Zero trust security makes sense, yet why is adoption so slow?
Despite some well-documented benefits, zero trust is yet to be widely embraced. Awareness is increasing, but it’s often not being followed up with action, writes Joanne Wong.
As a concept, zero trust has been around for a decade. With the promise of improved security and reduced management costs, on paper it sounds like an obvious choice for most law firms.
Fear of the unknown
The reason is that, for most organisations, adopting a zero trust model can be a somewhat daunting challenge. The approach turns traditional perimeter security on its head and instead focuses on identifying users and the resources to which they should have access.
Also, for many early adopters, migrating to a zero trust architecture is something that took years and the allocation of significant resources. Others tried and failed, reverting to their legacy security measures.
Interestingly, those organisations that are successful in their zero trust ambitions tend to follow a similar path which begins with a focus on the data that needs to be secured. It’s important to understand where this data is stored and how it is accessed by users and applications.
A second step then involves focusing on user governance and device trust. These two items will provide you with the most value, quickly, and sit at the heart of any successful zero trust architecture.
A final step is to create a comprehensive business plan that covers all the areas in which a return on investment (ROI) is expected. This should include factors like a reduction in the IT spending associated with technologies that are no longer required, such as firewalls, VPNs, and Active Directory.
The plan should also provide details of the process optimisations that will be achieved. These will not only reduce the need to manage a legacy environment but also automate areas where IT spends the most time and resources.
Taking a phased approach
With a comprehensive deployment plan in place, deployment of a zero trust model is usually completed in three phases:
- Phase 1: In the initial phase, the objective is to focus on security basics. Take time to identify all sensitive data and business-critical applications that store or have access to that data. This is the time to map out data flows and update application inventories across the organisation. This work will form the basis for governance of your users, systems, and applications.
- Phase 2: The next phase involves selecting an application, such as a human resource management system (HRMS), where it’s possible to provision roles, entitlements, and access levels for all staff. It is also important to implement a single sign-on solution (SSO) and multifactor authentication (MFA) to protect critical applications.
- Phase 3: The third phase is where mobile device management capabilities are deployed. This is teamed with privileged access management to ensure sensitive data is only accessed by trusted devices.
Once these phases have been completed, attention can shift to other areas in which the zero trust model can be put to work. One is to use a cloud access security broker (CASB) to protect sensitive data stored in cloud services; another is to add advanced user and entity behaviour analytics (UEBA) capabilities that can detect and respond to anomalous user behaviours.
Zero trust should not be thought of as a security “silver bullet” that will solve all challenges within an organisation. However, if properly designed and deployed, a zero trust strategy can provide robust levels of protection for users, data and applications. Even if one user or data store is compromised, the strategy prevents an attacker from gaining access to other areas.
By taking a phased approach to zero trust, law firms will be able to enjoy the benefits it has to offer in a timely manner. As the approach becomes more widely understood, slow rates of uptake will become a thing of the past.
Joanne Wong is the vice-president of international marketing at LogRhythm.