Today, most of us are on the same page that zero-trust is the way forward to obtain maximum security in line with today’s technology. We have addressed the need for it and how one can imbibe this philosophy into their corporate ecosystem in a previous blog. You can give it a read if you want to understand Zero trust better.
Zero trust policy is surely a technology revolution. Yet, when it comes to introducing something which can possibly change how an organization functions, it is often met with some amount of resistance from its people.
Questioning and seeking explanations is in the innate character of people. Why should I pay taxes? Why should I have a correct posture? Why should I follow traffic rules? The explanation to these questions simply resonates with the fact that if you don’t—you are bound to have repercussions. Yet, it is in explaining these repercussions will you completely understand it and further reap its benefits.
Likewise, simply stating that you are at threat would not nullify the resistance. Your people, including the decision-makers, must believe in the philosophy of Zero Trust and be agreeable with the changes it brings in as well as made aware of the convenience and benefits it would bring them to pique their interest and most importantly—their confidence.
Now that we understand that resistance is justified, this simple read shows the people perspective to make Zero Trust Policy successful.
How Zero Trust Policy may bring apprehension:
Zero-trust basically means ensuring internal threats are regarded with the same alert as external and make the changes necessary to set up granular perimeters within an organization’s internal network. Micro-segmentation essentially makes silos of segments inside a network and encapsulates each segment with security. While this enables organizations to have fine-grained levels of security, it also means that employees are restricted to the segments assigned to them and require an additional process in order to move beyond it.
2. Verifies who and what:
With a motto to “Always verify, never trust”, zero trust policy itself entails verifying every individual’s access to the applications they use. It also means verifying not only the user but also the device with which access is requested, it can be the user’s personal device, workloads, machines, etc. Multi-factor authentication is used to verify these users. A user might find this a cumbersome task to remember the additional details to gain access or to simply go through an additional step.
3. Least privilege for everyone
Zero trust employs the policy of limiting the access of users to just as much as they need. A data risk report stated that 58% of companies have over 100,000 folders open to everyone—this alarming number signifies that a lot of access is open to all the employees—which further allows these accesses to be severely misused. Least privilege as a part of the zero-trust approach leaves no room for additional privilege. Sometimes, this might irk employees as the previously available free flow of access is no longer the reality and instead, they might look at it as a resistance—which in fact is quite the opposite when the Zero trust security model is incorporated effectively with the right workflows.
4. Stringent security policies
To ensure successful implementation of zero trust architecture, stringent security and access policies must be in place. Rule-based role access, governing, and automating the provisioning of this access is an essential aspect of this architecture. Also, access certifications/reviews to ensure the accesses are regularly monitored, accesses are provided in a timely manner, and revoked when no longer needed are imperative. If the multi-level workflows are not provided in a simple, seamless manner—it can result in a lot of friction to an employee’s everyday productivity. This amplifies the need to have an effective Identity and Access Management (IAM) solution which can accelerate the efficiency of your zero-trust policy.
New changes bring apprehension. Yet, there are several ways to ensure that apprehension lasts for as little time as possible. Including your employees when you start this zero-trust approach is an important aspect of it along with highlighting the advantages they are going to experience.
What employees gain with zero trust:
1. Enhances mobility experience
While zero trust calls for verification of identities at every device, it also ensures that your identity is not taken advantage of. When employees use multiple devices, it ensures that all the devices which fall under the ownership of the single user have unified policies. Thus, the user does not have to ensure separate security policies across each device which can leave room for flaws and open for attacks.
2. Application security with ease
You spend a significant amount of time building applications. This also means there are several steps to go through before an application is ready to be rolled out. Hence, when micro-segmentation is done, it protects every granular level—this implies that the employees need not spend a lot of time in ensuring the various silos of application development for ideation to deployment are secured—they are perpetually secured in an automated manner—further increasing employee productivity.
3. New responsibilities are handled with ease
It is no longer a world where people are subject to one role. Roles and responsibilities are constantly changing and updating, people learn newer skills online—imbibe them into their current role and are capable of handling several responsibilities. Also, there is a need for people to start being productive with their new roles and responsibilities in no time—there is no time to warm up. With an efficient zero-trust, employees are segregated into their roles and are provided access to applications they are entitled to in no time. This also means there is no room for access being misused in someone else’s identity.
While setting up the workflows, employee engagement is mandatory to map the business flows. This ensures there is no friction to their workflows once automated. This also helps in understanding the key areas in the flows for an application to run successfully, thus mitigating any risk of outages.
Having a real-time track of all the accesses, with regular campaigns for access reviews ensures that compliance needs are met which further allows organizations to obtain necessary certifications.
4. Reconnaissance phase of hackers nullified
Typically, a hacker spends a significant amount of time trying to break into a network using methods like credential stuffing and phishing. According to a study, the average time to identify a breach across all industries is 197 days. Within this amount of time, a staggering amount of data can be stolen. With zero-trust architecture in place, this “reconnaissance” phase of hackers can be nullified as they don’t just have to break into an external network—they have to break through several internal networks. This saves the business from possibilities of a data breach, loss of momentum due to the breach and maintains the overall health of the business. This lets the stakeholders understand the magnitude of risks that are looming today and how zero-trust policy can secure them.
5. Ease of security and use
The work environment today is no longer conventional. People can collaborate over different time zones, work remotely from anywhere, and still be productive. 69% of millennials state that they would trade other work benefits for flexible workspace options. Yet, 86% of business executives agreed data breaches are more likely to occur when employees are working out of the office. This brings in an evident conflict of interest which can only be resolved with secure remote work options. With a zero-trust policy—the employee’s identity is secured and takes the pressure off the user. Using intelligent analytics based on the user’s IP address, location, device, and usual behavior—the level of risks is identified which decides the level of authentication required to verify the user. This keeps the employee as well as the employer content.
6. Allows digital transformation
Businesses are rapidly evolving, and digital transformation is essential. When organizations are constantly worrying over keeping their networks and data secure, it impairs their ability to be their productive best. With a zero-trust policy, people can place their trust in the architecture to ensure real-time safety and focus on providing viable solutions as soon as possible.
Irrespective of the advantages of zero-trust policy, changes take some amount of time for people to adjust and co-operate. According to a study, on average, it takes 66 days before a new behavior becomes automatic—now add this with the intensity associated with the aspect of security. Any organization must understand that it is in the complete willing participation of employees that an initiative can be a success.
While embracing a zero-trust policy, besides telling about why it is necessary, you must also empower your employees with the knowledge of how it is going to be done and how big of a role they play in making it a success. According to a security practices report, 40% of data breaches were caused due to employee negligence, and another survey showed that 72% of security incidents, especially in financial services organizations were either by a current or former employee. Such facts and figures must be provided to them to get them on the same page as you are so that they see your side of concern.
They must also be made aware of how their unintentional bad security practices can lead to an organizational breach—following best practices in password usage and their everyday interactions with the web are essential in ensuring their digital identities and in turn the organization is secure. The people in your organization must know that it is more than just verifying them for every access, it is verifying to ensure their identity is not misused.
The people in your organization must know for certain that when you say zero-trust, it is not a philosophy of an organization doubting its people, it is about people ensuring their digital identities are always within the realm of trust.