Mistake No. 1: Thinking Zero Trust Can Be Installed
A zero-trust security framework is not a product that can be licensed or installed. It is a strategy that defines a holistic approach to cybersecurity that shifts the traditional network security focus from protecting a perimeter to protecting assets and users.
“Zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets and resources,” according to the National Institute of Standards and Technology’s Special Publication 800-207. “A zero-trust architecture uses zero trust principles to plan industrial and enterprise infrastructure and workflows.”
NIST adds that zero trust has been made necessary by several trends in recent years, including an increase in remote workers and bring-your-own-device policies as well as the growth of cloud-based assets located outside organizations’ own perimeters. SP 800-207 notes that “zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.”
The Cybersecurity and Infrastructure Security Agency spells out five pillars of a zero-trust model: identity, devices, networks, applications and workloads, and data. By far, identity and data governance serve as the model’s cornerstones; any zero-trust initiative must prioritize identity and data access controls, Candillo says.
In a zero-trust environment, that verification happens continuously, ensuring that even when bad actors somehow gain access to a network, they can’t hang around for long.
READ MORE: Modern data platforms deliver efficient government services.
Mistake No. 2: Ignoring User Experience Quality
Implementing a zero-trust framework typically requires shifting an agency’s philosophy around cybersecurity, says Candillo. Often, organizations embark on a zero-trust journey thinking they can continue to use “their old siloed teams and management styles, isolating security teams, network teams, application teams and system administrators,” he says. “A successful zero-trust transformation also requires a cultural transformation.”
Beyond ensuring that essential teams work in tandem to implement the approach, thoughtful consideration must be given to users and their experiences engaging with or working for the agency. User education and opportunities to make users part of the solution help create “a culture where securing company assets and customer data is a top priority and taken very seriously by everyone,” Candillo says.