The Argument Against Zero Trust: Is It Valid?
You may come across skeptics of the Zero Trust model who argue that it’s an impractical solution. But do the negatives truly outweigh the positives?
With the rise of the Internet of Things (IoT) and the proliferation of connected devices, organizations of all sizes are searching for new ways to protect themselves against bad actors looking to take advantage of vulnerabilities.
While there are a variety of approaches to help you stay cybersecure, the Zero Trust model has emerged as a highly effective solution. Zero Trust is a security framework based on the premise that you cannot trust any user or device trying to connect to your network. As a result, it requires that all users — whether they’re inside or outside your organization’s network — are authenticated, authorized, and continuously validated for security configuration. Only then are users or devices granted access or allowed to maintain access to a network’s data and applications. This continuous monitoring and validation is designed to ensure that anyone accessing your network has the necessary attributes and privileges to access it at that given time.
Yet, as is often the case with new solutions, some IT leaders have made arguments against the Zero Trust model. In this article, we’ll walk through some of these arguments and see if they hold any merit.
The Arguments Against Zero Trust
The following are arguments often made against Zero Trust. Here’s what you need to know to stay fully informed.
One of the biggest concerns people raise about switching to a Zero Trust model is the issue of technical debt. Technical debt is generally defined as the accumulated cost in both effort and actual work caused by choosing quicker solutions when you need to perform system upgrades. With each shortcut you take over time, your technical debt grows.
Simply put, the amount of work you will need to do to upgrade and update your systems when the time eventually comes to perform a large-scale digital transformation increases exponentially each time you kick the can down the road. Technical debt is typically an issue for both legacy systems and for custom applications, which are rarely fully transformed given all the work that goes into redesigning, recoding, and redeploying them each time you want to update your system.
For organizations that have accumulated a lot of technical debt over the years, the prospect of having to finally settle that debt in order to create a functional Zero Trust architecture can seem daunting. The amount of work that would be required is the biggest reason people often bring up technical debt as an argument against Zero Trust — often forgetting the fact that technical debt can itself be seriously costly because it stands in the way of both network and security transformation.
Another common concern skeptics of Zero Trust may raise is that legacy applications, operating systems, and infrastructure won’t work with the framework, meaning that implementing Zero Trust will require a serious financial investment and a switch to more modern systems. This is a common worry when it comes to any digital transformation, especially those tied to security. That’s because legacy security architectures typically stack their security devices as a perimeter around geographically fixed locations that contain data centers. These systems are not aware of lateral movement or least privilege, and their authentication models are not sufficiently dynamic to support Zero Trust. A Zero Trust implementation typically requires a layered (or “wrapper”) approach to check privilege and authenticate both devices and users — something that can seem impossible to implement using legacy systems.
For those who oppose Zero Trust, the argument is that the cost of updating those systems is more significant than the value of maintaining security.
The prevalence of peer-to-peer (P2P) communication models is another point of concern for those opposed to Zero Trust. P2P systems are extremely prevalent in wireless mesh networks and Windows operating systems and are often automatically turned on without organizations even realizing they have them in place. These systems disrupt the Zero Trust framework since they communicate in a decentralized manner, sharing data with little to no verification. That breaks the micro-segmentation and least privilege models used in Zero Trust.
The good news is that it’s possible to work around these concerns with a quality cybersecurity partner who can check if you can turn off P2P and connect you to solutions that will increase security.
Maintenance may seem like a more minor issue than some of the others discussed above, but it still makes up one of the major arguments against Zero Trust. Unlike some security solutions that can be configured, deployed, and then left unmanaged for long periods, Zero Trust is an approach rather than a single solution, so it requires ongoing management to attain continuous protection.
Given that your business is continuously changing, the only way to ensure your Zero Trust framework continues to maintain security across those changes is through ongoing administration that includes updating access controls, keeping permissions accurate, and more. In the long term, this regular maintenance can become costly and time-consuming.
Debunking the Arguments Against Zero Trust
While each of the above arguments against Zero Trust has reasonable points, it’s important to remember that many of these challenges would hold true for any quality security solution or approach — not just Zero Trust. The cost of addressing technical debt and upgrading legacy systems can seem daunting, but it’s actually a small price to pay considering the massive increase in security you get in return.
Organizations should think of these costs not as pure expenses, but rather as investments in security similar to installing a firewall or implementing encryption. Plus, upgrading those old systems will have far-reaching benefits when it comes to broader digital transformation, allowing your business to take advantage of other new developments.
Further, it’s important to note that technical debt and legacy systems don’t actually prevent you from implementing Zero Trust. In fact, though it’s true that a Zero Trust implementation typically requires a layered (or “wrapper”) approach to check privilege and authenticate devices and users that may not be possible with every old system, you can still implement the framework with your legacy systems. You’ll just need to handle a bit more of the monitoring yourself instead of letting your systems take care of it automatically.
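As an added illustration (not code from TTI or any product named in this article), the sketch below shows one shape the “wrapper” approach can take in front of a legacy application: every request is re-checked for fresh authentication, current device posture, and a least-privilege grant, and every decision is logged because the legacy system cannot do that monitoring itself. The roles, paths, and time limits are constructed for the example, and request paths are assumed to be already normalized.

```python
import time
from dataclasses import dataclass

# All names, roles and thresholds below are constructed for illustration.
MAX_AUTH_AGE = 900       # seconds before the user must re-authenticate
MAX_POSTURE_AGE = 300    # seconds before device posture must be re-checked

# Least privilege: each role lists the only (method, path prefix) pairs it may use.
ROLE_GRANTS = {
    "payroll-clerk": [("GET", "/payroll/"), ("POST", "/payroll/run")],
    "auditor": [("GET", "/payroll/"), ("GET", "/ledger/")],
}

@dataclass
class Request:
    user: str
    role: str
    device_id: str
    method: str
    path: str               # assumed already normalized by the front end
    auth_time: float        # when the user last authenticated
    posture_time: float     # when the device last passed a posture check
    posture_ok: bool        # result of that check (patched, encrypted, ...)

AUDIT_LOG = []  # the monitoring the legacy system cannot do for itself

def decide(req, now=None):
    """Return (allowed, reason); evaluated on every request, never cached."""
    now = time.time() if now is None else now
    if now - req.auth_time > MAX_AUTH_AGE:
        verdict = (False, "authentication expired")
    elif not req.posture_ok or now - req.posture_time > MAX_POSTURE_AGE:
        verdict = (False, "device posture failed or stale")
    elif not any(req.method == m and req.path.startswith(p)
                 for m, p in ROLE_GRANTS.get(req.role, [])):
        verdict = (False, "not granted to role")
    else:
        verdict = (True, "ok")
    AUDIT_LOG.append((now, req.user, req.device_id, req.method, req.path, *verdict))
    return verdict

def forward_to_legacy(req, legacy_handler, now=None):
    """Wrapper: the legacy app is reachable only through this function."""
    allowed, reason = decide(req, now)
    return legacy_handler(req) if allowed else f"403 {reason}"
```

The wrapper only provides protection if the legacy application accepts connections from nowhere else; a direct network path to it bypasses every check above.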
The plain fact is that the challenges of Zero Trust are outweighed by the benefits of the security framework. Zero Trust delivers a greater level of user identification and access security than other measures. By assuming that any user or device could be a threat, Zero Trust reduces the chances of a bad actor managing to get through to access your data.
If you’re concerned about implementing a Zero Trust model, remember that you don’t need to do it alone. TTI is here to help you navigate these challenges, from technical debt and legacy systems, to P2P communications and system maintenance. Remember: implementing Zero Trust is far easier (and cheaper) than recovering from a successful security breach.
Making the Most of Zero Trust
If you’re ready to start making the most of the strengths offered by Zero Trust, you need a device discovery solution that will let authorized users in while keeping bad actors out. Aruba ClearPass Device Insight is that solution. The AI-powered device discovery and profiling tool gives you a complete view of your network and everything on it. It collects network traffic and extracts key device attributes — including applications accessed, ports, protocols, and volume — and uses that information to fingerprint each device based on its actual behavioral attributes. This process ensures that every device and user that touches your network is properly vetted.
If you’re looking to implement a successful Zero Trust policy, the experts at TTI can deliver all the support you need to get your network, applications, and systems ready for the new framework. Contact us today to learn how TTI can help keep your network cybersecure.
By Craig Badrick