analytics and automation across the enterprise. This is most easily accomplished by leveraging a unified platform, one that connects your entire zero-trust architecture with a single data model. Through this approach, organizations can seamlessly discover, map, prioritize and respond to potential threats based on their risk to the business. Organizations that don’t embrace a platform approach and instead use various point tools to try to accomplish this often lack the necessary cohesive visibility inherent in platform solutions, leading to inefficiencies that can derail zero-trust initiatives.
Making the Journey Successful
With cyberattacks expected to amount to $10.5 trillion in damages annually by 2025, zero-trust will continue its accelerated adoption as a critical component of a well-secured enterprise. It provides organizations with a powerful and scalable security framework that’s able to protect organizations’ remote workforces and their technology architectures that often span multiple clouds. Organizations, however, must also realize that it is a complex, extended process, one that must be implemented strategically and deliberately to effectively secure the enterprise.