After years in the conceptual ether, zero trust is finally beginning to distill into a practical framework that can be realistically implemented.
Zero trust secures connectivity by eliminating transitive trust. Based on the premise “never trust, always verify,” access is granted only after verification of a user’s identity – ideally using a strong authentication method such as multi-factor authentication (MFA). In the zero-trust model, devices, users, and identities are continuously authenticated before receiving access to resources, systems, or assets. For added security, access is never given to the full corporate network but only to what the user needs according to the principle of least privilege.
Still, successfully implementing zero trust is not without its challenges. As you embark on your own zero-trust journey, be sure to account for these five common obstacles during your strategy planning.
Obstacle 1: Complex Policies
A primary challenge related to the adoption of zero trust is the very fact that it requires organizations to rethink their entire security approach. For businesses currently using traditional perimeter-based security models, adopting zero trust will require significant, and potentially complex, changes to processes and workflows.
Zero-trust access should deliver users directly to the apps and resources they need to work. This improves security and lowers risk, but it requires that organizations map the correct application permissions at the onset of their zero-trust journey to reap the benefits. Understanding user workflows and categorizing users by their access needs is a daunting task, and at scale — e.g., with 10,000 users— it can become quite complicated.
Within your user base, there are a million reasons why a team member may need access to a particular set of resources for a finite amount of time or may need upgrading or downgrading to a new permission set. Critics of zero trust warn that staying on top of these access needs is an impossible task. Fortunately, it doesn’t have to be.
How Cyolo Overcomes this Obstacle
As you seek the right management platform for your zero-trust initiative, your tool of choice should provide the granularity of control necessary to secure your network without compromising productivity.
Cyolo offers extended granularity, which enables organizations to complete the mapping process effectively, efficiently, and in ways that align with the least privilege access model. Cyolo can be used to create context and identity-based access boundaries between a user and device to an application, and user-to-application segmentation allows simplified policy management, too.
While this doesn’t cut out the upfront work of categorizing and mapping access onto users, it makes it much easier to maintain control and enforce least privilege once it’s set up.
Obstacle 2: Weak Identity Management
Even with users categorized by their access needs, organizations often need to grant more flexible access to their network. The security challenge is that this entails extending controls beyond the network perimeter. However, if an organization relies on a single identity verification source or has no federated identity system in the cloud, they may find it hard to implement Zero Trust Network Access (ZTNA).
For example, most cloud based Identity Providers (IdPs) require the application to support Security Assertion Markup Language (SAML) or OpenID Connect (OIDC) protocols. This usually works for most modern applications and for internal employees. However, when an application does not communicate in those languages, or when a third-party contractor or vendor needs access, the workflow grinds to a halt. These situations leave enormous gaps in the identity management space.
Many organizations also struggle to implement effective MFA capabilities to their identity management protocols. MFA solutions significantly reduce risks associated with identity verification by requiring a user to provide more than one form of authentication. Users can be authenticated in three different ways:
By something they know, like passwords.
By something they have, like smart phones or security tokens.
By something they are, like biometric data or geolocation.
Organizations that fail to enable MFA for identity management, especially for remote services, will find it nearly impossible to implement an effective ZTNA architecture.
How Cyolo Overcomes this Obstacle
Cyolo has an identity provider built-in, so there is no need to have a separate IdP. However, for organizations already using an IdP, for instance Okta, Cyolo offers an easy integration. An additional advantage of Cyolo is that it provides verification for all applications, including legacy and homegrown applications. Whereas some IdPs only support web-based protocols, Cyolo can extend support, including modern identity authentication, to all applications and systems. Additionally, the Cyolo IdP can quickly and securely enroll a third party for Just-in-Time (JIT) access to an application, nullifying the serious risks associated with third-party access. Cyolo also offers application credential sharing with the user through a secure vault inside the customer's trust boundary.
Obstacle 3: No Support for On-Premise Users and Systems
Many organizations believe that on-premises users are inherently secure, but in the modern cybercrime landscape this is unfortunately far from true. In most cases today, on-premises users are only validated once, after which they can roam around inside the corporate network without being monitored or re-authenticated. Should a bad actor manage to steal the login credentials of an on-premises user or enter in another way, they would potentially have free rein to move laterally and wreak havoc from within.
To solve this problem, some zero-trust vendors route on-premises traffic to a cloud trust broker, which decrypts, re-encrypts, and sends back the data. This ‘tromboning’ can add latency to user workflows and impose a drag on their productivity. Moreover, the cloud trust broker can become an ideal target for an attacker and, ultimately, a single point of failure.
While the world has embraced the cloud, the need for on-premise security isn’t going anywhere. Cloud-based trust brokers may not work optimally when extending remote policies to on-premise users, resulting in user frustration and reduced productivity.
How Cyolo Overcomes this Obstacle
Cyolo offers the flexibility of being able to deploy on-cloud, on-premises, or in a hybrid environment. Mandated return to office is happening in many industries, and workers will expect to continue using the same workflows they’ve grown accustomed to at home. The ideal zero-trust access solution will be able to keep up with users’ needs without introducing friction, no matter where their work takes them (including the good old corporate office!). Cyolo provides the same speed and access to on-prem users as those connected remotely.
Beyond improving convenience for users and increasing productivity by removing latency, Cyolo’s ability to run fully on-premises also makes it an ideal secure access solution for operational technology (OT) environments that may be air-gapped or entirely offline. Most ZTNA solutions are designed exclusively for cloud use and therefore cannot function in such environments, leaving them vulnerable and preventing a full ZTNA deployment.
Obstacle 4: Securing Legacy Systems
Every organization uses at least one business-critical legacy system or application that cannot be replaced, modernized, or even paused long enough for a patch or upgrade. While many zero-trust vendors will simply leave legacy tools out of their equation, real zero trust means zero exceptions. Extending fundamental security controls to legacy systems is a challenge and zero-trust access solutions and strategies can’t ignore legacy systems. They must position themselves in front of tough-to-secure applications to ensure that only verified and continuously authenticated users can connect to the business’ most critical components.
Legacy systems can also pose network access risks through limited protocol support, sometimes only accessible through deprecated services like Telnet. A complete zero-trust access solution must be able to adapt to the rigid requirements of legacy systems without sacrificing security.
How Cyolo Overcomes this Obstacle
The Cyolo zero-trust access platform was purpose-built to secure all systems, including legacy and even homegrown applications. With Cyolo, organizations can retrofit legacy systems to support modern identity authentication protocols to enforce MFA and deliver single sign-on (SSO). This newly upgraded identity infrastructure then integrates with the Cyolo Identity Access Controller (IDAC) and allows users to connect to all resources and applications – but only after a successful authentication. In this way, users are able to access a mainframe or other legacy system with the same level of identity verification and security they have when accessing their favorite SaaS application.
Obstacle 5: Marketing Confusion and a Lack of Understanding
Much like “digital transformation,” the term “zero trust” at some point morphed into a buzzword that many people talk about without fully grasping its true meaning or scope. Even as zero trust makes its way from marketing fluff into real-world implementations, a lack of understanding or ability to benchmark progress may discourage organizations from adopting the zero-trust model.
Unfortunately, the current vendor landscape doesn’t help. Many services, vendors, and tools that pre-date zero trust are taking advantage of the marketing hype by claiming zero-trust capabilities that they often can’t deliver. This inevitably leads to inappropriate tool selection and shaky zero-trust implementations.
How Cyolo Overcomes this Obstacle
Cyolo is a true zero-trust access provider, providing Zero Trust Network Access in all deployment scenarios and without compromising security. Cyolo sits between the network and the application layers and provides least privileged access to valid users without granting network access. Only Cyolo has a distinctive architecture that ensures all customer assets remain with the customer at all times, preventing either accidental or malicious exposure via a vendor breach.
Finally, there are no mixed messages delivered to buyers by trying to position the company as something it is not. Founded by a former CISO and two ethical hackers, Cyolo sought from the outset to create a unified platform that enables users to access all applications, servers, desktops and files, securely and with ease – and this remains our mission today.
Conclusion
Many organizations struggle to implement zero trust properly because they lack needed tools, existing tools are insufficient, or because circumstances like legacy dependencies expose too much risk.
Cyolo delivers an unrivaled zero-trust access solution that empowers organizations of all sizes and complexity. By shattering the traditional network perimeter and securing today's identity perimeter, companies can blaze a new trail through the digital landscape.
To learn how to achieve meaningful results most quickly with your zero-trust access deployment, download our e-book, “The Complete 3-Step Guide to Implementing ZTNA.”
