Blog
Mar 29, 2023
9 min read

How to Overcome 5 Common Obstacles to Implementing Zero Trust

After years in the conceptual ether, zero trust is finally beginning to distill into a practical framework that can be realistically implemented.

Zero trust secures connectivity by eliminating transitive trust. Based on the premise “never trust, always verify,” access is granted only after verification of a user’s identity – ideally using a strong authentication method such as multi-factor authentication (MFA). In the zero-trust model, devices, users, and identities are continuously authenticated before receiving access to resources, systems, or assets. For added security, access is never given to the full corporate network but only to what the user needs according to the principle of least privilege.

Still, successfully implementing zero trust is not without its challenges. As you embark on your own zero-trust journey, be sure to account for these five common obstacles during your strategy planning.

Obstacle 1: Complex Policies

A primary challenge related to the adoption of zero trust is the very fact that it requires organizations to rethink their entire security approach. For businesses currently using traditional perimeter-based security models, adopting the zero-trust model can require significant, and potentially complex, changes to processes and workflows.

Zero-trust access should deliver users directly to the apps and resources they need to work. This improves security and lowers risk, but it requires that organizations map the correct application permissions at the onset of their zero-trust journey to reap the benefits. Understanding user workflows and categorizing users by their access needs is a daunting task, and at scale — e.g., with 10,000 users— it can become quite complicated.

Within your user base, there are a million reasons why a team member may need access to a particular set of resources for a finite amount of time or may need upgrading or downgrading to a new permission set. Critics of zero trust warn that staying on top of these access needs is an impossible task. Fortunately, it doesn’t have to be.

How Cyolo Overcomes this Obstacle

As you progress with your zero-trust initiative, your tool of choice should provide the granularity of control necessary to secure your network without compromising productivity. 

Cyolo PRO is an advanced secure remote access (SRA) solution that is founded on the principles of zero trust. Cyolo PRO offers extended granularity, which enables organizations to complete the mapping process effectively, efficiently, and in ways that align with the least privilege access model. Cyolo PRO can be used to create context and identity-based access boundaries between a user and device to an application, and user-to-application segmentation allows simplified policy management, too.

While this doesn’t cut out the upfront work of categorizing and mapping access onto users, it makes it much easier to maintain control and enforce least privilege access once it’s set up.

Obstacle 2: Weak Identity Management

Even with users categorized by their access needs, organizations often need to grant more flexible access to their network. The security challenge is that this entails extending controls beyond the network perimeter. However, if an organization relies on a single identity verification source or has no federated identity system in the cloud, they may find it hard to implement zero-trust access.

For example, most cloud based Identity Providers (IdPs) require the application to support Security Assertion Markup Language (SAML) or OpenID Connect (OIDC)  protocols. This usually works for most modern applications and for internal employees. However, when an application does not communicate in those languages, or when a third-party contractor or vendor needs access, the workflow grinds to a halt. These situations leave enormous gaps in the identity management space.

Many organizations also struggle to implement effective MFA capabilities to their identity management protocols. MFA solutions significantly reduce risks associated with identity verification by requiring a user to provide more than one form of authentication. Users can be authenticated in three different ways:

  1. By something they know, like passwords.

  2. By something they have, like smart phones or security tokens.

  3. By something they are, like biometric data or geolocation.

Organizations that fail to enable MFA for identity management, especially for remote services, will find it nearly impossible to adhere to zero-trust principles.

How Cyolo Overcomes this Obstacle

Cyolo PRO has an identity provider built-in, so there is no need to have a separate IdP. However, for organizations already using another IdP, Cyolo PRO offers an easy integration. An additional advantage is that Cyolo PRO provides verification for all applications, including legacy and homegrown applications. Whereas some IdPs only support web-based protocols, Cyolo PRO can extend support, including modern identity authentication, to all applications and systems. Additionally, the Cyolo IdP can quickly and securely enroll a third party for Just-in-Time (JIT) access to an application, nullifying the serious risks associated with third-party access. Cyolo PRO also offers application credential sharing with the user through a secure vault inside the customer's trust boundary. 

Obstacle 3: No Support for On-Premise Users and Systems

Many organizations believe that on-premises users are inherently secure, but in the modern cybercrime landscape this is unfortunately far from true. In most cases today, on-premises users are only validated once, after which they can roam around inside the corporate network without being monitored or re-authenticated. Should a bad actor manage to steal the login credentials of an on-premises user or enter in another way, they would potentially have free rein to move laterally and wreak havoc from within. 

To solve this problem, some zero-trust vendors route on-premises traffic to a cloud trust broker, which decrypts, re-encrypts, and sends back the data. This ‘tromboning’ can add latency to user workflows and impose a drag on their productivity. Moreover, the cloud trust broker can become an ideal target for an attacker and, ultimately, a single point of failure.

While the world has embraced the cloud, the need for on-premise security isn’t going anywhere. Cloud-based trust brokers may not work optimally when extending remote policies to on-premise users, resulting in user frustration and reduced productivity.

How Cyolo Overcomes this Obstacle

Cyolo PRO offers the flexibility of being able to deploy on-cloud, on-premises, or in a hybrid environment. Mandated return to office is happening in many industries, and workers will expect to continue using the same workflows they’ve grown accustomed to at home. The ideal secure remote access solution will be able to keep up with users’ needs without introducing friction, no matter where their work takes them (including the good old corporate office!). Cyolo PRO provides the same speed and access to on-prem users as those connected remotely.

Beyond improving convenience for users and increasing productivity by removing latency, Cyolo PRO’s ability to run fully on-premises also makes it an ideal secure access solution for operational technology (OT) environments that may be air-gapped or entirely offline. Many SRA solutions, such as VPNs, are designed exclusively for cloud use and cannot function in offline OT environments, leaving them vulnerable to cyberthreats.

Obstacle 4: Securing Legacy Systems

Every organization uses at least one business-critical legacy system or application that cannot be replaced, modernized, or even paused long enough for a patch or upgrade. While many security vendors will simply leave legacy tools out of their equation, real zero trust means zero exceptions. Extending fundamental security controls to legacy systems is a challenge that secure remote access solutions and strategies can’t ignore. They must position themselves in front of tough-to-secure applications to ensure that only verified and continuously authenticated users can connect to the business’ most critical components.

Legacy systems can also pose network access risks through limited protocol support, sometimes only accessible through deprecated services like Telnet. A complete SRA solution must be able to adapt to the rigid requirements of legacy systems without sacrificing security.

How Cyolo Overcomes this Obstacle

Cyolo PRO was purpose-built to secure all systems, including legacy and even homegrown applications. With Cyolo PRO, organizations can retrofit legacy systems to support modern identity authentication protocols to enforce MFA and deliver single sign-on (SSO). This newly upgraded identity infrastructure then integrates with the Cyolo Identity Access Controller (IDAC) and allows users to connect to all resources and applications – but only after a successful authentication. In this way, users are able to access a mainframe or other legacy system with the same level of identity verification and security they have when accessing their favorite SaaS application.

Obstacle 5: Marketing Confusion and a Lack of Understanding

Much like “digital transformation,” the term “zero trust” at some point morphed into a buzzword that many people talk about without fully grasping its true meaning or scope. Even as zero trust makes its way from marketing fluff into real-world implementations, a lack of understanding or ability to benchmark progress may discourage organizations from adopting the zero-trust model.

Unfortunately, the current vendor landscape doesn’t help. Many services, vendors, and tools that pre-date zero trust are taking advantage of the marketing hype by claiming zero-trust capabilities that they often can’t deliver. This inevitably leads to inappropriate tool selection and shaky implementations. 

How Cyolo Overcomes this Obstacle

Cyolo PRO is built on a distinctive infrastructure that supports true zero-trust security. The solution sits between the network and the application layers and provides least privileged access to valid users without granting network access. Only Cyolo PRO ensures that all customer assets remain with the customer's trusted boundaries, preventing either accidental or malicious exposure via a vendor breach. 

Finally, there are no mixed messages delivered to buyers by trying to position the company as something it is not. Founded by a former CISO and two ethical hackers, Cyolo sought from the outset to create a unified platform that enables users to access all applications, servers, desktops and files, securely and with ease – and this remains our mission today.

Conclusion

Many organizations struggle to implement zero-trust security because they lack needed tools, existing tools are insufficient, or because circumstances like legacy dependencies expose too much risk. 

Cyolo delivers an unrivaled secure remote access solution that empowers organizations of all sizes and complexity to adhere to the zero-trust framework. By shattering the traditional network perimeter and securing today's identity perimeter, companies can blaze a new trail through the digital landscape.

Jennifer Tullman-Botzer

Author

Jennifer Tullman-Botzer is a cybersecurity nerd by day and a history nerd by night. She has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. Jennifer joined Cyolo in 2021 and currently serves as Head of Content. Prior to Cyolo, she worked in a variety of marketing roles at IBM Security. She lives in Tel Aviv, Israel.

Subscribe to Our Newsletter