How to Manage a Zero Trust Infrastructure in 2024

Written by patriciadehemricourt | Published 2023/12/26
Tech Story Tags: zero-trust-security | zero-day-vulnerability | cybersecurity | cybersecurity-tips | zero-trust-infrastructure | never-trust-always-verify | privileged-access-management | single-sign-on

TL;DR: In a distributed computing world, sensitive data easily flows beyond just managed end-user devices. Critical data can live virtually anywhere, putting it out of scope from traditional device-centric security models. Outdated tools develop blindness to emerging attack surfaces and vulnerabilities that did not exist when they were purchased.

In the last decade, zero trust has been one of the most talked-about cybersecurity paradigms. The “Never trust, always verify” mantra behind zero trust, never trusting any device or user in your network and instead verifying every access attempt, led to the development of segmentation alongside a flurry of new verification methods, ranging from multifactor authentication (MFA) and single sign-on (SSO) to identity and access management (IAM), privileged access management (PAM), and more.

However, implementing zero trust is unfortunately more complex than simply buying and switching on any and all of the related products. Beyond integrating each of them with the existing infrastructure and with one another, the zero trust journey demands updating legacy tools, securing ever-expanding collections of data, and overcoming visibility gaps.

This article looks at the most overlooked issues of implementing zero trust.

Shifting Focus: Data Security Over Device Management

Focusing on device management translates into investing heavily in managing detailed asset inventories of approved devices in a network. Significant resources go into auditing, maintaining, and securing these devices.

Yet, in a distributed computing world, sensitive data easily flows beyond just managed end-user devices. Employees routinely upload files to Dropbox, Google Drive, Slack, Monday.com, and other team management programs that sit outside the secured network, and weaknesses in supposedly secured infrastructure, such as entire data lakes sitting in poorly configured S3 buckets, go unnoticed. Critical data can in fact live virtually anywhere, putting it out of scope from traditional device-centric security models.

To truly embrace the secure-by-default ideals behind zero trust, the focus must expand from just hardening authorized devices to directly safeguarding the data itself. This means pursuing data-centric security capabilities like persistent file encryption, rights management controls, and increased visibility into all data repositories - not just those residing on managed devices. It also requires updated assumptions when modeling threats and risks to account for the reality of data potentially living everywhere, not just within device inventory spreadsheets.

Overlooking the expansive data security blind spots outside managed devices leaves open backdoors that nullify the other zero trust access controls around the network edge. Savvy attackers are all too happy to bypass difficult checkpoints by going directly after loosely protected data instead.

The Risk of Legacy System Obsolescence

When most organizations began investing in zero trust toolsets several years ago, they represented the cutting edge in cybersecurity. However, the vendor landscape has continued rapid, iterative innovation since those initial purchases. Capabilities considered advanced in 2020 are now simply baseline functionality. Integrations and automation around improving detection, response, and visibility have also grown considerably.

Yet, the time and resources needed to identify better alternatives and refresh zero trust architectures with modern replacements lead to a dangerous tendency of opting to simply renew and carry on with fast-aging legacy tools. While those are still valuable, security gaps can and do emerge between what these dated products address and the actual current threat landscape and business computing environments. Attack techniques and infrastructure complexity have both evolved tremendously even within a few years. Outdated tools develop blindness to emerging attack surfaces and vulnerabilities that did not exist when they were purchased.

Renewal convenience ultimately breeds security risk.

Strengthening the Data Pillar

Discussions around zero trust architecture overwhelmingly fixate on advances in network security, identity and access management, and other edge-focused topics like micro-segmentation. The critical data security pillar, however, remains largely overlooked and under-invested. While access controls offer one layer of protection, inadequate data security itself opens backdoors that negate even sophisticated access gateways.

For example, improperly configured cloud databases, mass data stores like S3 buckets, and outdated on-prem file shares continue fueling high-profile breaches through basic missteps. Despite locked-down networks and multi-factor authentication, simple cloud misconfigurations spill data constantly. Failing to actively govern and inventory the data repositories themselves leaves these soft underbellies for invaders to exploit. Breaches then propagate laterally through trusted access channels inside hardened networks.

To fully realize zero trust ideals, data security requires equal attention alongside identity, devices, and network pillars. Extending visibility and controls directly within and around data stores closes overlooked gaps that access defenses alone cannot solve. This means pursuing capabilities like persistent encryption, data loss prevention, rights management, and cloud security posture management tuned to data risks.
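The kind of posture check this section calls for, as an added example that is not part of the article: it evaluates each bucket's ACL, bucket policy and Public Access Block together and assigns a severity. The bucket documents below are constructed samples in the shape boto3 returns from get_bucket_acl, get_bucket_policy and get_public_access_block; the severity scheme is an assumption of this example, not an AWS or article-defined rule.

```python
"""Flag S3 buckets exposed through public ACL grants, wildcard bucket policies,
or a missing Public Access Block. Added illustration; inputs are constructed."""
from __future__ import annotations
import json
from typing import Any

# Grantee URIs that S3 ACLs use for "anyone on the internet" and "any AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_public(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def acl_findings(acl: dict) -> list[str]:
    """Report ACL grants to either of the two public groups."""
    return [
        f"ACL grants {g.get('Permission')} to {PUBLIC_GRANTEES[g['Grantee']['URI']]}"
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES
    ]


def policy_findings(policy_json: str | None) -> list[str]:
    """Report Allow statements with a wildcard principal. A Condition may scope
    them (e.g. to a VPC endpoint), so those are marked for review, not open."""
    if not policy_json:
        return []
    stmts = json.loads(policy_json).get("Statement", [])
    out = []
    for s in (stmts if isinstance(stmts, list) else [stmts]):
        if s.get("Effect") != "Allow" or not _principal_is_public(s.get("Principal")):
            continue
        scope = "subject to Condition (review)" if "Condition" in s else "with no Condition"
        out.append(f"policy allows {s.get('Action')} to Principal * {scope}")
    return out


def pab_findings(pab: dict | None) -> list[str]:
    """All four Public Access Block flags should be on; report each that is not."""
    if pab is None:
        return ["no Public Access Block configured"]
    return [f"PublicAccessBlock.{k} is off" for k in PAB_FLAGS if not pab.get(k, False)]


def assess_bucket(name: str, acl: dict, policy_json: str | None, pab: dict | None) -> dict:
    """Combine the three checks into one severity (scheme assumed for this example)."""
    grants = acl_findings(acl) + policy_findings(policy_json)
    pab_gaps = pab_findings(pab)
    unconditioned = [g for g in grants if "(review)" not in g]
    if unconditioned and pab_gaps:
        severity = "HIGH"    # public grant and no complete guardrail blocking it
    elif unconditioned:
        severity = "MEDIUM"  # Public Access Block neutralizes it, but the grant should still go
    elif grants or pab_gaps:
        severity = "LOW"     # conditioned wildcard to review, or missing guardrail with no grant
    else:
        severity = "OK"
    return {"name": name, "severity": severity, "findings": grants + pab_gaps}


# Constructed sample inventory. In practice each tuple comes from boto3's
# get_bucket_acl, get_bucket_policy (the "Policy" string) and
# get_public_access_block ("PublicAccessBlockConfiguration") per list_buckets entry.
FULL_PAB = {k: True for k in PAB_FLAGS}
SAMPLE_BUCKETS = [
    ("data-lake-raw",
     {"Grants": [{"Grantee": {"Type": "Group",
                              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                  "Permission": "READ"}]},
     None, None),
    ("reports-archive",
     {"Grants": []},
     json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::reports-archive/*"}]}),
     FULL_PAB),
    ("internal-logs", {"Grants": []}, None, FULL_PAB),
]


def run_inventory(buckets=SAMPLE_BUCKETS) -> list[dict]:
    return [assess_bucket(*b) for b in buckets]


if __name__ == "__main__":
    for r in run_inventory():
        print(f"{r['severity']:<6} {r['name']}: {'; '.join(r['findings']) or 'no findings'}")
```

Running it over the samples lists the raw data lake as HIGH (a public READ ACL with no Public Access Block), the archive as MEDIUM (a wildcard policy that the Public Access Block currently neutralizes), and the logs bucket as OK. Treating the three documents together matters: a public grant alone is not enough to call a bucket exposed, and a clean grant list alone is not enough to call it safe.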

Hard to Fully Visualize All Data

A fundamental zero trust assumption is denying trust to any entity until it proves otherwise. Yet, the steady demise of network perimeters combined with BYOD and cloud adoption creates vast data security blind spots even among companies confident in their posture.

When it comes to visualizing where sensitive data might reside, overconfidence risks substantially overestimating actual coverage and control.

Whether employees upload files to unsanctioned cloud apps, teams spin up undocumented databases for one-off projects, or critical data accumulates in Amazon S3 buckets, sensitive information easily scatters beyond managed knowledge. The less constrained data flows are outside traditional guarded channels, the more blind spots emerge. Without comprehensive visibility and cataloging of where data lives and moves, full protection becomes impossible no matter how tightly secured core systems appear.

This expansive unseen attack surface becomes low-hanging fruit for invaders. Despite strong zero trust access controls around known assets, unfettered data movement to forgotten corners of the digital ecosystem offers easy alternate doors for exfiltration and abuse.

Until organizations accurately map and account for their comprehensive data footprints, rather than just the ecosystems they assume they manage, major security gaps will persist and subvert zero trust ideals.

Zero trust architecture may be an invaluable cybersecurity evolution, but it is not without limitations. As with any complex IT framework, success lies in the details. Updating tools, scrutinizing administration, centering data protection, and allowing flexibility for new data frontiers are all key to extracting long-term value from zero trust. Rather than a one-and-done project, embracing zero trust is an ongoing philosophy.


Written by patriciadehemricourt | Passionate about emerging technologies, cybersecurity, AI, ML, and now LLMs.
Published by HackerNoon on 2023/12/26