What are the country’s teething technical challenges and missteps in zero trust implementation? CybersecAsia.net interviews an expert for the answers…

As the adoption of zero-trust frameworks continues to grow, organizations in India are still grappling with integration challenges when implementing this approach.

Despite an increase in organizations here deploying zero trust strategies, the number of complete implementations has actually decreased, according to Fortinet.

In a recent interview with CybersecAsia.net, the firm’s Senior Director of System Engineering (India & SAARC), Michael Joseph, shed light on the factors contributing to these challenges.  

CybersecAsia: Why do organizations still face integration challenges in implementing zero trust? 

Michael Joseph (MJ): According to our own research, zero trust is more complex than anticipated, with challenges arising from integrating multiple point solutions.

Zero trust implementation challenges arise due to the limitations of remote-only Zero Trust Network Access (ZTNA) solutions. These solutions fail to support hybrid work models effectively, leading to separate policies for remote and on-premises users. However, true zero trust requires a consistent access policy that follows users regardless of their location.  

CybersecAsia: What are some of the key factors or barriers that contribute to these integration challenges?  

MJ: The complexity of networks (with applications spread across cloud and on-premises environments), combined with users transitioning between home and office, can contribute to the integration challenges.

Furthermore, many vendors primarily focus on cloud-only solutions, leaving organizations with little guidance for implementing zero trust across diverse environments.

To overcome these barriers, organizations need zero trust solutions designed to span multiple environments, integrating networking, security, and access into a unified framework. This approach allows for the seamless extension of zero trust to all users and applications, while ensuring end-to-end visibility and control.

CybersecAsia: In which specific areas or stages of the integration process do organizations commonly encounter the most difficulties?  

MJ: Implementing zero trust for non-user-associated devices, known as zero-trust access (ZTA), presents a significant challenge.

As more enterprises adopt headless network-connected devices such as sensors and IoT devices, integrating them into the zero trust framework becomes essential. Network access control solutions are crucial for discovering and controlling access of these devices. By applying zero trust principles and granting the minimum necessary access, organizations can secure non-user-associated devices and prevent potential cyber threats. 

CybersecAsia: From your perspective, what are the common misconceptions or mistakes organizations make that could result in integration challenges?

MJ: The terminology used in the zero trust domain often causes confusion. Different vendors use the term “zero trust” to mean different things.

Furthermore, “zero trust access” (ZTA) and “zero trust network access” (ZTNA) are often used interchangeably, further complicating matters.  

It is important to understand each vendor’s specific definition when discussing zero trust solutions.

Zero trust focuses on deriving trust from a mix of identity and context-based aspects, while ZTA emphasizes controlling network access based on user roles, and ZTNA revolves around application access as an alternative to VPNs.

CybersecAsia: Based on your experience, what critical components or best practices should organizations consider to implement zero trust smoothly? 

MJ: Organizations can adopt a holistic approach to zero trust, prioritizing visibility and control of all users and devices on and off the network.

Instead of adopting a piecemeal approach, they need to prioritize integrated solutions that cover zero trust, NAC, segmentation firewalls, and multi-factor authentication, simplifying management and minimizing security gaps, via the following key practices:

  • Discover and identify devices: Implement network access control solutions to discover and identify devices seeking access to the network.
  • Segment the network: Utilize micro-segmentation to assign devices to appropriate network zones based on factors such as device type, function, and purpose. Intent-based segmentation needs to align with specific business objectives.
  • Identify users and roles: Establish user identity and roles within the organization, applying a ‘least access policy’ that grants access based on user roles and provides additional access on a case-by-case basis. Also, integrate authentication and authorization solutions with the network security infrastructure for automated enforcement.