Resources

Before adopting cybersecurity models without perimeters, IT and security teams should proactively learn from others’ mistakes.

Digital transformation compels industries to leverage massive datasets across every organisational function. This seismic shift, coupled with an ever-evolving threat landscape, elevates zero-trust security from a desirable option to a mandatory requirement for organisations of all sizes. 

Zero-trust offers superior safety against remote attacks compared to traditional perimeter-based security. It achieves this by requiring continuous authentication of identity and authorisation for every user and device accessing the network. Originally employed by the US Department of Defense in 2020, the zero-trust model has seen rapid adoption across various industries. 

John Candillo, a cybersecurity veteran with over 20 years of experience, recently shared his thoughts on the top three mistakes organisations make when implementing zero-trust security. 

1. Organisations Make a Critical Mistake by Not Treating Zero Trust Differently

 Shifting cybersecurity focus from perimeters to users and assets defines the zero-trust security framework. 

According to the National Institute of Standards and Technology (NIST) Special Publication 800-207, “zero trust” refers to an evolving set of security practices that prioritise users, assets, and resources over static network perimeters. 

The rise of remote work, bring-your-own-device (BYOD) policies, and the expansion of cloud-based assets outside traditional perimeters necessitate a zero-trust approach, according to NIST SP 800-207. It emphasises protecting resources like assets, services, and user accounts, rather than network segments, as location is no longer the primary security factor. 

The Cybersecurity and Infrastructure Security Agency (CISA) identifies the five categories of a zero-trust model: applications, data, devices, identity, networks, and workloads. John Candillo highlights identity and data governance as the cornerstones, emphasising the crucial role of access controls for both in any zero-trust initiative. 

Within a zero-trust environment, continuous verification ensures that even if malicious actors infiltrate the network, their access is short-lived. 

2. Organisations Fall Short when Implementing Zero Trust

Candillo argues that employing a zero-trust framework necessitates a fundamental shift in an organisation’s cybersecurity philosophy. Organisations often mistakenly believe they can maintain their ingrained teams and management styles – isolating security, network, application, and system administration teams – when adopting zero trust. Candillo emphasises that effective zero-trust transformation hinges on cultural transformation as well. 

Beyond fostering collaboration among essential teams, successful implementation demands careful consideration of user experience. User education and programs that empower users to be part of the solution are crucial, according to Candillo. These efforts create an environment where everyone understand the securing of assets and data is a top priority. 

Candillo warns that user dissatisfaction with security tools or access processes leads them to seek alternative solutions. Employees might resort to unauthorised software, while customers might switch to competitors for needed goods or services. 

3. Organisations Leave Themselves Exposed by Neglecting to Establish Effective Data Access Policies

Zero-trust adoption presents a continuous challenge: understanding the specific data and resources each user requires. This hurdle, however, is not unassailable. 

When considering every user, data point, and device as a security asset, traditional manual network inventories become obsolete. Cloud-native network and inventory management tools offer real-time usage insights, empowering IT teams to prioritise and assign appropriate access privileges. 

“The right direction involves a combination of access governance due diligence, implementing behaviour analytics, and adopting adaptive authentication,” advises Candillo. “Focus on building a solid foundation first. Don’t chase immediate, complete zero-trust implementation across the entire organisation. Instead, prioritise securing a specific ‘protected surface’ – a group of critical systems or assets – once you have laid the groundwork.” 

Your Cybersecurity – Our Concern 

Your cybersecurity is our concern. Contact us today for a consultation.