Tenable and the Path to Zero Trust

The simplicity of the zero-trust concept belies the complexity of implementing it in most large organizations. Here are four factors to consider before you begin the journey.

Zero trust, a cybersecurity concept first introduced by Forrester in 2010, is emerging as the answer du jour for a wide range of challenges facing today's digital enterprise. It accommodates the perimeter-busting work-from-home trend necessitated by the COVID-19 pandemic. It addresses the fundamental issues raised by the SolarWinds breach. And it complements the cloud-based infrastructure, platforms and applications that are fundamental to digital transformation. 

Prior to COVID-19, you could say the world was trundling toward a zero-trust future at a speed of about 10 mph. In the post-COVID era, we find ourselves barreling toward zero trust at a pace that feels more like 90 mph.

The premise of zero trust is relatively straightforward. According to the U.S. National Institute of Standards and Technology (NIST), zero trust is "a cybersecurity strategy that focuses on moving network defenses from wide, static network perimeters to focusing more narrowly on dynamic and risk-based access control to enterprise resources, regardless of where they are located." 

While we at Tenable agree that the realities of today's work environment have rendered the notion of a perimeter obsolete, we also believe the simplicity of the zero-trust concept belies the complexity of implementing it in most large organizations. The Zero Trust Progress Report, released in February 2020 by Cybersecurity Insiders and Ivanti (formerly Pulse Secure), surveyed 400 cybersecurity professionals and found 47% lack confidence applying a zero-trust model to their organization's security architecture. 

In its August 2020 report, Implementing a Zero Trust Architecture, NIST debunks the "misconception that zero trust architecture is a single framework with a set of solutions that are incompatible with the existing view of cybersecurity." Instead, the agency advises that zero trust should be viewed as "an evolution of current cybersecurity strategies." The report further articulates three key challenges:

  1. No single solution exists for zero trust; instead, it requires the integration of many different technologies of varying maturity. Indeed, The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q3 2020 evaluated the top 15 providers. NIST states: "The spectrum of components within the wider enterprise is vast, with many products focusing on a single niche within zero trust and relying on other products to provide either data or some service to another component (e.g., integration of multifactor authentication for resource access)."

  2. Migrating an existing IT ecosystem, particularly one with legacy applications and systems, requires investments in time, resources and technical ability to retool them to adhere to zero-trust principles. We believe the resource investment required makes adhering completely to a zero-trust model across an enterprise simply not possible today. Further, NIST notes that a lack of standards makes it difficult for organizations to assess the compatibility of various products and, in turn, to build a five-year roadmap.

  3. Security concerns, such as a compromise of the zero-trust architecture control plane, must be thoroughly assessed and vulnerabilities identified and mitigated. In our view, no organization should begin a zero-trust journey without first nailing the basics of cyber hygiene. According to NIST, "An enterprise should reach a baseline of competence before it becomes possible to deploy a significant [zero trust-focused] environment. This baseline includes having assets, subjects, business processes, traffic flows and dependency mappings identified and cataloged for the enterprise. The enterprise needs this information before it can develop a list of candidate business processes and the subjects/assets involved in this process." We believe this baseline requires full visibility into the entire attack surface, continuous dynamic monitoring of assets and user permissions and the means to prioritize remediation based on risk.


Getting started on the zero-trust journey: consider these four factors 

Describing the implementation of zero-trust architecture as a "journey," rather than a wholesale replacement of infrastructure or processes, NIST predicts that "most enterprises will continue to operate in a hybrid zero-trust/perimeter-based mode for an indefinite period while continuing to invest in ongoing IT modernization initiatives." 

No matter where you are on your zero-trust journey, we believe the four functional components of NIST's zero-trust model also serve as the building blocks of a sound cybersecurity strategy:

  1. Data security, including all the data access policies and rules used to secure information, and the means to protect data at rest and in transit. 

  2. Endpoint security strategy, technology and governance to protect servers, desktops, mobile phones, IoT and operational technology (OT) devices from threats and attacks, as well as to protect the enterprise from threats from managed and unmanaged devices.

  3. Identity and access management, including the strategy, technology and governance for creating, storing and managing enterprise user accounts and identity records and their access to enterprise resources. 

  4. Security analytics, encompassing all the threat intelligence feeds and traffic/activity monitoring for an IT enterprise, as well as the continuous monitoring of those assets to actively respond to threats or malicious activity.


Each of the above components requires:

  • Visibility into the full range of connected assets on a network; 

  • Continuous, dynamic assessments of these assets; 

  • Dynamic monitoring of user databases such as Active Directory for misconfigurations and lateral movement; and

  • Prioritization of patching efforts based on detected threat activity and business risk. 


We at Tenable believe zero trust is a model that every enterprise should strive toward. That's why we have always advocated that every single endpoint and device in the environment should be assessed for security, misconfigurations and missing updates. At the same time, we recognize the very real challenges involved in implementing these principles and advise organizations to invest in the cybersecurity fundamentals before embarking on a zero-trust journey.
