Over half of all organizations reported that they had installed zero-trust networks, according to an industry survey carried out late last year. Managing the security risk of distributed edge networks was a major driver, and in some cases, there were productivity gains for both IT and end users since on-ramping and off-ramping IT assets and network users became more automated.
But implementing zero-trust networks is still a learning experience for most IT departments and for end users, too.
Here are five major challenges:
#1) Zero-trust means rethinking your network architecture
Given cost and time-to-implement pressures, it can be tempting to install zero-trust networks in a piecemeal, ad hoc way.
The problem with piecemeal approaches is that one-off implementations can create connectivity and security gaps in your overall network topology.
Solution: A better approach is to revisit your existing network architecture. What needs to change in order to implement zero-trust networks? Do you want to maintain a single end-to-end network, or does it make more sense to break your network into several micro networks that are deployed for specific edge applications only (e.g., running factory automation)?
Do you run your zero-trust networks entirely on-premises, or does it make more sense to use a SASE (secure access service edge) cloud provider to help manage your zero-trust edge? If you choose a SASE provider, you can detect incoming security threats in the cloud and contain them there before they ever reach your network. On the other hand, a SASE service costs money, and integration issues are bound to surface when you connect it to your existing networks and systems.
#2) Zero-trust means gaining familiarity with new tools
Zero-trust networks come with a technology learning curve. If you choose to segment your network into a series of smaller, self-contained networks, specific tools are needed to do this. There are also tools that define the perimeters of your zero-trust networks and that are specific to the SASE provider you may choose to use.
Depending on the operating systems, platforms, devices, and cloud services providers that you employ, there will additionally be tools specific to the user authentication process, such as multi-factor authentication (MFA), single sign-on (SSO), security monitoring systems, and even device approval systems. IT is likely to find some knowledge transfer between these tools and what IT has already been using, but there will be new areas and techniques to master and document, too.
Solution: When evaluating zero-trust solutions, ask vendors to profile their tools and then request a trial to see if the tools are easily mastered and applied. This will give you a sense of what the learning curve will be for IT so you can factor this into your implementation plan.
#3) Zero trust doesn't work with every IT asset
Many legacy systems have their own built-in security and perimeters. These might clash with the security and perimeters that zero-trust networks use. The result can be gaps or complications in applying end-to-end security.
Solution: In most instances, legacy systems are running because they still produce value, and they are costly to replace. If you must use them on zero-trust networks, you will need to assess the security gaps and conflicts between the legacy systems and the network and resolve these.
In some cases, it might be possible to use different platforms for the legacy systems that are more compatible with a zero-trust network.
#4) Zero-trust networks can become a political issue
You can’t implement a zero-trust network without user cooperation and support.
It is users who will define who gets access to which applications on the network and how far each access (or permission) goes. Based on this input, which should minimally be revisited on a yearly basis, IT can begin to set rules for multi-factor authentication.
Users might also complain about adverse productivity because of new network "red tape." Suddenly those who were using certain applications might find themselves locked out of them. It might also seem clumsy and time-consuming to go through laborious multi-factor authentications every time you want to use a network.
If this frustration builds, IT can find itself embroiled in a political situation.
Solution: A good way to begin with zero-trust user policies and practices is to start with what you already should be doing: reviewing on an annual basis who gets access to what (and how much access) in each user department.
The good news is that users, as everyday citizens, are already used to multi-factor authentication in the commercial and financial marketplaces, so a company transition to a multi-factor security environment won’t come as a total surprise.
Users will also be concerned about the perceived loss of productivity since some will suddenly find themselves locked out of applications they had been using, and everyone will be subject to lengthier and more complex network sign-ons.
Because of these user sensitivities, IT should plan to coordinate with HR and also with upper management. If there is trepidation on the part of any of these parties, the zero-trust initiative should be paused until there is universal concurrence and backing of zero-trust networks.
#5) Zero-trust networks require a new maintenance strategy
Zero-trust networks are being implemented by companies because companies want to strengthen their security. However, these networks are hard for IT to maintain unless security authorizations are continuously kept current, new edge devices are properly configured to enterprise-level security standards, security updates to hardware, firmware, and software are applied diligently and promptly, security policies and procedures are developed and taught throughout the company, and all IT assets on zero-trust networks are monitored and tracked by asset management software.
Solution: IT should work hand in hand with HR, management, and end-user departments to ensure that user authorizations and permissions for the various IT resources on the network are up to date. When employees join or leave the company, authorizations should be activated or shut down. On the IT asset side, an asset management system working alongside zero-trust networks can immediately detect when an asset is added, removed, or modified on a network. This alerts IT to possible unauthorized activity.
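As an added illustration (not from the article or any product), the two checks just described, a joiner/leaver reconciliation of access grants against the HR roster and a drift comparison of the asset inventory against its baseline, run over constructed sample data:

```python
"""Joiner/leaver and asset-drift reconciliation for a zero-trust network.

All roster, grant and asset data below is constructed for the example.
"""

# Constructed HR roster: employee -> employment status on the review date.
HR_ROSTER = {
    "alice": "active",
    "bob": "terminated",   # has left; any remaining grant is a gap
    "carol": "active",
}

# Constructed access-grant export from the access-policy engine.
ACCESS_GRANTS = [
    {"user": "alice", "resource": "erp", "role": "reader"},
    {"user": "bob", "resource": "erp", "role": "admin"},   # orphaned grant
    {"user": "dave", "resource": "vpn", "role": "user"},   # unknown to HR
]

# Constructed asset inventories: asset id -> tracked attributes.
BASELINE_ASSETS = {
    "plc-01": {"owner": "factory", "firmware": "2.4"},
    "cam-07": {"owner": "security", "firmware": "1.9"},
}
CURRENT_ASSETS = {
    "plc-01": {"owner": "factory", "firmware": "2.3"},  # firmware changed
    "gw-02": {"owner": "unknown", "firmware": "0.1"},   # not in the baseline
}


def orphaned_grants(roster, grants):
    """Return grants whose user is not an active employee in the HR roster.

    Covers both leavers still holding access and accounts HR has no record of.
    """
    return [g for g in grants if roster.get(g["user"]) != "active"]


def asset_drift(baseline, current):
    """Compare the approved asset baseline with the live inventory.

    Returns the asset ids that were added, removed, or whose tracked
    attributes (owner, firmware, ...) no longer match the baseline.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    shared = baseline.keys() & current.keys()
    modified = sorted(a for a in shared if baseline[a] != current[a])
    return {"added": added, "removed": removed, "modified": modified}
```

Each item returned is a candidate for review rather than an automatic action: a removed asset may be legitimately decommissioned, and a grant for a user missing from HR may be a contractor record that the roster export simply omits.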
Finally, at least at the start, IT (and the company) should invest in a third-party audit of edge and zero-trust technologies, security, policies, and documented practices to ensure that nothing is missed. Most likely, an audit will reveal some gaps in technology, security, policies, or practices that IT can easily correct.