Zero Trust Messaging Needs a Reboot

Written by Daniel Ballmer, Senior Transformation Analyst, CXO REvolutionaries, Zscaler.

It’s 2024, and Zero Trust adoption across industries remains somewhere below 33%. For reference, de-perimeterization, a stepping-stone to Zero Trust, was first discussed on the Jericho Forums twenty years ago. By 2010, the term Zero Trust was a staple of cybersecurity conversations. Now, public and private organizations have widely embraced the idea of Zero Trust. National governments, often several years behind the latest technology trends, are openly advocating for Zero Trust security to become the standard.

Yet today, less than a third of organizations have taken the first step on their Zero Trust journey. Why is that? Why are we decades beyond the initial foundations of Zero Trust and not even a third of the way to our goal? Why is Zero Trust still sluggishly plodding along while more recent innovations like generative AI are achieving adoption rates of 95%? It seems like everyone agrees that Zero Trust is the path forward.

Common objections

With so much positive sentiment behind Zero Trust there must be some reason organizations are dragging their feet. Businesses not yet using Zero Trust offer a few common explanations:

• The widespread adoption of software-as-a-service (SaaS), work-from-home policies, and users working on unmanaged devices puts traditional control points beyond the business perimeter. Organizations don’t see a way to enforce Zero Trust principles on infrastructure they regularly use but do not control.

• Zero Trust limits business-led (aka shadow) IT, where users adopt necessary applications or services ad hoc, without going through official channels. Organizations fear that preventing this organic form of technical growth would impact their business agility.

• Digital supply chains are long and involve many parties. Enforcing Zero Trust policies at the organizational level does not address all the vulnerabilities or security issues that occur earlier in the supply chain.

• Zero Trust uses a holistic approach to cybersecurity. Many organizations have siloed security responsibilities where various departments secure themselves. Leadership may deem it too difficult to integrate these silos or convince them to collectively agree to a Zero Trust approach.

• Discovering who needs access to what and adjusting the corresponding permissions and settings seems unmanageable. This can be especially daunting for organizations where app, network, device, and user security are handled by different teams. Coordinating these teams to determine what least privilege access should look like per-user and, per-resource, may seem overwhelming.

Many of these issues can be resolved by reframing the way people think about cybersecurity. Yes, trying to extend Zero Trust across a traditional network (with a defined perimeter) and include everything it touches is not feasible. Employees’ personal devices, third-party vendor networks, and the entire internet are beyond the reach of the enterprise security team. But this thinking views Zero Trust as an endpoint technology to be rolled out across the enterprise.

Instead, envision Zero Trust as a metal detector everything must pass through before gaining access to organizational resources. The goal is not obsessive control over everything that could interact with the organization. The aim is simply to identify and evaluate the trustworthiness of anything seeking access to business resources right now. This model is achievable by using a Zero Trust cloud security platform to create a checkpoint between business resources and everything else.

Cloud security platforms can route all incoming, outgoing, and internal traffic through a number of Zero Trust technologies. They can send internet-bound traffic through a secure web gateway (SWG) where Zero Trust principles and other security measures are enforced. They can act as cloud access security brokers (CASB) by applying Zero Trust principles to communications between enterprises and cloud destinations. For outside users needing access to internal applications, cloud security platforms can offer Zero Trust network access (ZTNA) solutions. Much of the complexity hindering Zero Trust adoption is solved by letting a cloud security platform do the heavy lifting.

Focus on Fast Wins

Cybersecurity evangelists have lost too many years praising Zero Trust as a concept and spent too few explaining how to make it a reality. Cloud platforms enable better productivity, scalability, mobility, and security. This means Zero Trust conversations can and should highlight business benefits beyond improving security. Zero Trust is a security framework, but it enables businesses in ways that can be measured by increased productivity, infrastructure savings, and risk reduction.

Organizations know that Zero Trust and generative AI are vital for their future. The difference is adopting Zero Trust seems difficult and expensive, while using ChatGPT is quick and easy. If you’re driving a Zero Trust initiative, try focusing on simple steps that will bring the organization immediate benefits. Getting leadership onboard is easier once executives understand that investing in Zero Trust buys much more than better security.

About the Author

Daniel Ballmer is a Senior Transformation Analyst for the CXO REvolutionaries at Zscaler. He’s held writing, research, and cybersecurity positions while working with several organizations in the IT security industry, including Microsoft, Cylance, BlackBerry, and ShiftLeft.