A recent study for Forrester Consulting found that 83% of cybersecurity decision-makers in Australia and New Zealand see a Zero Trust approach as the future of their firms’ security. However, one in six (17%) had yet to start implementing any kind of Zero Trust program. What’s holding these businesses back, and how can they address that?
Introducing Zero Trust
Businesses face a significant challenge in balancing the operational need for employees to access corporate resources from any device, anywhere, with the security need to protect the network.
The rise in cloud computing and in remote and hybrid working mean that security controls based on traditional perimeters, where those on the ‘inside’ are trusted implicitly and able to move freely through the network are no longer viable.
The security of digital organisations depends on losing that implicit trust and verifying everything before limited access is granted. This approach is called Zero Trust.
The practical implementation of Zero Trust at the network level is Zero Trust Network Access and the following may help to explain why it matters and the steps to take to make your ZTNA implementation a success.
The imperative for Zero Trust
Security strategies have traditionally centred on inherent trust – once a user or system is given access, it’s retained permanently. Zero Trust – the principle of ‘never trust, always verify’ – flips the script by requiring explicit trust. Users must prove their identity and confirm they have a secure and authorised device each time they start a new session. This is all automated, and those who don’t pass will not be granted access to data and applications.
Implementing this approach at the network level, with products or services that provide identity and context-based access controls to applications, is known as Zero Trust Network Access (ZTNA).
ZTNA can be used to manage access to all enterprise resources, including on-premises assets, cloud service providers like AWS, Azure and Google, and SaaS solutions like Salesforce and Microsoft 365. It ensures that threat actors cannot readily access sensitive network resources simply because they have acquired the right user credentials. This is particularly important as attackers are routinely exploiting trusted user identities to breach network defences.
Getting started – what you need to know
A full, enterprise-wide ZTNA rollout is a large project. However, implementation can be highly modular and broken down into manageable steps.
The first phase is discovery: you can’t protect what you don’t know you have. Enterprises need to have a full inventory of their network's users, devices and applications.
Next is understanding the relationships between these assets, which includes mapping out the members and access rights of different user groups, such as HR or finance, and marking out users and administrators. Likewise, there should be a clear view of where applications reside and how they are hosted, whether on-premises, in the cloud, or with a service provider.
Finding the right solution
Once this essential groundwork is complete, it's time to start looking at solutions for the implementation. Careful research should be put into finding the right solutions as the Zero Trust security market is large and growing, with estimates that it is worth more than $24 billion globally.
This means there is plenty of choice, but it can also make finding the right solution amongst all the noise more challenging.
With any hot trend, there will be more buzzwords used across the industry, particularly the ‘suitcase words’ – those concepts that companies will pack their solution into even if it isn’t relevant. Independent guides such as that released in 2022 by NIST can help clarify all the jargon and determine if a solution is suitable.
The ideal choice should be a good fit for your network infrastructure topology and offer a high degree of integration into the existing stack. The right ZTNA solution should dovetail with the organisational infrastructure to establish a single cohesive security posture.
Success factors and key considerations
As with any large project, buy-in from the board is essential for a successful ZTNA rollout. Getting senior leadership on the side from the outset will make it far easier to secure the budget and resources required and enable the project to proceed smoothly. To achieve this, it's best to focus on the value in terms of outcomes for the business, including security benefits and other advantages, such as regulatory compliance.
Consider starting with a small pilot project first when it’s time to start implementation. Small but high-risk groups such as contractors and seasonal workers are a good starting point. A successful rollout here will showcase the benefits of Zero Trust to secure further leadership support and highlight any issues to work out ahead of larger implementations.
It's also worth noting that, while it can be highly modular, ZTNA is still a complex endeavour that takes time and expertise. Bringing in project managers and consultants can help provide more specialist experience alongside your in-house IT and security personnel. Independent advisors should also be vendor agnostic, helping ensure the chosen solutions are the best ones for the job.
The benefits of a successful ZTNA rollout
ZTNA has become a strategic imperative in the face of more sophisticated attacks and escalating breach costs.
First and foremost, ZTNA mitigates the risk of a breach by preventing threat actors from readily accessing the network armed only with stolen credentials.
Granting system access to users in a way that is both easy and secure is an essential competitive advantage today. Even the process of preparing for ZTNA can have a powerful impact. Establishing an inventory of users, devices and applications and mapping out their relationships is a huge boost to security hygiene.
ZTNA enables granular control over network access which can significantly reduce data exfiltration risks and other security threats. Alongside bolstering security, organisations that implement this approach can also unlock new business opportunities. Zero Trust principles strongly align with certifications such as ISO 27001, which are essential for government contracts and in many highly regulated industries.
Certifications can improve an organisation's credibility in the eyes of stakeholders and provide a competitive edge in markets where demonstrating cyber resilience is key to winning - and retaining - business. Achieving certifications and regulatory compliance can also build trust with clients and partners.
One final thought
The most important steps in a Zero Trust journey are the first ones. Those organisations that have taken the time to understand their network and research the right solutions for their needs will be ideally placed to make informed decisions that will maximise both their security and ROI.