Tenable Blog

Tenable and the Path to Zero Trust

The simplicity of the zero-trust concept belies the complexity of implementing it in most large organizations. Here are four factors to consider before you begin the journey.

Zero trust, a cybersecurity concept first introduced by Forrester in 2010, is emerging as the answer du jour for a wide range of challenges facing today's digital enterprise. It accommodates the perimeter-busting work-from-home trend necessitated by the COVID-19 pandemic. It addresses the fundamental issue exposed by the SolarWinds breach: once an attacker holds a trusted position inside the perimeter, a perimeter-based model rarely challenges that trust again. And it complements the cloud-based infrastructure, platforms and applications that are fundamental to digital transformation.

Prior to COVID-19, you could say the world was trundling toward a zero-trust future at a speed of about 10 mph. In the post-COVID era, we find ourselves barreling toward zero trust at a pace that feels more like 90 mph.

The premise of zero trust is relatively straightforward. According to the U.S. National Institute of Standards and Technology (NIST), zero trust is "a cybersecurity strategy that focuses on moving network defenses from wide, static network perimeters to focusing more narrowly on dynamic and risk-based access control to enterprise resources, regardless of where they are located." 

While we at Tenable agree that the realities of today's work environment have rendered the notion of a perimeter obsolete, we also believe the simplicity of the zero-trust concept belies the complexity of implementing it in most large organizations. The Zero Trust Progress Report, released in February 2020 by Cybersecurity Insiders and Ivanti (formerly Pulse Secure), surveyed 400 cybersecurity professionals and found 47% lack confidence applying a zero-trust model to their organization's security architecture. 

In its August 2020 report, Implementing a Zero Trust Architecture, NIST debunks the "misconception that zero trust architecture is a single framework with a set of solutions that are incompatible with the existing view of cybersecurity." Instead, the agency advises that zero trust should be viewed as "an evolution of current cybersecurity strategies." The report further articulates three key challenges:

  1. No single solution exists for zero trust; instead, it requires integrating many different technologies of varying maturity. Indeed, The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q3 2020 evaluated the top 15 providers. NIST states: "The spectrum of components within the wider enterprise is vast, with many products focusing on a single niche within zero trust and relying on other products to provide either data or some service to another component (e.g., integration of multifactor authentication for resource access)."

  2. Migrating an existing IT ecosystem, particularly one with legacy applications and systems, requires investments in time, resources and technical ability to retool them to adhere to zero-trust principles. We believe the resource investment required makes adhering completely to a zero-trust model across an enterprise simply not possible today. Further, NIST notes that a lack of standards makes it difficult for organizations to assess the compatibility of various products, and therefore to build a five-year roadmap.

  3. Security concerns, such as a compromise of the zero-trust architecture control plane, must be thoroughly assessed and vulnerabilities identified and mitigated. In our view, no organization should begin a zero-trust journey without first nailing the basics of cyber hygiene. According to NIST, "An enterprise should reach a baseline of competence before it becomes possible to deploy a significant [zero trust-focused] environment. This baseline includes having assets, subjects, business processes, traffic flows and dependency mappings identified and cataloged for the enterprise. The enterprise needs this information before it can develop a list of candidate business processes and the subjects/assets involved in this process." We believe this baseline requires full visibility into the entire attack surface, continuous dynamic monitoring of assets and user permissions and the means to prioritize remediation based on risk.


Getting started on the zero-trust journey: consider these four factors 

Describing the implementation of zero-trust architecture as a "journey," rather than a wholesale replacement of infrastructure or processes, NIST predicts that "most enterprises will continue to operate in a hybrid zero-trust/perimeter-based mode for an indefinite period while continuing to invest in ongoing IT modernization initiatives." 

No matter where you are on your zero-trust journey, we believe the four functional components of NIST's zero-trust model also serve as the building blocks of a sound cybersecurity strategy:

  1. Data security, including all the data access policies and rules used to secure information, and the means to protect data at rest and in transit. 

  2. Endpoint security strategy, technology and governance to protect servers, desktops, mobile phones, IoT and operational technology (OT) devices from threats and attacks, as well as to protect the enterprise from threats from managed and unmanaged devices.

  3. Identity and access management, including the strategy, technology and governance for creating, storing and managing enterprise user accounts and identity records and their access to enterprise resources. 

  4. Security analytics, encompassing all the threat intelligence feeds and traffic/activity monitoring for an IT enterprise and continuously monitoring those assets to actively respond to threats or malicious activity. 
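To make the NIST definition quoted earlier concrete, here is a per-request access decision that consults all four components listed above and deliberately ignores where the request comes from. This is an added illustration, not Tenable's or NIST's code; the field names, thresholds and sample subjects, devices and resources are assumptions constructed for the example.

```python
"""Per-request, location-independent access decision (added illustration).

Inputs map to NIST's four functional components: Subject (identity and
access management), Device (endpoint security), Resource (data security)
and Signals (security analytics). All names and thresholds are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # re-authenticate with a stronger factor, then retry
    DENY = "deny"


@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset
    mfa: bool                      # this session was authenticated with MFA


@dataclass(frozen=True)
class Device:
    managed: bool                  # enrolled in endpoint management
    disk_encrypted: bool
    critical_patches_missing: int  # from continuous assessment of the endpoint


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: int               # 1 public .. 4 restricted (data classification)
    allowed_groups: frozenset


@dataclass(frozen=True)
class Signals:
    impossible_travel: bool = False        # analytics: logins too far apart
    credentials_in_breach_dump: bool = False


def decide(subject, device, resource, signals, source_network="unknown"):
    """Return (Decision, reasons). source_network is accepted only to make the
    point that it is never consulted: the office LAN earns no extra trust."""
    # Identity: entitlement is re-checked on every request, not once at login.
    if not (subject.groups & resource.allowed_groups):
        return Decision.DENY, ["subject not entitled to resource"]

    # Analytics: hard-stop signals override everything else.
    if signals.credentials_in_breach_dump:
        return Decision.DENY, ["credentials appear in a breach dump"]
    if signals.impossible_travel:
        return Decision.DENY, ["impossible-travel detection on this identity"]

    # Endpoint: posture requirements tighten with data sensitivity.
    if resource.sensitivity >= 3:
        if not device.managed:
            return Decision.DENY, ["unmanaged device for sensitive resource"]
        if not device.disk_encrypted:
            return Decision.DENY, ["disk not encrypted for sensitive resource"]
        if device.critical_patches_missing > 0:
            return Decision.DENY, [
                f"{device.critical_patches_missing} critical patch(es) missing"]
    elif not device.managed:
        return Decision.STEP_UP, ["unmanaged device: step-up required"]

    # Identity assurance: anything above public data needs MFA on this session.
    if resource.sensitivity >= 2 and not subject.mfa:
        return Decision.STEP_UP, ["MFA required for this sensitivity level"]

    return Decision.ALLOW, ["all checks passed"]


# Constructed sample subjects, devices and resources (not real data).
FINANCE = frozenset({"finance"})
PAYROLL = Resource("payroll-db", sensitivity=4, allowed_groups=FINANCE)
WIKI = Resource("intranet-wiki", sensitivity=2, allowed_groups=frozenset({"staff"}))
ALICE = Subject("alice", frozenset({"finance", "staff"}), mfa=True)
ALICE_NO_MFA = Subject("alice", frozenset({"finance", "staff"}), mfa=False)
BOB = Subject("bob", frozenset({"staff"}), mfa=True)
COMPLIANT = Device(managed=True, disk_encrypted=True, critical_patches_missing=0)
UNPATCHED = Device(managed=True, disk_encrypted=True, critical_patches_missing=2)
BYOD = Device(managed=False, disk_encrypted=False, critical_patches_missing=0)


def demo():
    """Run the scenarios and return {scenario: decision string}."""
    cases = {
        "remote_compliant_mfa": (ALICE, COMPLIANT, PAYROLL, Signals(), "home-wifi"),
        "lan_unmanaged": (ALICE, BYOD, PAYROLL, Signals(), "corp-lan"),
        "lan_unpatched": (ALICE, UNPATCHED, PAYROLL, Signals(), "corp-lan"),
        "impossible_travel": (ALICE, COMPLIANT, PAYROLL,
                              Signals(impossible_travel=True), "home-wifi"),
        "not_entitled": (BOB, COMPLIANT, PAYROLL, Signals(), "corp-lan"),
        "wiki_without_mfa": (ALICE_NO_MFA, COMPLIANT, WIKI, Signals(), "corp-lan"),
    }
    return {name: decide(*args)[0].value for name, args in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} -> {outcome}")
```

Note that the same user is allowed from home on a compliant device and denied from the corporate LAN on an unmanaged or unpatched one: the decision is driven by identity, device posture, data sensitivity and analytics signals, never by network location. The patch check is also where the cyber-hygiene baseline discussed above becomes a hard dependency; without continuous assessment feeding `critical_patches_missing`, the policy engine has nothing to decide on.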


Each of the above components requires:

  • Visibility into the full range of connected assets on a network; 

  • Continuous, dynamic assessments of these assets; 

  • Dynamic monitoring of identity stores such as Active Directory for misconfigurations and indicators of lateral movement; and

  • Prioritization of patching efforts based on detected threat activity and business risk. 
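The last bullet is easy to state and easy to get wrong in practice, because a queue sorted by CVSS alone puts a critical-severity flaw on an isolated lab box ahead of an actively exploited high-severity flaw on an internet-facing gateway. The following added example, which is not Tenable's scoring (its Vulnerability Priority Rating and Asset Criticality Rating are separate products), ranks a constructed set of findings by combining severity with observed exploitation, exposure and business criticality; the weights, finding labels and asset names are assumptions.

```python
"""Rank findings by threat activity and business risk, not CVSS alone.

Added example; weights and sample data are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    label: str                 # placeholder identifier, not a real CVE
    asset: str
    cvss: float                # CVSS base score, 0.0-10.0 (severity only)
    exploited_in_wild: bool    # threat activity: exploitation observed
    internet_facing: bool      # exposure of the asset
    asset_criticality: int     # 1 (lab box) .. 5 (crown jewel), business input


def priority(f: Finding) -> float:
    """Composite 0-100 score (assumed weights). Factors multiply so that a
    weak factor drags the total down: a CVSS 9.8 on an isolated, non-critical
    test VM should not top the patch queue."""
    threat = 1.0 if f.exploited_in_wild else 0.4
    exposure = 1.0 if f.internet_facing else 0.6
    business = f.asset_criticality / 5
    return round(10 * f.cvss * threat * exposure * business, 1)


def rank(findings):
    """Highest priority first."""
    return sorted(findings, key=priority, reverse=True)


# Constructed sample findings (not real data).
SAMPLE = [
    Finding("F-1", "test-vm-07", 9.8, exploited_in_wild=False,
            internet_facing=False, asset_criticality=1),
    Finding("F-2", "vpn-gw-01", 7.5, exploited_in_wild=True,
            internet_facing=True, asset_criticality=5),
    Finding("F-3", "hr-db-02", 8.8, exploited_in_wild=True,
            internet_facing=False, asset_criticality=4),
    Finding("F-4", "intranet-wiki", 6.5, exploited_in_wild=False,
            internet_facing=True, asset_criticality=2),
]


def patch_order(findings=SAMPLE):
    """Labels in risk-based order."""
    return [f.label for f in rank(findings)]


def cvss_order(findings=SAMPLE):
    """Labels in severity-only order, for comparison."""
    return [f.label for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


if __name__ == "__main__":
    print("by CVSS only :", cvss_order())
    print("by risk      :", patch_order())
    for f in rank(SAMPLE):
        print(f"{f.label} {f.asset:14s} cvss={f.cvss:4.1f} priority={priority(f):5.1f}")
```

On the sample data the severity-only order is F-1, F-3, F-2, F-4, while the risk-based order is F-2, F-3, F-4, F-1: the exploited flaw on the internet-facing VPN gateway moves to the top and the CVSS 9.8 on the lab VM drops to the bottom. The two business inputs, `internet_facing` and `asset_criticality`, are exactly the asset inventory and dependency data NIST calls the baseline for any zero-trust deployment.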


We at Tenable believe zero trust is a model that every enterprise should strive toward. That's why we have always advocated that every single endpoint and device in the environment should be assessed for security, misconfigurations and missing updates. At the same time, we recognize the very real challenges involved in implementing these principles and advise organizations to invest in the cybersecurity fundamentals before embarking on a zero-trust journey.
