By Eric Trexler, Senior Vice President of U.S. Public Sector at Palo Alto Networks
Today’s zero trust conversation has matured since it was originally popularized in 2010 by John Kindervag, one of the world’s foremost cybersecurity experts and a Palo Alto Networks alum. Although the urgency and capabilities for zero trust have exploded in the last five years, heightened by the transformation of the remote workforce as a result of COVID-19, a stubborn gap remains between comprehension and implementation.
The key to this is how we approach zero trust — we need to stop buying tools and instead approach the protection of our enterprises as a holistic organizational challenge. Zero trust adoption is taking too long and too often falls short; it’s time to accelerate our efforts or else we’ll still be talking about consolidation and security tool integration another 10 years from now. For us to take this next step, it’s helpful to understand why and how zero trust came to be.
The origins of zero trust
COVID-19 shifted zero trust from a “want to have” to a “have to have” as the workforce, especially white collar workers, shifted to a fully remote work environment.
In the year leading up to the concept’s birth, the 2009 Operation Aurora cyber attacks, a series of cyberattacks from China against the U.S. private sector, created an urgency to allow remote work without the use of a VPN. But after COVID-19, organizations went from needing to manage and control a singular network to helping manage many remote work environments for employees, pushing us to where we are today.
COVID-19 put our network security risks on display and consequently led to the adoption of zero trust architecture in the public and private sectors, as affirmed by President Joe Biden in his 2021 Executive Order on Improving the Nation’s Cybersecurity.
The current status of zero trust
Although zero trust implementation is gaining traction, rearchitecting networks to achieve zero trust is not so straightforward. Especially for small businesses and state, local and education actors, it is difficult to find the resources and time to implement sizable security programs. A recent survey found only 59 percent of information technology leaders have a zero trust security strategy, while 72 percent of government agencies are utilizing zero trust frameworks.
One important resource is the National Institute of Standards and Technology guidance on zero trust architecture standards for the public and private sectors, which provides credibility and guardrails for what zero trust is and does. This includes NIST’s updated SP 800-207 document (August 2020), which contains general information about zero trust architecture and deployment models — much needed guidance for organizations with a newly remote workforce.
We’ve all seen the damage a cyber attack can do and there’s no doubt cybersecurity conversations continue to consistently arise in boardrooms and government agencies. Yet effective zero trust implementation requires a shift in thinking; rather than relying on a portfolio of different siloed technologies, it introduces holistic security and calls for defining concrete outcomes and constructing end-to-end programs with clearly defined success criteria. This does not mean relying on one autocratic vendor to provide your OS, applications, cloud, identity and security, but instead focusing on a security platform that is extensible and interconnected, capable of working with identity providers and critical security tools.
Taking zero trust to the next level
Consolidation, integration and acceleration are fundamental to creating an environment where adoption of zero trust architecture is possible for organizations big and small alike, as they play catch-up to secure their networks against the demands of the remote workforce and the increasing sophistication of cyberattacks.
Current efforts are not working; they are simply not keeping up with the adversary. The time is now for organizations to focus on reducing the number of tools and vendors they use. Security teams can suffer from unclear objectives, a lack of business focus, shifting requirements, unaligned teams, and rising costs combined with lowered results. By identifying desired outcomes, you can procure better and more holistic technology and platforms for the network security you need instead of keeping your security in silos.
Security vendor sprawl is expensive and inefficient, and in recent years companies have realized the added difficulties aren’t necessary. A recent survey found that 34 percent of respondents listed “too many security vendors” as their biggest challenge in managing cybersecurity, and a recent Gartner study found that in 2022, 75 percent of organizations were looking to consolidate their vendors due to concerns about “operational inefficiencies and the lack of integration” of their security products, compared to ~30 percent just two years before. The Department of Defense’s zero trust journey is a good example of how consolidation can powerfully simplify core processes and enhance an organization’s front line of defense.
Zero trust architecture deployments are desperately needed in both the private and public sectors. For the private sector, reporting and expertise is limited and the actual number of breaches is higher than we know. Private companies have sensitive data too, and it’s not just about protecting U.S. business but our workers as well, and lacking secure cyber practices puts both at risk. For state and local communities, resources are incredibly lacking. We need more initiatives and grants going to states to help equip their communities and critical infrastructure against cyberattacks, like what happened in Dallas and numerous other cities.
Zero trust architectures, like building architectures, are merely designs or plans. Without careful, well-thought-out implementation, they can reflect our wildest dreams or fail to live up to the desired expectations. Cost, capability and time matter. It’s important to have a solid plan and begin execution, as even the grandest design poorly implemented is not always the best answer.
As cyberattacks increase in severity and quantity, every day matters in securing our sensitive information and networks. We need to prioritize managing strategy and stakeholders, building integrated and focused security teams and deputizing leadership sponsors to ensure these programs are successful. With zero trust architecture adoption, our governments and businesses can be confident in the protection of their day-to-day operations and the health of their networks, but only if they focus and change how the enterprise is secured. If we continue to mature in our approach while treating zero trust security efforts as we would large-scale IT programs, we can close the gap against our adversaries.