04/14/2021 | News release | Archived content
The simplicity of the zero-trust concept belies the complexity of implementing it in most large organizations. Here are four factors to consider before you begin the journey.
Zero trust, a cybersecurity concept first introduced by Forrester in 2010, is emerging as the answer du jour for a wide range of challenges facing today's digital enterprise. It accommodates the perimeter-busting work-from-home trend necessitated by the COVID-19 pandemic. It addresses the fundamental issues raised by the SolarWinds breach. And it complements the cloud-based infrastructure, platforms and applications that are fundamental to digital transformation.
Prior to COVID-19, you could say the world was trundling toward a zero-trust future at a speed of about 10 mph. In the post-COVID era, we find ourselves barreling toward zero trust at a pace that feels more like 90 mph.
The premise of zero trust is relatively straightforward. According to the U.S. National Institute of Standards and Technology (NIST), zero trust is 'a cybersecurity strategy that focuses on moving network defenses from wide, static network perimeters to focusing more narrowly on dynamic and risk-based access control to enterprise resources, regardless of where they are located.'
While we at Tenable agree that the realities of today's work environment have rendered the notion of a perimeter obsolete, we also believe the simplicity of the zero-trust concept belies the complexity of implementing it in most large organizations. The Zero Trust Progress Report, released in February 2020 by Cybersecurity Insiders and Ivanti (formerly Pulse Secure), surveyed 400 cybersecurity professionals and found 47% lack confidence applying a zero-trust model to their organization's security architecture.
In its August 2020 report, Implementing a Zero Trust Architecture, NIST debunks the 'misconception that zero trust architecture is a single framework with a set of solutions that are incompatible with the existing view of cybersecurity.' Instead, the agency advises that zero trust should be viewed as 'an evolution of current cybersecurity strategies.' The report further articulates three key challenges:
Describing the implementation of zero-trust architecture as a 'journey,' rather than a wholesale replacement of infrastructure or processes, NIST predicts that 'most enterprises will continue to operate in a hybrid zero-trust/perimeter-based mode for an indefinite period while continuing to invest in ongoing IT modernization initiatives.'
No matter where you are on your zero-trust journey, we believe the four functional components of NIST's zero-trust model also serve as the building blocks of a sound cybersecurity strategy:
Each of the above components requires:
We at Tenable believe zero trust is a model that every enterprise should strive toward. That's why we have always advocated that every single endpoint and device in the environment should be assessed for security, misconfigurations and missing updates. At the same time, we recognize the very real challenges involved in implementing these principles and advise organizations to invest in the cybersecurity fundamentals before embarking on a zero-trust journey.