Interviews
Zero Trust is Not a Point Solution
Roland Daccache, Systems Engineering Manager for META at CrowdStrike, says to ensure a frictionless Zero Trust journey, organisations should consider using a cloud-native security platform approach
How has the Zero Trust Network Architecture evolved since it was first coined in 2010?
Like many things in our industry, Zero Trust is a concept that can be distorted. For years, vendors have tried to redefine Zero Trust to align with their current product capabilities. But Zero Trust is not a point solution.
It’s about building a defense-in-depth strategy to ensure all assets have identity-based perimeters that are continuously monitored for user behaviors and device attributes to ensure that least-privileged access to enterprise resources is continually enforced. This must happen no matter where users, applications, or devices are located. Zero Trust is fundamentally dynamic and requires a modern approach to security to be effective.
Do you believe that technologies that support Zero Trust are moving into the mainstream?
Yes, and good solutions should make it easy for companies to implement Zero Trust. CrowdStrike, for example, does all of the heavy lifting for enterprise security teams to enforce frictionless Zero Trust with its industry-leading CrowdStrike Security Cloud — the world’s largest unified, threat-centric data fabric to stop breaches. The CrowdStrike Security Cloud processes trillions of events, enabling hyper-accurate attack correlation and real-time threat analytics and response that can scale any deployment model, whether they are multi-cloud or hybrid enterprises that may also run legacy and proprietary applications.
Do you believe that enterprise IT departments today require a new way of thinking because the castle itself no longer exists in isolation as it once did?
Yes, with digital transformation and remote work, IT organizations need to adjust to today’s new way of working. It is vital for IT departments to move away from traditional network security which follows the “trust but verify” method. In the traditional model, users and endpoints within the organization’s network perimeter were assumed to be trustworthy. This put the organization at risk from malicious internal actors and rogue credentials; it also inadvertently granted wide-reaching access to unauthorized users once inside the network.
Zero Trust is often used as an alternative to the virtual private network (VPN) model, which grants total network access to verified users. Given the shift to remote work, the use of VPN is increasingly seen as a cybersecurity risk, as organizations find it more difficult to monitor and analyze network traffic and application use across a wide variety of locations and devices.
How can companies get started with Zero Trust?
Zero Trust can be challenging to implement due to the complexity of the technology stack, cross-departmental organizational challenges, and mapping out a process for budgeting and execution. Although each organization’s needs are unique, I recommend the following three steps to move to Zero Trust:
- Visualize: In this stage, the intent is to understand all of the resources, their access points, and the risks involved. Discover endpoints, identities, and applications, visualize attack paths, and discover and assess multi-cloud workloads.
- Mitigate: In this stage, an organization should be ready to detect and stop threats or mitigate the impact of the breach in case a threat cannot be immediately stopped. At this point, endpoints should be protected, as well as identities, and workloads in real-time with behavioral and real-time analytics. Identities should be automatically segmented and telemetry enriched with threat context and intel.
- Optimize: At this stage, the goal is to extend protection to every aspect of the IT infrastructure and all resources regardless of location without creating a poor user experience (which can lead to non-compliance and lower productivity). The key goal is to deploy conditional access for continuous verification without compromising a positive user experience. Best practices to avoid this include eliminating multi-factor authentication fatigue with risk-based, conditional access even for privileged users, extending multi-factor authentication protection to legacy systems to ensure no-gap coverage, and detecting and responding to threats for public clouds and SSO credentials even if a sensor/agent is not possible to deploy.
To ensure a frictionless Zero Trust journey, organizations should consider using a cloud-native security platform approach to achieve superior protection and performance without the overhead of managing terabytes of data, threat feed, and hardware investment.
What, according to you, are the limitations of Zero Trust?
Zero Trust Network Access (ZTNA) functions as a next-gen VPN replacement in that it ensures that only approved, authenticated users are granted access to an IT environment or resource. At the same time, it does not actively monitor or mitigate threats once a user has been granted access to a trusted zone.
Further, while secure access via ZTNA is a critical component of a comprehensive cybersecurity strategy, it is not effective at stopping modern cyberattacks such as ransomware or supply chain attacks. ZTNA must be combined with a secure access service edge (SASE) solution and other security tools and solutions to ensure complete protection.
In addition, ZTNA does not provide underlying identity protection capabilities, such as gathering activity data or endpoint details. In this way, the ZTNA solution cannot determine a baseline of standard user behavior, making it impossible to detect anomalies or deviations. Finally, most ZTNA solutions require a gateway, similar to what is used by a VPN. This requires careful planning to ensure the strongest possible protection without introducing significant friction within the user experience that could prevent valid users from accessing the tools and resources they need to perform their jobs.
