BACKGROUND IMAGE: jijomathai/stock.adobe.com
The zero-trust model of cybersecurity has been billed as an ultrasafe defense against emerging, unrecognized threats. Unlike perimeter security, it doesn't assume people inside an organization are automatically safe. Instead, it requires every user to become authorized before any access is granted.
This is an attractive proposition in a world where the number of internal threats is growing. One report showed that insider threats are responsible for close to 75% of all breaches -- both accidental and intentional. Companies have made efforts to correct this by turning to zero-trust strategies. But while the zero-trust model offers significant advantages, it's not perfect. Making zero-trust cybersecurity as effective as possible starts by understanding the built-in risk factors.
Abandoning one cybersecurity strategy for another is not quick or easy. This is especially true for large organizations or ones with legacy security solutions in place. Moving to a zero-trust model may be enticing -- even obligatory -- but leaders must also consider the disruption that comes with such a transition.
A piecemeal approach to zero-trust cybersecurity can create gaps
Zero-trust cybersecurity may eventually lead to superior security, but along the way, it can put companies at greater risk.
Most companies customize their own strategies using a piecemeal approach, but gaps or cracks may develop that make zero trust less ironclad than advertised. At the same time, unwinding a legacy solution can create unexpected security lapses.
Zero-trust cybersecurity requires commitment to ongoing administration
Another frequently overlooked obstacle to switching to a zero-trust cybersecurity model is the need for ongoing administration. Zero-trust models rely on a vast network of strictly defined permissions, but companies are always evolving: People move into new roles and change locations. Access controls must be updated each time to ensure the correct people have access to specific information. Keeping the permissions accurate and up to date requires ongoing input.
This is problematic: If controls aren't updated immediately, unauthorized parties could gain access to sensitive information. Imagine, for instance, that someone was fired but could still access internal information for a week. He could have a powerful incentive to go rogue, underscoring the role of speed in a zero-trust strategy. If companies cannot act quickly in these situations, data is at risk.
Zero trust vs. productivity
Introducing a zero-trust cybersecurity approach potentially affects productivity as well. The core challenge of zero trust is locking down access without bringing workflows to a grinding halt. People require access to sensitive data to work, communicate and collaborate. If individuals change roles and find themselves locked out of files or applications for a week, their productivity can plummet. In the worst instances, lost productivity becomes a bigger problem than cybersecurity itself.
Mitigating the risk of zero trust
Zero-trust cybersecurity has its flaws, but it's still the preferred posture for security-conscious companies. The best way to mitigate the inherent risks is to avoid thinking of zero trust in binary terms.
Companies can adopt the zero-trust model without abandoning their legacy security solutions. Start by identifying the most sensitive data and critical workflows. Those can be subjected to stricter access controls, such as multifactor authentication, privileged access and session management. Remaining data is subject to standard perimeter controls, while only the most important information is subject to a zero-trust standard.
Gradually introducing zero-trust security is beneficial because it doesn't disrupt the continuity of a cybersecurity strategy. Companies begin locking down crucial assets, but because they're not entirely abandoning one system for another, they're exposed to fewer threats.
Despite the efforts of the vast cybersecurity community, data breaches continue. To combat this, zero-trust cybersecurity focuses on securing assets themselves, rather than just entry points. As long as companies recognize the risks and rewards of this approach, they can move their security position forward.
Dennis Turpitka is founder and CEO of Apriorit, a software development company that provides engineering services globally to tech companies, including Fortune 500 tech giants. Turpitka's team works and lives in Ukraine.