In their original designs, cybersecurity solutions distinguished between safe and unsafe networks. The intranet, an organisation’s internal network, was considered safe and its users trustworthy, while everything on the internet was deemed unsafe. When employees connected through the corporate intranet, they were given nearly unlimited reach to network resources.
Zero Trust is a set of rules and principles that - as its name indicates - removes such implicit trust. The idea arose in the last decade, as security researchers questioned whether any network, system or user could be trusted. Since then, the idea has spread and developed into a fully-fledged, though fragmented, set of measures and technologies. Zero Trust begins with the assumption that devices and networks are already compromised, or will eventually be, wherever they are. For this reason, Zero Trust is more than just a group of rules and techniques. It represents a genuine change of perspective for the whole industry, by moving the focus on security away from location and zones towards protecting assets and data. One of the pillars of Zero Trust is the principle of least-privileged access, which limits access to network resources and data to what is strictly necessary for each specific user or system to perform its tasks.
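To make the shift described above concrete, the following is an added illustration (not code from the article or from any Zero Trust standard) that contrasts a perimeter-based access decision, which trusts any request originating inside the intranet, with a Zero Trust style decision that ignores network location and instead checks verified identity, device state and an explicit least-privilege grant on every request. The IP range, roles, resources and sample requests are all constructed for the example.

```python
"""Added illustration: perimeter trust versus a per-request Zero Trust
decision with least-privilege grants. All ranges, roles, resources and
requests below are constructed for the example, not taken from any real
deployment."""
from dataclasses import dataclass
import ipaddress

# Constructed corporate intranet range that the legacy model trusts outright.
INTRANET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    src_ip: str
    mfa_passed: bool       # did the user complete multi-factor authentication?
    device_managed: bool   # is the device enrolled and policy-compliant?
    resource: str
    action: str


def perimeter_decision(req: Request) -> bool:
    """Legacy model: anything coming from the intranet is trusted fully,
    regardless of who the user is, what device they use, or what they ask for."""
    return ipaddress.ip_address(req.src_ip) in INTRANET


# Least-privilege policy (constructed): each role is granted only the
# (resource, action) pairs it needs to do its job, nothing more.
LEAST_PRIVILEGE = {
    "payroll_clerk": {("payroll-db", "read"), ("payroll-db", "write")},
    "developer": {("source-repo", "read"), ("source-repo", "write"), ("ci", "read")},
    "contractor": {("source-repo", "read")},
}

# Resources that additionally require a managed device (constructed set).
SENSITIVE_RESOURCES = {"payroll-db"}


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Zero Trust model: network location carries no weight. Every request
    must present a strongly verified identity, an acceptable device for the
    resource in question, and an explicit least-privilege grant."""
    if not req.mfa_passed:
        return False, "identity not strongly verified (MFA required)"
    if req.resource in SENSITIVE_RESOURCES and not req.device_managed:
        return False, "unmanaged device may not reach sensitive resource"
    allowed = LEAST_PRIVILEGE.get(req.role, set())
    if (req.resource, req.action) not in allowed:
        return False, f"role {req.role!r} has no grant for {req.action} on {req.resource}"
    return True, "allowed"


if __name__ == "__main__":
    samples = [
        # Insider on the intranet, no MFA, asking for data outside their role.
        Request("alice", "developer", "10.1.2.3", False, True, "payroll-db", "write"),
        # Legitimate clerk working remotely with MFA on a managed laptop.
        Request("bob", "payroll_clerk", "203.0.113.5", True, True, "payroll-db", "read"),
        # Contractor on an unmanaged device trying to write to the repo.
        Request("carol", "contractor", "203.0.113.9", True, False, "source-repo", "write"),
    ]
    for r in samples:
        print(f"{r.user:6} perimeter={perimeter_decision(r)!s:5} "
              f"zero_trust={zero_trust_decision(r)}")
```

The first sample shows the failure mode the article describes: the perimeter model grants the request purely because it originates inside the intranet, whereas the Zero Trust decision rejects it for lack of verified identity and, even with MFA, would still reject it because the developer role holds no grant on the payroll database. The second sample shows the inverse, a legitimate remote request that the perimeter model would block but a Zero Trust policy admits.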
Zero Trust is gaining traction as cyber-attacks and work habits evolve
Although Zero Trust as a concept emerged nearly a decade ago, organisations have only recently begun embracing some of its components on a large scale, as cyber threat actors increasingly target employees and supply chains to infiltrate organisations from the inside. The increase in remote working and use of personal devices during the Covid-19 pandemic is accelerating the deployment of Zero Trust measures such as multi-factor authentication (MFA).
Following a series of severe cyber-attacks on public and private sector organisations, the US White House released on 12 May 2021 an Executive Order “on Improving the Nation’s Cybersecurity”. In addition to improving the sharing of threat intelligence and enhancing detection and remediation of cyber incidents, the Order mandates the adoption of cloud-based services and Zero Trust Architecture (ZTA). The Order does not provide specifics but recommends measures described by the National Institute of Standards and Technology (NIST). Some US armed forces and federal agencies have already begun incorporating ZTA principles into their cybersecurity strategies, but this Order represents the first step toward a common understanding and harmonisation of what ZTA implies. The ZTA section of the Order only concerns government agencies, but private organisations are quickly adopting baseline ZTA measures.
A fragmented adoption...
ZTA is not something that can be simply plugged in and turned on. It is a change of approach that requires revamping hardware, software, policies and training. As such, ZTA requires time and effort to be implemented fully and efficiently. This means ZTA faces numerous challenges: the existence of legacy systems and dependencies, and the sheer scale of the changes it requires, are some of them. Looking at existing ZTA initiatives, it appears that the lack of financial and human capital constitutes the first constraint on ZTA adoption. In addition, internal resistance to change can slow down operations. An overhaul of policies, systems and habits rarely comes easy.
For all these reasons, ZTA adoption often takes place after a lengthy transition process. Depending on the size of the company, the resources committed, the complexity of the IT systems, and employees' resistance to change, ZTA can take from months to years to be fully implemented. The US Department of Defense ZTA plan, as one example, segments its strategy into various maturity stages:
Level 1 - includes requirements for MFA, least-privileged access control, and encryption, among other things.
Level 2 - upgrades security with complex measures including network micro-segmentation, federated identities and human behaviour analytics.
Level 3 - the most advanced stage, with machine learning analytics and an individualised access control policy, takes ZTA to its full extent.
Fragmentation can also be geographic: while 44 percent of companies in the US polled by Microsoft were fully compliant in 2021, only 19 percent were in Germany.
...for a fragmented standard
The lack of a universal ZTA standard is another reason for this phased deployment. In the US, many organisations have not adopted the NIST Zero Trust standard 800-207. Though only created in 2019, it is likely to become the go-to standard. Other organisations are either relying on other models or have designed an in-house model. This diversity of standards adds confusion and unnecessary complexity to an already difficult task. In Europe, no ZTA standard exists, even though two-thirds of companies are planning to adopt ZTA to some extent. The EU Cybersecurity Act has established an extensive certification framework, but ZTA specifics remain in the consultation stage, with many stakeholders involved. The EU Cybersecurity Agency published the first draft candidate in May 2021. Key technologies such as cloud, 5G and the Internet of Things will be subject to greater requirements, of which ZTA will undoubtedly be a part.