In this COVID-19 era of relentless uncertainty, Zero Trust is gathering steam.
In a new Gigamon survey of more than 550 enterprise organizations from France, Germany and the U.K., 84 per cent reported seeing a rise in IT threats since the start of 2020, with work-from-home (WFH) cited as the top reason for the escalating risk landscape.
Many companies are turning to Zero Trust to deal with this darkening cybersecurity landscape. In that same Sept. 29 report, 67 per cent of enterprises said they’re adopting or plan to adopt Zero Trust within the next 12 to 36 months.
But is it possible to implement Zero Trust when so much of its successful adoption hinges on employee buy-in and behaviour? At a time when remote work is viewed as one of the biggest challenges to enterprise security, it’s a question worth asking right now.
The Zero Trust model
There were quite a few presentations about Zero Trust at this year’s virtual edition of SecTOR, the annual cybersecurity conference held in Toronto. I opted to livestream a session by Dave Lewis, a SecTOR veteran whose current title is global advisory CISO at Cisco Systems. His main points on Zero Trust were:
- don’t trust something just because it’s inside your firewall
- don’t trust someone just because they work at your organization
Lewis listed five key processes within a Zero Trust model:
- establish trust in user identity
- evaluate trustworthiness of the user device
- enforce access policies for the user-device combination
- enable a secure connection to all applications
- examine user-device activity to detect anomalies
Yet here’s the tricky thing: Zero Trust is not a product or solution you install and deploy. It’s an ongoing, constant process involving technology and human employees at almost every level. That includes every worker’s behaviour, knowledge, training and retraining.
Dave Lewis believes the human part of that equation is not insurmountable.
“Zero Trust is not about blocking people out. It’s about verifying,” he told the virtual SecTOR audience. “Zero Trust doesn’t mean ‘no trust.’ It just means we have to verify trust [of] users, applications and the devices they’re accessing.”
Lewis, whose pre-CISO life included a degree in archeology and classical studies, referenced one of the biggest security breaches of all time in his SecTOR presentation. In 410 A.D., Alaric, king of the Visigoths (no, that is not a Depeche Mode reference), led a three-day attack on Rome that triggered the fall of the Western Roman Empire.
Historian Donald Wasson believes the sacking of Rome was actually an inside job, writing that Alaric entered the gates of the capital “with a little help from inside the city.” Interestingly, Alaric received his military training from the Romans, and even fought alongside them in a previous battle.
The pillaging of Rome, it seems, was a malicious insider hack.
Here in 2020, insider hacks (whether malicious or unintentional) are still tormenting us. In the Gigamon survey mentioned earlier, 33 per cent of enterprise organizations said insider threats are their biggest security concern “due to disengaged employees,” as the survey’s researchers phrased it.
Can Zero Trust protocols address insider threats without eroding trust between the enterprise and its employees, who are increasingly working remotely? In the age of COVID-19, that may be a huge ask.
Will Zero Trust work for workers?
Although 67 per cent of enterprises surveyed by Gigamon already have a Zero Trust plan in the works, those who haven’t bought in said the biggest obstacle to adopting Zero Trust is their own workforce.
“Sixty-five per cent of respondents who decided not to adopt the framework cited wrong company culture as the top reason behind this decision, and getting employees on board (28 per cent) was named the most important thing to have in place before starting the journey towards Zero Trust,” said the report.
According to Gigamon, the biggest challenge to implementing Zero Trust (cited by 40 per cent of enterprises) is “the need for a culture shift.” In the comments section of the survey, some organizations noted that “employees don’t like being questioned, investigated and cross-checked” and said Zero Trust carries a “negative connotation in (its) ‘never trust, always verify’ message.”
A question of trust
The pandemic WFH trend has already chipped away at trust between employees and their bosses. As detailed in Harvard Business Review, when more than 1,200 employees in 24 countries were surveyed in April about WFH during lockdown:
- 24 per cent said their supervisor “constantly evaluated their work”
- 11 per cent said their supervisor/manager “keeps very close tabs on me by frequent checking”
- 34 per cent said their supervisors “expressed a lack of confidence in their work skills”
In short, “many (remote workers) … experienced a strong sense that their supervisor does not trust their ability to do the work,” the Dutch and Australian researchers concluded. For remote staff feeling less trusted during the pandemic, the rigors and scrutiny of a Zero Trust model might be hard to swallow.
None of this means Zero Trust can’t help organizations cope effectively with increased cyber risk during the pandemic. Nor does it mean enterprises should write off Zero Trust as undoable.
It indicates that managers should expect — and prepare for — pushback from employees already doing the best they can, from a kitchen table they never expected to be using as a desk, in a situation none of us ever imagined.