Zero trust adoption is beginning to accelerate as networks grow more complex. Gartner predicts that by 2026, 10% of large enterprises will have a comprehensive, mature, and measurable zero trust program in place, compared with just 1% today. Adoption has nonetheless been slow: according to a 2023 PwC report, only 36% of organizations have started their zero trust journey. What is the holdup?
Integrating and configuring zero trust at scale is no small feat. Between managing user experience (UX), working within resource constraints, and driving the cultural change that adoption requires, zero trust can simply be hard.
Historically, zero trust focused on networks and identity and access management, but over time it has become a comprehensive approach to cybersecurity that requires a holistic view of an organization’s IT infrastructure. Where early zero trust thinking dismissed any role for endpoints, because the “perimeter no longer mattered,” those working through implementation now see that endpoints are a crucial component of a robust zero trust strategy.
While every enterprise is different, there are some common roadblocks that slow the adoption process. In this article, we’ll offer up some tips to overcome these challenges.
Zero trust adoption tips
Most organizations’ IT infrastructure comprises two crucial components – networks and endpoints. Think of the network as roads and the endpoints as the destination for attackers. These can include servers, virtual machines, workstations, desktops, laptops, tablets, mobile devices, and more. And they run multiple applications, store and manipulate data, connect to other data sources, etc.
Cybercriminals strive to compromise and control these endpoints as they push deeper into enterprise networks. From there, they can harvest additional credentials, move laterally, maintain persistence, and eventually exfiltrate data. Because these endpoints are in constant use (and their numbers keep growing), they are challenging to secure. Layer on misconfigurations, which account for approximately a quarter of endpoint compromises, and it is clear that security teams need a more holistic security framework.
Let’s dive into the tips. While this is not a comprehensive list, hopefully it will help you and your team overcome some of the initial heartburn associated with zero trust adoption for endpoints.
1. Break down information silos and consolidate technologies where you can – Organizational structures that don’t support deep collaboration between IT and security will only exacerbate concerns about increased attack surfaces and worsen challenges around compliance requirements. For zero trust success, teams must break down information silos and share data across teams and solutions. Beyond the zero trust benefits, consolidation can significantly reduce the cost of maintaining multiple systems and greatly improve efficiency by reducing the complexity and redundancy of numerous tools for a single task.
2. Maintain a comprehensive asset inventory and get complete visibility of endpoints – You must know what you have in order to protect it. This may seem unnecessary under a zero trust approach whose first rule is to trust nothing, but knowing which devices are managed by your organization and which are personal lets you categorize how you validate and verify the trustworthiness of each endpoint. This can be difficult, with challenges around complexity, lack of integration, human factors, and cost. But with on-demand asset discovery and a real-time asset inventory, you should be able to achieve comprehensive visibility, giving you a clearer picture of which endpoints are actively managed and which devices should be vetted more carefully.
3. Utilize automated policy-based controls for detection and remediation across asset types – Managing and enforcing controls manually relies on human oversight and intervention to detect and remediate security issues. This is no longer sustainable, especially as an organization scales, as the growing number of cyber-attacks and data breaches shows. Policy-based rules driven by automation ensure that security controls are applied consistently and uniformly across all assets and user activities. They can also eliminate manual tasks, such as requiring end users to accept a patch or update and restart their machines.
This kind of automated policy enforcement should also feed the policy enforcement point or trust evaluation engine that a zero trust implementation needs. With trusted policy-based profiles on hand, a trust evaluation engine can “ask” questions of a device or asset and assess its security posture. For example: Is the host firewall enabled? Are the latest approved patches installed? Have any unknown programs been installed recently that have not yet been scanned with a vulnerability scanner?
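The checks above, and the managed-versus-personal distinction from tip 2, are easy to picture as code. The evaluator below is an added illustration, not code from the article or from any vendor’s product: it takes a device’s posture attributes (as an asset inventory or endpoint management agent would report them), asks the three questions uniformly of every device, records each failed check so remediation can be automated, and returns a decision. The policy names, the approved patch baseline and the sample inventory are all constructed for the example.

```python
"""Toy device-posture evaluator for a zero trust policy engine.

Added illustration, not code from the article or any vendor product.
The policy names, the approved baseline and the sample inventory below
are constructed for the example; a real engine would pull these
attributes from the asset inventory and endpoint management telemetry.
"""
from dataclasses import dataclass, field

# Hypothetical approved patch baseline, written as "YYYY-MM" so that plain
# string comparison orders baselines chronologically.
APPROVED_PATCH_BASELINE = "2024-03"


@dataclass
class DevicePosture:
    device_id: str
    managed: bool            # enrolled in corporate management (vs. personal/BYOD)
    firewall_enabled: bool   # host firewall switched on
    patch_baseline: str      # newest approved patch set installed, "YYYY-MM"
    # Programs installed recently that have not yet been vulnerability-scanned.
    unscanned_new_programs: list[str] = field(default_factory=list)


def evaluate_posture(device: DevicePosture,
                     approved_baseline: str = APPROVED_PATCH_BASELINE) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is 'allow', 'restricted' or 'deny'.

    Each check is a question the engine "asks" the endpoint. Every failed
    check is recorded, so the same output can drive automated remediation
    instead of a ticket for a human to chase.
    """
    failures: list[str] = []
    if not device.firewall_enabled:
        failures.append("host firewall disabled")
    if device.patch_baseline < approved_baseline:
        failures.append(f"patch baseline {device.patch_baseline} older than {approved_baseline}")
    if device.unscanned_new_programs:
        failures.append("unscanned programs: " + ", ".join(sorted(device.unscanned_new_programs)))

    if failures:
        return "deny", failures
    # A device that passes every check still earns less trust when the
    # organization does not manage it; the inventory tells us which is which.
    return ("allow" if device.managed else "restricted"), []


def evaluate_fleet(devices: list[DevicePosture]) -> dict[str, tuple[str, list[str]]]:
    """Apply the same policy uniformly to every asset in the inventory."""
    return {d.device_id: evaluate_posture(d) for d in devices}


# Constructed sample inventory: one compliant managed laptop, one with the
# firewall off, one stale server, one compliant personal phone, and one
# laptop with an unscanned new program.
SAMPLE_FLEET = [
    DevicePosture("laptop-001", managed=True, firewall_enabled=True, patch_baseline="2024-03"),
    DevicePosture("laptop-002", managed=True, firewall_enabled=False, patch_baseline="2024-03"),
    DevicePosture("server-010", managed=True, firewall_enabled=True, patch_baseline="2023-11"),
    DevicePosture("byod-phone-7", managed=False, firewall_enabled=True, patch_baseline="2024-04"),
    DevicePosture("laptop-003", managed=True, firewall_enabled=True, patch_baseline="2024-03",
                  unscanned_new_programs=["unknown-installer.exe"]),
]

if __name__ == "__main__":
    for device_id, (decision, reasons) in evaluate_fleet(SAMPLE_FLEET).items():
        print(f"{device_id:14} {decision:10} {'; '.join(reasons)}")
```

Two design points are worth noting. First, a passing unmanaged device is returned as “restricted” rather than “allow”: passing the checks is necessary but not sufficient, and the inventory is what lets the engine tell a managed laptop from a personal phone. Second, the reasons list is the remediation hook; a policy that only says “deny” leaves a human to work out why, which is exactly the manual step tip 3 is trying to remove.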
As more and more organizations move to implement zero trust, it is crucial to understand the key challenges associated with endpoint security. Success requires a shift in mindset, an understanding of the requirements, and a set of tools that can support the framework.
Tailoring the zero trust principles to your enterprise’s needs will accelerate the journey, and hopefully these tips help. For more practical implementation guidance, see the recent work of the National Institute of Standards and Technology (for example NIST SP 800-207, Zero Trust Architecture) and the National Cybersecurity Center of Excellence.