Zero trust promises better security in a highly interconnected world, but many of its tenets contradict entrenched practices and ideas. Getting beyond MFA into a true zero trust environment isn't an incremental change; it's a radical restructuring of how resources are secured and accessed.
- Encrypt everything - True end-to-end encryption means that data packets can't be inspected for malware between the source and destination. Are your endpoints ready? Can your policies adapt?
- Micro-segmentation - Preventing lateral movement of an attacker requires breaking up the smooth flow of data across a network. But segmentation is inherently inefficient. Is your network able to meet the need for speed?
- Deny all by default - Users are all in favor of security, until it impacts their ability to work. If access is denied by default, do you have processes in place to quickly approve access when needed? Are the users (including those in the C-suite) on board?
- Continuous authorization - Using trust scores works well in white papers, but do you know what the rules governing access to your resources really are? Does your IT department have the authority to drop a user mid-transaction because of a change in their trust score? Have you decided what your risk tolerance is?