Zero trust has been one of the favorite buzzwords in cybersecurity recently. A Google search with this keyword returns over half a billion results, and there are new articles about it every week or so. A 2022 survey by the Cloud Security Alliance says that 8 in 10 IT and cybersecurity professionals regard zero trust as a priority.
Eliminating all presumptions of trustworthiness is the trend nowadays, and many suggest that zero trust should be the norm moving forward. Notably, the United States federal government, through NIST, already implements zero trust security with the issuance of the Zero Trust Architecture general guidance document.
Adopting a security policy of zero trust is easier said than done, though. There are many challenges in making it a reality. No organization with already existing cybersecurity systems can adopt zero trust on the fly.
Continued use of legacy devices and systems
One of the biggest challenges in implementing zero trust security is the continued use of legacy devices, systems, and infrastructure. Many banks, for example, still use systems written in COBOL. Even the now-unsupported Windows XP is still used by a number of businesses. Many businesses, especially those involved in mass manufacturing, use devices or workstations that do not support modern zero-trust-related controls such as multi-factor authentication.
From a security standpoint, systems that are too old or obsolete should already have been retired. However, not everyone can afford to completely replace their old devices and software. Businesses are unwilling to replace systems that are still working, especially if replacement entails a major expenditure.
However, it is not impossible to bring legacy systems under a zero trust security policy. Even without overhauling systems, there are solutions that can enable zero trust implementation with disparate technologies, including legacy systems, that have inherent security weaknesses. These solutions provide a consolidated security architecture that ensures full security visibility for all IT assets and efficient ways to manage security and deal with threats in real time.
Complexity and employee resistance
Modern cybersecurity can be genuinely complex, mainly because of the current cyber threat landscape. The threats organizations face today are not as simple as viruses spread through floppy disks and CDs. Almost all organizations at present already use the internet through multiple workstations. Many also use a host of connected gadgets or IoT devices, which significantly expand attack surfaces. Additionally, the use of cloud solutions continues to grow.
All of these necessitate a cybersecurity system that can be quite complex for organizations that are new to modern security solutions. New processes will be added to existing IT use procedures, especially when it comes to requesting and granting access/use permissions under a zero-trust setup. This complexity can be quite difficult for many to grasp. It can also lead to resistance among employees and even those in upper management.
Adopting new ways of doing things requires training and possibly the acquisition of new software. Employees who have been accustomed to old procedures may not be keen on any of these, which can also affect their productivity and overall business operations.
However, refusing to change in order to integrate better security systems is not an option. That's why it is important for managers to properly introduce the new system and present the benefits and long-term advantages. Also, if applicable, it is advisable to choose a suitable cybersecurity consolidation platform, one that is not only reliable but also intuitive or easy to use.
Integration challenges are not only a problem with legacy systems. There are many devices, apps, cloud accounts, and other IT assets that may not be compatible with zero trust security. This is particularly true when it comes to industrial control systems.
Industrial control systems tend to be unsuitable for zero trust policies because of the nature of their operation. They are designed to continuously communicate with various components to operate efficiently. It is difficult to introduce zero trust policies in power plants or transportation systems not only because of the massive changes it would entail but also because of the required pauses in automated processes to authenticate or verify instructions.
Authentication is usually necessary because many of the components in industrial operations tend to be part of a legacy system or are inherently unsuitable for modern security controls. The usual automation is only possible if trust is established in certain communications or instruction transmissions. Also, industrial control systems usually have to be highly available or continuously operating. As such, they may not work as intended if the authentication or verification needed under a zero trust system introduces latency.
Moreover, many IoT devices are inherently not designed for zero trust. They have limited processing power and not enough memory to have full-fledged security systems capable of zero trust functions.
Still, as mentioned earlier, there are ways to address this challenge. Heterogeneous low-resource and old devices can be brought together to operate under zero trust security with modern solutions. There are IoT observability and security platforms that can consolidate various IT assets to ensure that they are used securely.
Lack of support from the top
Lastly, zero trust security can be very difficult if the owners of a company or the top-level managers are resistant to it. Changing security policies is not cheap. Organizations may need to replace a significant part of their entire IT infrastructure to be in line with the concept of zero trust security. Add to this the need to provide adequate training to get everyone on board with the new security system. It is even possible that employees would resist the change. Ultimately, the changes can affect operations, albeit temporarily. These are factors that do not bode well for management decisions when it comes to cybersecurity, especially for organizations that are struggling with their bottom line.
It is also not rare for those in top-level administration to dislike the inconvenience of repetitive user identity authorization and permission requests. They are the bosses of the company, so many would likely think that not providing them the trust they used to get is rather counterintuitive.
Implementing a new cybersecurity policy for an organization is not a bottom-up endeavor. It has to start from the top, as informed by experts. Resistance coming from top-level management is a crippling challenge.
It would be inexpedient to disregard the benefits of zero trust security because of the aforementioned challenges. The advantages certainly outweigh the drawbacks and temporary inconveniences. There will be pain points in moving towards comprehensive zero trust security adoption, but the payoff will far outweigh the temporary difficulties.