We talk a lot about Zero Trust architectures (ZTAs) at Yubico because we’d like to see every customer embrace its guiding principle: no user, whether they are authenticating from inside or outside the organization, has implicit trust granted. Additionally, the authentication method must be phishing-resistant and provide signals that attest to the protection of the user credential.
We often see confusion among customers and the marketplace about exactly how to define ZTA. When the rubber meets the road, what are the real-world impacts of ZTA? For example, what does ZTA adoption mean for budgetary decisions like purchasing equipment or software, and how will it alter upgrade schedules?
If you’re in a ZTA planning phase, or even just thinking about beginning one, it can help to identify the most common misconceptions about ZTA. If internalized, these misconceptions can slow down or stop good planning and rollout practices.
- Zero Trust is a product
You’ll see Zero Trust terminology tossed around in product descriptions, but it is not itself a product or feature of a product. Instead, it’s an approach or framework based on best-practice security principles. The principles need to be applied to every project regardless of technology to gain the full benefit of ZTA.
Zero Trust architecture methodologies define specific disciplines and cross-discipline capabilities, and different solutions focus on different ones, but those solutions need to work together to ensure access and risk management are efficiently integrated.
- Zero Trust benefits can only be achieved once the framework has been built
It’s better to think about ZTA as you think about healthy eating. It is not a one-time diet, but a life choice with various parts that lead to overall better health. You will not be able to effectively run a marathon immediately, but every healthier eating and exercise habit helps improve your overall fitness.
The same is true for the Zero Trust design approach. Not every component may get installed in the same rollout, but with the right framework that takes it step by step, eventually you bring the organization closer to a mature Zero Trust security architecture.
Before any rollouts are activated, it’s a good idea to set up a communication plan for users on what’s to come. Basic change management, signaling the value of a different approach and new technology rollouts to team members and end users, goes a long way toward gaining acceptance and arriving at an achievable Zero Trust design.
A security audit is another best practice to jumpstart a Zero Trust initiative and schedule what comes first on the roadmap. Is every user accessing your network strongly verified, and using a trusted authentication mechanism? If the answer is no, then you’ll know exactly where to start when you identify users that are getting in the door too easily.
- Zero Trust is only for privileged users
When your team starts to separate privileged users from other users on the whiteboard, you may be limiting the view of the risk and adding complexity to the design. Viewing the risk based on data classification is a better approach, as it focuses on what is important and thus how to protect it. Under ZTA, every user should be considered a privileged user – not just the few who are in important or visible roles.
Sensitive data no longer resides on a single, on-premises server farm – often the most agile organizations store that data at many different locations, or in the cloud, where it can be accessed from many levels of the organization. All it takes is a compromising event from a single user to allow access to crown jewel data, so using the broader definition of who qualifies as privileged is the safer route.
- Zero Trust is only for large enterprises
Not at all! As mentioned earlier, Zero Trust is a design concept rather than a set of technologies, so it can come in all sizes. Larger organizations may have some compelling reasons for acting urgently – for example, they will have many different types of users, systems and access points compared to smaller organizations.
In fact, the same framework and design approach should be used by SMBs. Given the reliance that many SMBs have on cloud-app-heavy environments, a Zero Trust approach is still best practice. Cloud environments provide a number of built-in benefits of Zero Trust, but that doesn’t mean you stop building out your Zero Trust Architecture. You still have to be diligent in ensuring the systems that are being used are properly configured and maintained with Zero Trust principles in mind.
- My industry doesn’t have a lot of risks – Zero Trust is only for highly regulated or high-risk industries
Yes, compliance and regulatory requirements often drive the urgency of Zero Trust projects because there’s usually a deadline involved set by a government agency. But even those companies that don’t work with the government or that don’t fall under strict regulatory oversight must consider Zero Trust best practices to protect sensitive data or intellectual property. Given how fast-evolving and volatile the threat landscape has been lately, Zero Trust makes sense as an approach to reduce risk.
- Zero Trust will become less relevant as users go back to the office
We’ve all read the stories about the return-to-office trend, but it’s safe to say that the hybrid model is not going away. That model, where employees move between different workstations at home, in the office or on the road, dictates that any authentication system has to be prepared to verify user identities at multiple access points. Zero Trust Architecture (ZTA) started in the days when everyone went to the office. It became even more important when the majority of workers were remote. Now, to enable a hybrid workforce, ZTA continues to be a key set of principles to make a company safe and productive.
At the end of the day, a Zero Trust framework is a journey. In order to be successful, organizations need to adopt an approach that trusts no individual or thing unless it is properly verified before being given access to a network or data.
Adopting strong phishing-resistant authentication as a core building block of a Zero Trust strategy will significantly enhance the security posture of organizations. Use of modern, phishing-resistant multi-factor authentication (MFA) tools like YubiKeys to prevent network access with stolen passwords and legacy forms of MFA is a smart place to start your Zero Trust journey.