Trust is a luxury IT leaders have learned they cannot afford when it comes to identity and access management.
In the past decade-plus, the concept of the traditional network security perimeter has eroded. What has not eroded is the need for organizations to reduce their attack surface and control access. This reality has cemented Zero Trust as a foundational component of cybersecurity. Still, after 15 years, organizations are learning that the path to Zero Trust is not always straight.
"Many think Zero Trust is something you can just buy," says Bob Lyons, Senior Solutions Engineer at Okta. "But it's not a single product; it's a strategic framework and philosophy that requires a combination of policies, processes, and integrated technologies. You can't just purchase a solution and be Zero Trust compliant."
Lyons was Okta's primary technical contributor to Special Publication (SP) 1800-35 from the National Institute of Standards and Technology (NIST), released in June. The document draws on the work of 24 industry collaborators, including Okta, to show how to build a Zero Trust Architecture (ZTA), and it showcases 19 implementation examples built from commercial, off-the-shelf products.
"We're seeing a clear recognition of its necessity, particularly as organizations grapple with increasingly distributed workforces, multi-cloud environments, and sophisticated threat landscapes," says Lyons.
Making Zero Trust a reality, however, is a journey of small steps.
In the beginning, there was trust
Traditional security models assumed that everything inside the network was trustworthy. As breaches became more common, it became clear that a new approach was needed, one that did not blindly extend open-ended trust to users once they had authenticated. That trust-but-verify model was eventually replaced with a more stringent one: never trust, always verify. Zero Trust was born.
Today, the perimeterless nature of business has made Zero Trust table stakes. Yet myths about it persist. Two in particular, says Alper Kerman, one of the co-authors of SP 1800-35: that Zero Trust is a product, and that it is the be-all and end-all of a cybersecurity strategy.
"Zero Trust is not a replacement for existing security measures, but rather a security strategy that needs to be integrated with other security approaches to create a more robust and holistic security posture," says Kerman.
This is the goal of SP 1800-35 guidance: to help organizations as they move down the path of implementation with real-world examples. To get started, NIST recommends that organizations follow these steps:
Discover and inventory the existing environment
Create access policies that support business use cases
Identify existing security capabilities and technology
Use a risk-based approach centered on the value of data to help eliminate policy gaps
Implement Zero Trust components and incrementally leverage deployed security solutions
Verify the implementation to support Zero Trust outcomes
Continuously improve and evolve in response to changes in the threat landscape, mission, technology, and requirements
Integrating Zero Trust principles into existing, often heterogeneous IT environments may be no easy task, Lyons says, adding that cultural resistance to change can pose significant hurdles as well.
"In recent years, the rapid adoption of AI has introduced new facets to these challenges," he says. "While AI offers immense potential for enhancing Zero Trust capabilities through automated threat detection and adaptive access policies, it also presents new attack vectors and data integrity concerns that organizations must proactively address within their Zero Trust frameworks. It's a continuous evolution."
Measuring achievement
Tracking success is critical, and it starts with security leaders establishing a clear baseline of their environment's security posture, Lyons adds. Key metrics to consider, he continues, include the percentage of known threats identified and blocked by Zero Trust controls, the percentage of users who use multi-factor authentication, and the rate at which unauthorized access attempts are successfully denied.
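As an added illustration (not code from the article, from Okta, or from SP 1800-35), the following Python computes two of the baseline metrics named above, MFA coverage and the unauthorized-access deny rate, from a constructed set of sign-in events. The JSON field names, the sample events and the `authorized` ground-truth label (which in practice comes from a policy review, not from the identity provider's log) are all assumptions made for this example.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    user: str
    outcome: str       # "allow" or "deny": the decision that was enforced
    mfa: bool          # a second factor was verified for this request
    authorized: bool   # ground truth from policy review: should this have been allowed?


# Constructed sample events in JSON Lines form (hypothetical; not any vendor's schema).
SAMPLE_LOG = """\
{"user": "alice", "outcome": "allow", "mfa": true,  "authorized": true}
{"user": "alice", "outcome": "allow", "mfa": true,  "authorized": true}
{"user": "bob",   "outcome": "allow", "mfa": false, "authorized": true}
{"user": "bob",   "outcome": "allow", "mfa": true,  "authorized": true}
{"user": "carol", "outcome": "deny",  "mfa": false, "authorized": false}
{"user": "carol", "outcome": "allow", "mfa": false, "authorized": false}
{"user": "dave",  "outcome": "deny",  "mfa": true,  "authorized": false}
{"user": "erin",  "outcome": "allow", "mfa": true,  "authorized": true}
"""


def parse_log(text):
    """Parse JSON Lines into AuthEvent records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append(AuthEvent(rec["user"], rec["outcome"],
                                bool(rec["mfa"]), bool(rec["authorized"])))
    return events


def mfa_coverage(events):
    """Share of users all of whose allowed sign-ins used MFA, plus the users who
    had at least one allowed sign-in without it. Measured per user, not per
    event: one password-only session is a gap even if most sessions used MFA."""
    seen, weak = set(), set()
    for e in events:
        if e.outcome != "allow":
            continue
        seen.add(e.user)
        if not e.mfa:
            weak.add(e.user)
    if not seen:
        return 1.0, weak
    return (len(seen) - len(weak)) / len(seen), weak


def unauthorized_deny_rate(events):
    """Share of requests that policy review says should not be allowed and that
    were in fact denied, plus the requests that slipped through. Each escaped
    request points at a policy that needs tightening."""
    unauthorized = [e for e in events if not e.authorized]
    escaped = [e for e in unauthorized if e.outcome == "allow"]
    if not unauthorized:
        return 1.0, escaped
    return 1 - len(escaped) / len(unauthorized), escaped


def baseline(events):
    """Snapshot of the metrics; rerun on a later window to track progress."""
    cov, weak = mfa_coverage(events)
    rate, escaped = unauthorized_deny_rate(events)
    return {
        "mfa_coverage": round(cov, 3),
        "users_without_mfa": sorted(weak),
        "unauthorized_deny_rate": round(rate, 3),
        "policy_gaps": [(e.user, e.outcome) for e in escaped],
    }


if __name__ == "__main__":
    print(baseline(parse_log(SAMPLE_LOG)))
```

Two design choices matter here. MFA coverage is computed per user rather than per event, because a single password-only session is the exposure regardless of how many other sessions used a second factor. And the deny rate needs a denominator the access log cannot supply on its own: which requests should have been denied. That label has to come from a policy review or a red-team exercise, which is why the metric is only as good as the baseline work behind it.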
"Regular audits and reviews of policies are also vital for adapting to evolving threats and shifting business needs," Lyons says, adding that cultivating a strong culture of security with ongoing employee training will facilitate continuous vigilance.
Kerman says organizations can also track the number of security breaches, threat detection time, and how frequently anomalies and vulnerabilities are discovered due to increased continuous monitoring.
"Analyzing different types of logs and telemetry obtained from the environment can help tighten up security by tweaking existing access policies in place, as well as creating and adding more granular new ones," Kerman says. "ZTAs do become more resilient throughout time by leveraging these types of metrics and different types of logs to strengthen the organization's security posture."
A strategic priority
"Zero Trust isn't just tech; it's strategic," Lyons says.
Organizations should focus their Zero Trust efforts on a critical, high-value asset or a specific network segment. Linking Zero Trust goals to business objectives, he notes, increases the likelihood of getting executive buy-in and the resources needed to make a Zero Trust Architecture a reality.
"For instance, if protecting intellectual property is key, the scope should target R&D environments," Lyons explains. "Aligning Zero Trust with business outcomes helps prioritize efforts and demonstrates clear value."
To learn more about why identity is the new security perimeter, read The ‘superuser’ blind spot: Why AI agents demand dedicated identity security.