Five zero trust questions you haven’t asked — but should


Co-authored by Alvin Cheung, Senior Manager, EY Cybersecurity

Understanding what zero trust truly means helps organizations bolster cybersecurity in a dynamic environment of evolving threats.


In brief

  • Zero trust is more than a tech tool; it’s an overall cybersecurity paradigm.
  • This holistic approach will look different for every organization, depending on how user and asset identity is verified, and other key factors.
  • Considering unique business requirements and specific goals at the front end can help build zero trust solutions that provide meaningful business value.

We know zero trust matters. Some 96% of security decision-makers now consider it critical to organizational success. The thing is: many companies are failing to cut through the buzz and get to the heart of what zero trust really, truly means — and that lack of understanding jeopardizes long-term security, profitability and growth.
 

Asking five key questions now can help an organization go beyond the basics and get a firmer grasp of what zero trust means for it specifically. And that’s key. So, what haven’t you asked that you should?
 

1. What does zero trust mean for our organization?
 

Zero trust is bigger than any single technology: it is a security paradigm through which any organization can approach and strengthen its cybersecurity program. Put simply, zero trust isn’t rocket science: it’s access. And it will look different from one organization to the next.
 

Think about the ways in which you interact with your own enterprise infrastructure. On any given day, you head into the office, connect to WiFi or plug into a port. Or perhaps you decide to work from home using remote access technologies. Chances are you deploy virtual desktop environments — and probably, a variety of them. Taken together, these scenarios reflect the many different ways the enterprise allows you to access its resources. The question is, are the right controls in place — and consistently applied — to safeguard that access wherever and whenever it happens?
 

Getting to the heart of what zero trust means for an organization requires the enterprise to think through how it verifies user and asset identity, as well as the posture of the endpoint. It means considering how the business applies least-privilege controls to network flows, and where it applies them (i.e., at the perimeter, deep in the data centre, or not at all). Also important: assessing whether threat inspection is being applied to the network flows that are allowed, and running through these checks for every single way a person can access any enterprise resource.
 

With those core capabilities defined, organizations can cut out just about anything else that overcomplicates the objectives of zero trust to instead focus on the well-defined requirements that form the basis for zero trust analysis, conceptual models, comprehensive designs and practical implementation.
 

Start thinking about your business requirements and what you want the zero trust solution to provide in terms of business value. Work through legal, regulatory or privacy requirements the design should address. Cast a broad net to identify all user types, consolidate their shared requirements and build patterns that align to zero trust principles. Explore which existing policies and standards should be incorporated. Remember to outline budget allocation, skill requirements and operational considerations at this stage of the planning discussion. 
 

2. How do we bring stakeholders on board to the zero trust business case?
 

Selling zero trust to stakeholders requires you to showcase the ways this approach can maximize business value. Keep in mind: this is an evolving space. Your leadership may not necessarily understand the benefits of zero trust. Obtaining adequate funding, or avoiding internal friction, may be difficult — but the right strategy means it’s certainly possible.
 

The key lies in your ability to ensure stakeholders understand what zero trust means, how it can be applied and, importantly, what outcomes they can expect. You’re going to need to illustrate the multidisciplinary nature of implementing zero trust controls and highlight the importance of integrating networking, network security, identity and access management, continual posture assessments and automated response through a seamless execution plan to deliver maximum results.
 

Showcasing the threats and threat actors the organization is up against can be a good way to underline the benefits zero trust brings. Drawing a clear mapping to your cybersecurity program’s key performance and key risk indicators will be important. This is how you start to show the tangible improvements zero trust can bring, provide transparency and emphasize the importance of continually improving a cybersecurity program like this. Synergizing the zero trust approach with other programs — such as work-from-anywhere flexibility or insider threats — can help you fully illustrate the benefits of zero trust to help bring key stakeholders on board. 

3. Are we doing too much or too little?
 

Ensuring your zero trust scope is well defined and achievable is critical to the overall success of zero trust implementation. You can strike the right balance by assessing your design to ensure it is neither too ambitious nor over-engineered. Consider whether you’re planning out implementation phases correctly and double-check that initial requirements and timelines are realistic.
 

As we know, many types of actors, both internal and external, access enterprise resources. A zero trust control stack for one kind of actor may not be the right fit for another. At the same time, you don’t want to develop patterns for every single type of user. Focus on identifying key access use cases that involve large groups of users and actors that share the same types of requirements. These will provide your organization with the greatest risk-reduction value.
 

4. Do we know enough about the entire topography to be effective?
 

For zero trust to work, you must know the topologies of how you provide and grant access to enterprise resources. That means understanding how different actors access your resources from end to end. Examine the variety of ways in which you access resources in your own environment and identify all the security capabilities, controls and configurations to see whether they’re applied properly against a zero trust access model. This discovery process alone will start to illuminate the ways the organization’s topography — at a grander scale — could be punctuated by a huge number of gaps.
 

A picture is worth a thousand words, and the same is true for networks. Keep an accurate, updated map of your entire organization’s network and identify exactly where security controls are being applied. A good diagram removes the guesswork from the equation and makes it easier to pinpoint specific areas where zero trust controls are missing.
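The per-path checks from question 1 (identity, endpoint posture, least-privileged flows, inspection of allowed flows) and the control map from question 4 can be modelled together. The following is an added illustration, not code from the article or from EY: the access paths, enforcement points, users and resources are constructed assumptions, and a control that is not applied on a path is treated as a failed check (fail closed).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# The per-path capabilities the article names: verified user and asset identity,
# endpoint posture, least-privileged network flows, threat inspection of allowed flows.
CAPABILITIES = ("identity", "posture", "least_privilege", "inspection")

@dataclass
class AccessPath:
    name: str
    # capability -> enforcement point ("perimeter", "data_centre", "endpoint"),
    # or None when the control is not applied anywhere on this path
    enforced_at: Dict[str, Optional[str]]

def gaps(path: AccessPath) -> List[str]:
    """Capabilities not enforced anywhere on this access path."""
    return [c for c in CAPABILITIES if path.enforced_at.get(c) is None]

def coverage_report(paths: List[AccessPath]) -> Dict[str, List[str]]:
    """Control map of question 4: every access path against every capability."""
    return {p.name: gaps(p) for p in paths}

def decide(path: AccessPath, user: str, resource: str, identity_ok: bool,
           posture_ok: bool, allowed: Set[Tuple[str, str]]) -> Tuple[str, str]:
    """Default-deny decision for one request; a control missing on the path fails closed."""
    checks = (
        ("identity", identity_ok, "user or asset identity not verified"),
        ("posture", posture_ok, "endpoint posture not verified"),
        ("least_privilege", (user, resource) in allowed, "flow not in least-privilege policy"),
        ("inspection", True, ""),  # only the presence of inspection on the path is checked
    )
    for cap, passed, reason in checks:
        if path.enforced_at.get(cap) is None:
            return "deny", f"{cap} control not applied on path {path.name}"
        if not passed:
            return "deny", reason
    return "allow", "identity, posture, flow policy and inspection all satisfied"

# Constructed sample inventory of the four access paths the article describes.
FULL = {"identity": "perimeter", "posture": "endpoint",
        "least_privilege": "data_centre", "inspection": "perimeter"}
PATHS = [
    AccessPath("office_wifi", dict(FULL)),
    AccessPath("office_port", {"identity": None, "posture": None,
                               "least_privilege": "data_centre", "inspection": None}),
    AccessPath("remote_access", dict(FULL)),
    AccessPath("vdi", {**FULL, "inspection": None}),
]
ALLOWED = {("alice", "payroll-db"), ("bob", "wiki")}  # constructed least-privilege policy
```

Running `coverage_report(PATHS)` lists the office port and VDI paths as the ones where the same request that is allowed over WiFi or remote access is refused, which is exactly the kind of inconsistency the diagram in the text is meant to expose.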
 

5. How can we implement zero trust while also prioritizing core principles of good design?
 

Implementing a zero trust model that’s the right fit for your organization starts by building a target state architecture and using it to evaluate and implement technical solutions. However, it’s not simply about procuring the latest, shiny new security tool. It’s important this process includes basic principles of good, human-centred design.
 

Seamless user experiences can set you apart and allow for a more successful enterprise adoption of zero trust controls. You can drive that uptake by focusing architecture on avoiding the creation of unnecessary security friction that has diminishing security ROI and could become a source of headaches for your users. As part of this process, consider how the design itself can be simplified to reduce points of potential failure, increase manageability for your operations and reduce costs. You want your design to leverage what already works well, while deprecating what doesn’t.
 


Summary

Organizations must recognize that building a zero trust architecture is bigger than simply implementing micro-segmentation. It requires a holistic understanding of entitlements. It means recognizing that posture is more than just the endpoint. It takes a clear view of an organization’s access patterns and a thoughtfully chosen technology to support enforcement. Taken together, these pillars underpin any cybersecurity transformation program geared to generate a zero trust environment.
 

Above all: remember that every zero trust framework will look different depending on an organization’s business direction, past and future investments, threats, current technology stack, maturity and relationships.