What should organizations consider when deploying a zero trust architecture?
Zero Trust represents a significant shift in network and security architecture, and it requires policies and enforcement to be implemented across the whole organization. A Zero Trust mindset assumes that every network device and user is potentially compromised or poses a potential threat, so only explicitly authorized users, devices, communications, and traffic should be permitted. While this serves to slow or block the spread of malware, unauthorized access, and a wide variety of cyber threats, implementing such a design requires fundamental infrastructure and policy changes that could prove costly and will most likely disrupt existing operations and applications.
And while Zero Trust is making big inroads into IT organizations for a wide variety of use cases and specific security environments, the unique requirements of OT and IoT, combined with industrial processes, technology, and critical infrastructure, can hamper ZTA deployments that rely on general-purpose Zero Trust solutions. Many OT and IoT devices are not easily positioned in a ZTA with microsegmentation (a common Zero Trust goal). Where Zero Trust is adopted in today's OT networks, it is often limited to secure remote access scenarios, where it replaces increasingly suspect VPN access solutions, rather than being applied across the entire internal network and among all devices.
In general, organizations should assume that Zero Trust isn't a turnkey solution; it's a mindset shift. It will likely require significant upgrades or policy and application changes across the entire infrastructure. Given the many definitions and usage scenarios, organizations should prioritize how and why a ZTA should be deployed based on their current access and application requirements, and not look to specific guidelines or mandates, such as the above memo from the US government. For example, that memo calls for HTTP and DNS traffic encryption to be implemented by 2024, but not for other services like email. These specific details may be completely irrelevant to other industries and organizations with other application security needs.