Watch Out for These Four Zero Trust Networking Pitfalls

Shamus McGillicuddy
Oct 30, 2020

Enterprise Management Associates (EMA) has identified the top challenges that enterprises encounter when they try to build a Zero Trust network architecture.

These findings were recently published in the EMA research report, Enterprise Zero Trust Network Strategies, based on a survey of 252 networking and security experts about their use of secure remote access solutions and network segmentation technologies to create a Zero Trust network.

IT professionals told us that budget shortfalls, project complexity, skills gaps, and internecine conflicts between networking and security are their four leading challenges when implementing a Zero Trust network.

What is Zero Trust?

Zero Trust was coined by a competing analyst firm a decade ago, but it became a mainstream priority for IT and security professionals only in the last couple of years. Definitions vary depending on the vendor you talk to, but simply put, Zero Trust is the idea that every network connection request and every network session should be authenticated before authorization is granted, regardless of whether those communications are taking place inside or outside a corporate network’s security perimeter.

Many Zero Trust champions also say that Zero Trust controls should be able to challenge users and connected devices to re-authenticate at any time, depending on observed behavior and dynamic policy engines.

Enterprises vary in how deep they go with Zero Trust. They might start with secure remote access, applying Zero Trust principles to users who need to reach corporate applications and data. Others will go further, segmenting the internal network with varying levels of granularity, ultimately getting to the point where every individual workload in a data center or cloud is in its own security domain.

My research practice focuses on network engineering and operations, not necessarily security. With this Zero Trust research, my goal was to understand how enterprises use network technology to create a Zero Trust architecture. The rest of this piece looks at the pitfalls that enterprises encounter when tackling such projects.

Lack of Budget

Thirty-two percent of survey respondents told us that budget was one of their biggest Zero Trust pitfalls. Everyone always bellyaches about budget, but we observed some subtleties here. Most of these enterprises had a formal Zero Trust initiative that was sponsored by IT leadership. Among those initiatives, some carved out Zero Trust funds from their existing budget while others added a new Zero Trust line item to the IT budget.

Pardon the pun, but Zero Trust budgeting shouldn’t be a zero-sum game. Don’t cut budget elsewhere to enable Zero Trust. This can lead to an overemphasis on frugality, and it can undermine other projects in networking and security, from which the majority of Zero Trust budget funds are coming. Zero Trust can require significant investment. For instance, most of the enterprises in our survey are retiring their legacy secure remote access solutions as part of their Zero Trust projects. They are investing in new technologies like Secure Access Service Edge and Software-Defined Perimeters. These technologies are broader in scope and deeper in capabilities than a simple remote VPN solution, so there will be a premium cost.

Moreover, EMA found that enterprises which allocated new budgets for Zero Trust were the least likely to see their initiatives delayed or derailed by the COVID-19 pandemic. Instead, they were able to accelerate their Zero Trust projects to enable business continuity.

Project Complexity

Enterprises should start small with Zero Trust. Don’t rearchitect everything at once. Project complexity is a major issue for 31% of Zero Trust projects. EMA’s research found indications that enterprises are trying to apply Zero Trust principles everywhere, from the legacy data center to IaaS and PaaS environments. SaaS applications are a major priority, too.

It doesn’t stop there. We found a lot of activity around Zero Trust segmentation of corporate networks, particularly to support the Internet of Things (IoT). And now enterprises are scaling out secure remote access to support a significant increase in employees who are working from home.

With secure remote access solutions, EMA found that the majority of enterprises have two or more discrete solutions for managing access to public clouds, private clouds, and legacy data centers. On top of that, we found that the typical enterprise is using more than two Zero Trust network segmentation technologies.

If an enterprise really must adopt a handful of different solutions for these initiatives, EMA urges that they integrate wherever possible and find ways to orchestrate the administration and management of these solutions to reduce complexity and mitigate risk. Think about the client side, too. End users shouldn’t have to toggle through two or three solutions to get access to different applications.

Skills Gaps

A lack of personnel with relevant skills is a major challenge for 31% of these enterprises. This one seems pretty straightforward. Zero Trust leads to the adoption of several new technologies. IT organizations will require training before they can manage them.

But the skills gap goes beyond technology expertise. Zero Trust is an architectural transformation for many organizations, and that requires more than a vendor training session on your chosen product. Architects and engineers need to understand Zero Trust principles and apply that knowledge as they establish a strategy and evaluate vendors.

EMA also found that a lack of cross-team skills is a major speedbump when the network infrastructure team and the security team collaborate on Zero Trust implementation, which leads us to the fourth pitfall.

Conflicts Between Networking and Security Teams

Network teams and security teams don’t trust each other. EMA’s research has found this to be an issue time and again over the years. And Zero Trust is simply the latest battleground where they will clash. Twenty-nine percent of enterprises told EMA that a conflict between these groups is a major problem for their Zero Trust efforts.

Network engineers want to provide access to applications and services. Security architects want to lock down those assets. There needs to be a middle ground, and it’s there to be found.

In EMA’s research, we found that the most successful enterprises formed a Zero Trust taskforce. They pulled experts from both the network and security teams to form these taskforces. Now, instead of being on separate sides of the conference table, these people were on a unified team with a shared mission and the same downward pressure coming from IT management to get things done.

Smoothing out the conflict doesn’t stop there. IT management needs to set the budget agenda so people don’t squabble over who pays for what. They need to set up tools and processes for collaboration. And they need to push against technology biases that people from different silos might bring to the project.

Learn More!

There is a lot more data and analysis of Zero Trust networking strategies in this research. To learn more, you can check out my latest column in Network World, which covers how the COVID-19 pandemic has affected Zero Trust strategies.

Also, you can attend my upcoming webinar, which will highlight key findings from the research. That webinar takes place on Nov. 3, but that link will point to a recording after that.

Or you can download the full report (sorry, there’s a paywall).

FREE STUFF: Some of the sponsors of this independent research have licensed the distribution rights to an abridged version of the report, which you can find here (Pulse Secure) and here (Ordr) for free.

Shamus McGillicuddy

VP of Research for analyst firm Enterprise Management Associates. My research practice focuses on enterprise network engineering and operations.