How legacy tech is hindering zero trust adoption and what to do about it
Zero Trust has been at the forefront of expert debates during this dedicated month for cybersecurity awareness. In this post, we look at the major reason a lot of businesses are yet to implement the concept.
Legacy technology is the biggest hindrance to the adoption of Zero Trust technology. This is according to the ‘Zero Trust Strategies for 2022 Report’ from cybersecurity software and services company Optiv: 44% of the 150 businesses interviewed stated that legacy tech with no support for Zero Trust was a major obstacle to the implementation of the technology. This finding was also echoed by the 2022 Zero Trust Research Report, which polled 300 IT and program managers across US federal, civilian, and defence agencies that are under executive orders from the president to implement Zero Trust.
Other reasons given by organisations for not adopting Zero Trust include a lack of IT expertise and the cost of implementation.
“Legacy technologies in general tend to be very static in nature and not designed to handle the dynamic rule sets necessary to enforce policy decisions,” says Imran Umar, a senior cyber solution architect at Booz Allen Hamilton who is currently charged with overseeing the implementation of zero-trust initiatives in his firm.
In a separate report dubbed ‘State of Zero Trust Technology 2022’, 97% of the respondents noted that they either had a zero trust initiative in place or were working on creating one in the next 12-18 months.
Zero Trust is a new security model that looks to overcome the shortcomings of previous security models by ensuring that no user, device, or connection is trusted until it has verified itself as trustworthy. Verification is done through a series of authentication processes. Even after initial access, Zero Trust requires users, devices, and software systems to re-establish trust any time they need access to other networks and systems as well as enterprise data.
This is different from the traditional approach, which relied on a perimeter defence system to lock out individuals trying to gain unauthorised access to the network. This method has proved ineffective since, in most cases, once a malicious actor gains access to the network they have unlimited access to other systems and data.
However, experts say that legacy systems should not discourage organisations from adopting Zero Trust. Instead, organisations should look to adopt the pieces of the technology that their legacy systems can support, since Zero Trust is multi-layered.
“The general approach with zero trust, whether you’re dealing with legacy or not, is a phased approach,” says Torsten Staab, chief innovation officer for Raytheon Intelligence & Space’s Cyber, Intelligence and Services business unit. “With zero-trust security, it’s all about multiple levels; it’s not just looking at one. So start with one and then roll out more capabilities.”
Staab uses the example of multi-factor authentication, saying that adding the technology to legacy systems should not be a problem.
“You don’t have to do it all at once; no one expects you to be fully compliant in all areas. But the traditional approach — perimeter-based security — is not working, and that should lead you to zero-trust security. And there are things that can be done, things you can do with your existing infrastructure to move toward zero trust. It’s doable, but you have to have a willingness,” Staab concluded.