It seems like everyone is singing the praises of Zero Trust security — even United States President Joe Biden. Last year, the president signed an executive order aimed at migrating the federal government to a Zero Trust Architecture (ZTA).
Biden said the government was adopting ZTA to “modernize its approach to cybersecurity and today’s dynamic and increasingly sophisticated cyber threat environment.” The Office of the President went on to say the cybersecurity framework would enable departments to “tighten access controls.”
If you’ve worked in the IT industry long enough, you probably know one thing to be true when it comes to project management: expect the unexpected. Anomalies are inevitable and, unfortunately, reality doesn’t always meet ideals.
Despite the publicity, only 23% of small and medium-sized enterprises (SMEs) have fully adopted Zero Trust security programs to date. SMEs often cite budgetary constraints, labor shortages, integration difficulties, and lack of knowledge as reasons for not adopting Zero Trust (ZT).
At JumpCloud, the most common misconception we come across is that ZT must involve several moving pieces at once. In this article, we’ll discuss the most common Zero Trust challenges that stop IT managers in their tracks and how to overcome them. Let’s get started:
When Reality Fails to Meet Expectations with Zero Trust
The concept of “Zero Trust” is deceptively simple. It means that any devices, users, and applications attempting to access an IT resource of any kind must first receive validation. The mantra “trust nothing, verify everything” is ubiquitous with the security framework.
So instead of granting implicit trust upon the initial entry to a protected network, organizations evaluate an opinion of trustworthiness based on context at every access transaction. Automated security systems answer questions like:
Is this a recognized user identity, location, and device? Can the user verify their identity in more than one way? Does this user really need access to these specific files, applications, and endpoints to do their job?
Questions like these are answered via policy checks as end users seek network access. Though simple in philosophy, transitioning from a traditional, on-prem security program to a comprehensive ZT model doesn’t happen overnight.
In fact, Forrester found the process takes an average of 2 to 3 years from start to finish. With that said, a little strategic planning can make for a much smoother ride. Below are the six most common roadblocks we see customers encounter while switching to Zero Trust:
1. Leaving Legacy Technology Behind
While it’s easy to implement ZTA for a startup, more established organizations must deal with the existing infrastructures they already have in place. And most of them are severely outdated!
Admins must take precautions when modifying existing infrastructures with new ZTA tools. Those who rush the process have been known to slow down or even break crucial systems. In addition, completely overhauling a legacy system is expensive if it has yet to deliver ROI.
We recommend developing a roadmap to gradually launch Zero Trust security elements over time. This way, you can leverage your existing infrastructure to optimize costs. And, you will significantly reduce the likelihood of experiencing major “oopsies.”
2. Limited Resources
Like any significant departmental endeavor, Zero Trust campaigns require resources in terms of labor, time, and finances. One often overlooked expense is the configuration and continued maintenance of unfamiliar elements.
Does someone on your team know how to set up authentication protocols like LDAP/RADIUS, create user policies, and apply network microsegmentation? Better yet, does anyone in-house have the extra time to roll up their sleeves and become your organization’s ZT champion?
If not, plan to outsource technical professional services to bridge the gap. In addition, budget for continued infrastructure management and support. Running into unfamiliar territory after launching ZTA is one of the primary reasons organizations fail to achieve long-term results.
Though the initial costs of outsourcing may seem prohibitive, don’t underestimate the long-term ROI. Bringing on world-class engineers to handle this specific area allows team members to focus on essential tasks. If finances are a concern, prioritize the lowest-cost initiatives that will also have the largest impact on IT security while the organization saves up.
For example, configuring multi-factor authentication (MFA), requiring more complex passwords, and setting up mobile device management are some simple ZT strategies nearly any organization can make happen.
3. Unexpected Licensing Costs
One advantage of cloud computing, that should be of particular interest to IT folks, is its inherent system agnosticism. Because SaaS applications run on browsers, admins seldom have to worry about operating system compatibility issues. Take the JumpCloud directory for instance — the platform’s cloud architecture supports identity and access management for Windows, Linux, and macOS on multiple devices.
Unfortunately, one common afterthought are the licensing fees organizations must pay to scale such services. Typically, freemium service levels don’t provide enough support, functionality, and features needed to be complete solutions.
Though affordable compared to legacy system prices, the scaling costs are still burdensome for managers with limited spending power. One prudent solution is to limit licensing per the principle of least privilege (PLP). This way, IT management can both a) enhance cybersecurity as part of Zero Trust and b) reduce spending.
4. Lackluster User Adoption
Lackluster user adoption sinks Zero Trust programs faster than a highly dense object thrown into a large body of water! According to McKinsey, 70% of change initiatives in organizations fail due to employee resistance.
Common causes of poor user adoption for Zero Trust include:
- Misconceptions about Zero Trust
- Unclear communication
- Lack of familiarity with Zero Trust architecture
- Ineffective and inefficient training
Form a task force to identify potential bottlenecks that might cause employees to cut corners or not be able to follow instructions. In addition, incorporate training sessions into the onboarding process to ensure everyone knows how to manage specific tools.
5. Lack of Leadership Support
Another significant impediment to smooth sailing is leadership who doesn’t understand the significance of setting up ZTA.
Smooth adoption and long-term success depend on senior management “buy in.” And that is contingent on how well IT admins can connect the dots between the following points:
- What does Zero Trust mean? No, like, actually.
- What technologies, tools, and resources do we need?
- Where are the vulnerabilities in our existing infrastructure?
- What is the average cost of a data breach?
- How much could stolen data potentially cost us?
- How common are data breaches?
Remember: leadership doesn’t need to understand the nitty-gritty of the technology behind Zero Trust. However, they must grasp the severity of failing to secure organizational networks in a world of increasingly sophisticated hackers. This is where a comprehensive proposal can work its magic.
6. Tool Incompatibilities
Finally, some organizations rush into purchasing ZTA solutions, only to realize they are incompatible with existing infrastructures. Legacy technology systems don’t always jive with Zero Trust-based solutions and are unable to meet Zero Trust requirements.
Sometimes, you can easily solve this challenge by upgrading your infrastructure. You don’t have to throw everything out. Consider partnering with a vendor flexible enough to customize their solutions to your exact requirements.
Alternatively, you may switch to using tools that match the existing infrastructure. For example, the JumpCloud Directory offers a convenient consolidation platform for managing Zero Trust policies across Mac, Windows, and Linux devices.
Watch this tutorial on how to implement Zero Trust on different devices using JumpCloud.
Streamline Zero Trust with JumpCloud
Based on recently publicized initiatives, and the popularity of remote work, expect the public discourse around Zero Trust security to continue.
However, as discussed in this article, unanticipated roadblocks often result in a mismatch between original intentions and long-term realities. It’s essential to remember that Zero Trust doesn’t represent any singular technology; it’s a multi-faceted framework involving cybersecurity best practices, identity and access management tools, end-user policy customization, and more.
Develop a solid action plan with the support of industry experts to ensure your team approaches implementation in the safest, most effective, and most affordable manner.
Want a deeper look inside how top organizations are tackling Zero Trust?