Can Zero Trust Live Up To Its Promise? Unpicking The Latest NSA Guidance

Zero trust (ZT) has been hailed as the paradigm shift that could finally turn the tide against rising cybercrime. But despite growing industry consensus and a presidential order mandating all US agencies adopt it this year, many organizations seem stuck.

Gartner predicts that just 10% of large enterprises will have a mature zero trust program in place by 2026. Now, a report from America’s National Security Agency (NSA) offers practical advice for firms struggling to develop a workable zero trust implementation plan.

Is it enough to break the logjam? We unpick the NSA’s recommendations, speak to industry experts, and suggest five ways firms can move their zero trust architecture ambitions from roadmap to reality.

Key Takeaways

  • The NSA has published new guidance to help firms implement the ‘network and environment’ pillar of zero trust.
  • As the cost and frequency of cybercrime continue to grow, the standard enterprise defensive posture needs to change.
  • There are significant challenges to bringing zero trust to life, but the benefits make it a journey worth taking.

What Is Zero Trust Architecture?

Zero trust starts from the premise that relying on a strong perimeter to keep cybercriminals out is fundamentally flawed. It assumes bad actors are already inside — actual hackers and the error-prone employees who let them in.

To that end, zero trust treats every login, file access, or use of network resources as a potential breach.

Applied across seven pillars of trust, it comes closest to achieving what military planners call ‘defense in depth,’ a system of multiple barriers and backstops that stop intruders from penetrating deep into the defended territory.

Haider Iqbal, Identity and Access Management Product Marketing Director at Thales, told Techopedia:

“Zero trust involves a complete paradigm shift from legacy enterprise security approaches to more modern decentralized and cloud-first approaches.”

It’s understandable that adoption has been sporadic, he adds, because zero trust “isn’t a specific type of certification that can be measured. It’s not a singular piece of technology or a security control that can be plugged in.”

The US National Security Agency’s Seven Pillars of Zero Trust. Source: NSA

But here’s the thing: zero trust is a model — not a technology. The correct mix of applications, platforms, and devices depends entirely on the needs of each organization.

It’s comprehensive, strategic, and customized, or, put another way, complex and expensive. Despite a 2021 executive order by President Joe Biden mandating that all US federal agencies move to zero trust by 2024, it hasn’t yet achieved liftoff.

Why Is Zero Trust Architecture in the News?

According to IBM, the average cost of a cyber attack reached $4.45 million in 2023, a 15% increase over three years. Cybersecurity Ventures reckons the global cost of cybercrime last year was a whopping 8 trillion USD, heading for 9.5 trillion in 2024.

In March, the NSA published advice for implementing zero trust in the Networking pillar. Enterprises need to be worried about lateral attacks, the agency says, as hackers get better at sneaking in unnoticed and then lurking around for days, weeks, and even months as they seek valuable information to exfiltrate.

John Kindervag, who coined the term ‘zero trust model’ back in 2010, recently wrote that the NSA’s latest guidance “reaffirms the value of network security technologies in establishing any zero trust environment.”

Sean Frazier, VP, Federal CSO at Okta, said:

“Cyber attacks are continuing to increase, and the impact of them is more damaging for all types of organizations.”

The firm’s State of Zero Trust Security report says 61% of organizations have a defined zero trust initiative in place, but “there is still a significant need for the rate of adoption to increase, and for companies to continue to update their processes as threat actors find new ways to infiltrate systems.”

The NSA’s Key Recommendations for Zero Trust Implementation

The NSA's Zero Trust Maturity Model. Source: The NSA’s Cybersecurity Information Sheet (CSI)
  1. Accept That a Breach Is a Matter of When, Not If

    Hackers are creative and well-organized – even the professionals sometimes struggle to protect themselves. Organizations need measures to hinder attackers once a breach occurs.
  2. Map Data Flows

    Moving to zero trust starts by mapping existing network data flows to understand who is using which tools, applications, and information assets.
  3. Break Up Networks into Segments

    One of the key measures to stop lateral attacks is to break up networks into macro and micro segments. In practical terms, this means tightly controlling the access permissions employees have.
  4. Move to Software-Defined Networking

    When a breach inevitably happens, reaction time is a factor, one reason why software-defined networking (SDN) is a vital component. It enables networks to lock down quickly when a potential break-in occurs.
  5. Embrace Zero Trust As an Ongoing and Adaptive Process

    The move to zero trust won’t be a one-off project but a process of continual improvement and adaptation as the threat surface evolves. Enterprises will need to revisit and modify as new challenges arise.
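Steps 2 and 3 above can be made concrete with a small sketch. This is an added example, not code from the NSA guidance or from this article: it collapses host-level flow records into a segment-to-segment flow map, then checks each flow against a default-deny segmentation policy. The segment names, CIDR ranges, allowed tuples, and flow records are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed segment map (assumption): names and CIDRs are illustrative.
SEGMENTS = {
    "workstations": "10.10.0.0/16",
    "app-servers":  "10.20.0.0/24",
    "databases":    "10.30.0.0/24",
}
# Default-deny policy: only these (src segment, dst segment, port) tuples pass.
ALLOWED = {
    ("workstations", "app-servers", 443),
    ("app-servers", "databases", 5432),
}
# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.10.4.21", "10.20.0.15", 443),
    ("10.10.4.21", "10.20.0.15", 443),
    ("10.20.0.15", "10.30.0.8", 5432),
    ("10.10.7.99", "10.30.0.8", 5432),   # workstation straight to database
    ("10.10.4.21", "10.10.7.99", 445),   # workstation to workstation
    ("192.0.2.50", "10.20.0.15", 22),    # source outside every segment
]

_NETS = [(name, ipaddress.ip_network(cidr)) for name, cidr in SEGMENTS.items()]

def segment_of(ip):
    """Return the segment name for an address, or 'unmapped' if none contains it."""
    addr = ipaddress.ip_address(ip)
    for name, net in _NETS:
        if addr in net:
            return name
    return "unmapped"

def map_flows(flows):
    """Step 2: collapse host-level flows into a segment-to-segment flow map."""
    return Counter((segment_of(s), segment_of(d), port) for s, d, port in flows)

def violations(flows, allowed=ALLOWED):
    """Step 3: any flow not explicitly allowed is a violation, including
    traffic between two hosts inside the same segment."""
    return [f for f in flows
            if (segment_of(f[0]), segment_of(f[1]), f[2]) not in allowed]

if __name__ == "__main__":
    for (src, dst, port), n in sorted(map_flows(FLOWS).items()):
        print(f"{src:>12} -> {dst:<12} port {port:<5} flows={n}")
    for f in violations(FLOWS):
        print("DENY", f)
```

The workstation-to-workstation flow is flagged even though both hosts sit in one macro segment, which is the gap micro-segmentation is meant to close.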

Facing Up to Zero Trust Challenges

What will it take to accelerate zero trust adoption? There are significant hurdles to jump:

Complexity: ZT isn’t a tool you can buy or a category of solutions. It’s an approach, a mindset — an aspiration. Building a customized, seven-pillar solution takes time, patience, and a C-suite sponsor.

Legacy Technology: Existing systems may have to be integrated into a new ZT architecture. Retrofitting legacy tech to comply with zero trust principles could require significant resources.

Visibility of Data Traffic: Zero trust can only work if an organization has complete, granular visibility of the traffic flowing into, out of, and across the network. Achieving that can be challenging, especially in multi-cloud or hybrid environments.

Add to that shortlist concerns about culture change, employee experience, cost, skills shortages, integration, compatibility, compliance, scalability, and more. Zero trust can seem like a mountain to climb. But some see clear signs of progress.

Drew Epperson, VP of Federal Engineering for the US Public Sector at Palo Alto Networks, told Techopedia that zero trust adoption is gaining traction.

“There are definitely cases where organizations are not as mature as they would like to be, but in our experience everyone has started the journey and made progress.”

Epperson says legacy technologies can be a real source of struggle. The answer is to take a platform approach.

“Attempting to integrate 5, 10, or 50 security products into an end-to-end Zero Trust architecture is a losing battle. We have to consolidate and adopt industry leading platforms that provide the functionality required in a natively integrated platform.”

The Bottom Line

Okta’s Sean Frazier says zero trust “is never a completed task.”

It needs to evolve as the threat landscape changes and threat actors find new ways to effectively hack companies.

Given the lack of finality and the number of pillars that need to be addressed, it’s no surprise that zero trust hasn’t fully arrived. Some of the resistance could even be emotional.

In a time when tech is focused on collaboration, sharing, partnership, and even co-opetition, ZT grates against the zeitgeist. When bringing your own device (BYOD) is the corporate norm, suggesting that employees become a business risk every time they open an app or access a file feels a bit rude.

Still, Doug Winzell, a Cyber Security Consultant at Eidolon Associates, believes the NSA has made a welcome intervention. He told Techopedia:

“The lack of adoption of security frameworks has been missing in the Zero-Trust journey. Most systems today are interconnected and available over the web. Zero Trust takes security to the Cloud and the edge.”

Mark De Wolf
Tech Writer

Mark is a freelance tech journalist covering software, cybersecurity, and SaaS. His work has appeared in Dow Jones, The Telegraph, SC Magazine, Strategy, InfoWorld, Redshift, and The Startup. He graduated from the Ryerson University School of Journalism with honors where he studied under senior reporters from The New York Times, BBC, and Toronto Star, and paid his way through uni as a jobbing advertising copywriter. In addition, Mark has been an external communications advisor for tech startups and scale-ups, supporting them from launch to successful exit. Success stories include SignRequest (acquired by Box), Zeigo (acquired by Schneider Electric), Prevero (acquired…