Does implementing Zero Trust mean sacrificing usability?

363 views, 1 upvote, 7 comments

CISO in Software, 51 - 200 employees
Zero Trust can mean a lot of things to different people. To me, the definition is: don't trust but verify everything in your network, everything that's coming in from your perimeter and even what's inside your network. Don't even trust your users. At the same time, we have to ensure everything works. Everything has to be seamless to the end user and security should be invisible. I'm still working on figuring out how we accomplish that.

It's easy from the outside—we can block everything with a firewall, but what do we do from the inside? Phishing emails are getting better and better, and people click on them. I get tracked. I don't click on anything, but there's only so much awareness training we can do. So how can we mitigate all these clicks that come through?
VP IT & Ecommerce in Finance (non-banking), 51 - 200 employees
We have some zero trust capabilities within the office, it’s just that we have to turn those on and that’s the added inconvenience. We take pride in service, and if I need to service a policyholder immediately I can’t be without access or have to take time to figure out my dual-factor authentication. Even though it's become very easy, there is still that added hindrance.
Managing Partner in Services (non-Government), 11 - 50 employees
When we're talking to the board, we ask, what are the assets that you want to protect, and what is it worth to you to protect them? Years ago I had top secret clearance and we had very secure computers that were TEMPESTed. You had to be in the physical room with a wire attached to that machine to talk to it. There were no outside connections. So we could make you very secure, but your laptop will take 17 minutes to boot up while you go get a cup of coffee and do something else. Where do you work in usability?

You've got to prioritize what needs protecting. If our marketing communication (MarCom) gets compromised, do we care? No. But if a leading edge semiconductor company’s latest design on lithography gets compromised, that’s a problem. But if hackers get your MarCom, you probably don't care. So not everything is equal. That’s when you need to have little insulated islands of smaller hard shells with soft centers because you've still got to have the soft centers to have functionality.
Director of IT in Manufacturing, 5,001 - 10,000 employees
No. Zero Trust is for mitigating our risk, not a sacrifice for us.
Chief Security Officer in Software, 10,001+ employees
No. The whole point of zero trust is it should provide a better experience for your employees and therefore enhance usability.
CTO in Software, 201 - 500 employees
By itself it doesn't mean anything. It's an approach, a security model that can be applied to a specific area (e.g. ZTN) or broadly across the enterprise. As was already noted in other comments, it's about eliminating any explicit or implicit trust and focusing on verifying everything (e.g. attestation of endpoints, authentication of users and connections, etc.). Based on the properties of the "as-is" and "to-be" environments and the specifics of the implementation, ZT can potentially improve usability or it can have the opposite effect.
Director of IT in Healthcare and Biotech, 501 - 1,000 employees
In the way we approached zero trust, it just meant more training prior to full go-live to prevent users from getting frustrated.
