17 IT leaders on why your organization needs zero trust, with tips on implementation
Top Business Tech shares the insight from 17 IT leaders on why organizations of all sizes need to implement zero trust, with tips on how to do so.
As the drastic rise in cyberattacks in the last year and a half has illustrated, zero trust is no longer simply “a nice thing to have”. Instead, it is now a security solution that organizations of all sizes must implement to protect infrastructure from internal and external threats.
We hear from several CTOs, who share their views on zero trust and their advice on how best to implement it.
Lee Wade, CEO, Exponential-e
How important is zero trust?
Almost every cybersecurity company will tell you that home networks are inherently insecure, and often unprotected by firewalls. You might have the security in place to protect your house from physical break-ins. Still, cyberattackers can break into home networks easily – even through IP-enabled devices, like your fridge or your kettle – and once inside, tunnel and break into their employer’s corporate network. Who knew making a cup of tea could be so damaging?
Businesses need a solution that automatically extends corporate-level security into each employee’s home, making all offices – whether at home or on-site – equally secure, and truly delivering peace of mind as a service. Tools like SD-WAN help deliver this by integrating on-premise level security, and zero-trust access control, so employees’ homes – and all connected items within them – become a secure extension of the corporate or office networks. And yes, that does even include the games consoles that kids have been using when meant to be doing schoolwork.
Altaz Valani, Director of Insights Research at Security Compass
How important is zero trust?
In the fight against criminal activity, there are several approaches. Some focus on specific, concrete technologies (e.g. Balanced Development Automation, SIEM, code scanning, Threat Modelling, etc), others focus on design (e.g. Privacy by Design, Secure by Design, Compliance by Design, etc), and others focus on philosophy (e.g. zero trust, BeyondCorp, DevSecOps, etc).
It is generally with the more abstract approaches that we see the greatest opportunities for innovation. The more concrete an approach, the less room there is for innovating beyond technology limitations. I believe it is, therefore, at higher levels of abstraction, like zero trust, and security reference architectures, where innovation will continue to thrive and technologies will follow suit.
For example, we already see work being done at The Open Group to create zero trust and security reference architectures that could have any number of implementations. These types of approaches will open doors to new categories of technologies and integrations that may not exist today, and this is the very essence of innovation.
Do you have any tips for implementing zero trust?
The pre-requisites for building a zero trust architecture are to be clear about the business objectives; zero trust will involve change and you need business buy-in for this. It’s also important to educate yourself, as most security paradigms are network-based, whereas zero trust is asset-based. Additionally, identify an important application to the business and start from there; don’t do everything at once.
There are also some ‘non-negotiable’ components of a zero trust architecture, such as automated asset security and explicit trust validation throughout the asset’s lifecycle. Organisations must also recognise that zero trust is a continuously improving security model and not an end state.
Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre
How important is zero trust?
If properly implemented, a zero trust strategy removes a class of security issues from the list of potentially exploitable weaknesses in an environment. It accomplishes this through multiple mechanisms, but arguably, the most important is a review of the networking requirements for a given service or application. This review forces teams to ask questions related to how a service is accessed (which ports and protocols), by whom (what authentication mechanisms are required), from where (to differentiate legitimate access from unexpected), and for how long (life span of an authorised connection). The output of this review supports initiatives beyond pure zero trust setups, and can help build configuration validation policy rules to ensure that overall misconfigurations are minimised. After all, if a policy is written that databases shouldn’t be accessible from the internet, it stands to reason that the same policy also states where databases should be accessible.
Do you have any tips for implementing zero trust?
When defining a zero trust network, it’s not sufficient to simply create the network and deploy the applications and services. Monitoring for configuration changes and unexpected access attempts must also be performed. Additionally, any configuration changes implemented as part of a zero trust plan must be fed into the business’s threat modelling efforts and all incident response plans. Cyber security isn’t a practice of absolutes, so zero trust shouldn’t be viewed as a panacea for cyber threats. The threats still exist, and will evolve based on updated industry practices. Without keeping threat management efforts aligned with implementation, there is a real risk that an attacker might exploit a weakness in that zero trust implementation.
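A sketch of the configuration validation described in this section, as an added example (not code from the article or from the contributor): each policy rule records the four review answers (port and protocol, authentication, source, connection lifetime), and anything deployed without a matching rule is reported. All service names, networks and values are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class AccessRule:
    """Review output for one service: how, by whom, from where, for how long."""
    service: str
    port: int
    protocol: str
    auth: frozenset       # acceptable authentication mechanisms
    sources: tuple        # CIDR ranges the service may be reached from
    max_session_s: int    # longest authorised connection lifetime


@dataclass(frozen=True)
class Exposure:
    """What is actually deployed (hypothetical inventory record)."""
    service: str
    port: int
    protocol: str
    auth: str
    source: str
    session_s: int


def source_allowed(source, allowed):
    """True if the deployed source range sits inside an allowed range."""
    src = ip_network(source)
    for cidr in allowed:
        net = ip_network(cidr)
        if src.version == net.version and src.subnet_of(net):
            return True
    return False


def validate(policy, exposures):
    """Return (service, port, reason) findings; no matching rule means deny."""
    rules = {(r.service, r.port, r.protocol): r for r in policy}
    findings = []
    for e in exposures:
        rule = rules.get((e.service, e.port, e.protocol))
        if rule is None:
            findings.append((e.service, e.port,
                             "no rule for this port/protocol (default deny)"))
            continue
        if e.auth not in rule.auth:
            findings.append((e.service, e.port,
                             f"auth '{e.auth}' not permitted"))
        if not source_allowed(e.source, rule.sources):
            findings.append((e.service, e.port,
                             f"source {e.source} outside {rule.sources}"))
        if e.session_s > rule.max_session_s:
            findings.append((e.service, e.port,
                             f"session {e.session_s}s exceeds {rule.max_session_s}s"))
    return findings


# Constructed policy: the database rule says where it SHOULD be reachable,
# which is what makes "not from the internet" checkable.
POLICY = [
    AccessRule("web-frontend", 443, "tcp", frozenset({"oidc+mfa"}),
               ("0.0.0.0/0",), 28800),
    AccessRule("orders-db", 5432, "tcp", frozenset({"mtls"}),
               ("10.20.0.0/16",), 3600),
]

# Constructed deployment inventory.
DEPLOYED = [
    Exposure("web-frontend", 443, "tcp", "oidc+mfa", "0.0.0.0/0", 28800),
    Exposure("orders-db", 5432, "tcp", "mtls", "10.20.4.0/24", 900),
    Exposure("orders-db", 5432, "tcp", "password", "0.0.0.0/0", 86400),
    Exposure("orders-db", 22, "tcp", "ssh-key", "10.20.4.0/24", 600),
]

if __name__ == "__main__":
    for service, port, reason in validate(POLICY, DEPLOYED):
        print(f"{service}:{port}: {reason}")
```

Re-running the same check whenever the inventory changes gives the monitoring for configuration changes that this section calls for.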
Steve Mulhearn, Director of Enhanced Technologies, Fortinet
How important is zero trust?
The sophistication of the cyber threat landscape has extended to sinister new levels of attacks. They are targeting IT and OT devices, and the industrial systems that manage production in segments such as manufacturing, energy, and pharmaceuticals, which have seen an accelerated need for automation due to the pandemic.
As production relies more and more on sophisticated regulation, no sensor, application, or user should by default be allowed to influence the running of any critical infrastructure or process. Due to the precision and speed of production required, any malicious activity can have devastating effects from operations and public safety perspectives. On top of that, the rise in remote working has put a spotlight on the limitations of VPNs. Once a user is connected through a VPN client, they’re effectively inside the perimeter and have broad access to the network, exposing it to further threats. This is why a zero trust policy is so important.
Network access by default needs to be set to “closed,” and not “open.” Access rules need to be dynamically refreshed with real-time authentication systems with a least trust model. A user, application, or device should be checked prior to accessing the network and throughout the entire network. And the overall behaviour should be monitored against a machine-learning baseline profile so that if an individual, device or application begins behaving in a suspicious manner, the appropriate actions can be taken, in real-time.
Do you have any tips for implementing zero trust?
The first step in designing a zero trust architecture is to determine who gets access to which resources based on job role and function. On top of that the devices themselves that people are using need to be properly secured. The implementation of an effective zero trust security policy must include secure authentication. Many breaches come from compromised user accounts and passwords, so the use of multifactor authentication is key. Requiring users to provide two or more authentication factors to access an application or other network assets adds an extra layer of security to combat cybersecurity threats.
Adopting this type of access management means that if a user account is compromised, cyber adversaries only have access to a restricted subset of corporate assets. It’s similar to network segmentation but on a per-person basis. Users should only be allowed to access those assets that they need for their specific job role.
An all-too-common notion is that implementing a zero trust architecture requires a complete overhaul of an organization’s network. There will certainly be some heavy lifting required, but successful implementation is about having the right framework in place paired with the right tools to execute. It’s a cultural shift, which is often a bigger change than the technology shift. It involves a mindset and a commitment to changing how access is granted and how security is maintained across the organization.
Adrian Taylor, Zero Trust subject matter expert, A10 Networks
How important is zero trust?
The traditional notion of perimeter security has crumbled in the face of the public cloud, increased mobility, and remote working, and that has never been more the case than during the last 18 months. This leaves businesses with a much wider attack surface, but it has also revealed that even trusted insiders can constitute a cyber threat. 94% of organizations experienced insider data breaches last year. The Zero Trust model recognizes that internal and external threats are pervasive, and implicit trust must, therefore, be eliminated from information technology systems.
A Zero Trust strategy eliminates the traditional network perimeter, limits access, and prioritizes minimum user authorization to protect data, assets, and legacy infrastructure. Under this model, every device, user, network, and application flow should be checked to remove excessive access privileges and other potential threat vectors.
Do you have any tips for implementing zero trust?
Organizations must take a holistic approach to implement Zero Trust and modernize network security.
The move towards a Zero Trust model should be gradual and deliberate. Multi-layered protection should incorporate controls, from:
- Foundational visibility into encrypted traffic streams to stop infiltration from ransomware, malware, and other common attacks
- Application workload protection through segmentation and advanced user authorization and verification
- Sustainable user training in best practices to minimize risky behaviors.
In order to be effective, a Zero Trust strategy requires thoughtful integration into every level of a business, from the IT infrastructure to the daily processes, to staff training. Without attention to detail, businesses could create even more vulnerabilities for malicious actors to exploit.
Richard Slater, Head of Managed Services at Amido
How important is zero trust?
Zero trust security models have been gaining in popularity over the last decade, but the rise in hybrid working since the beginning of the pandemic has now meant they should be the central element of any company’s cybersecurity and business continuity strategy. In addition, corporate devices have become more vulnerable due to cybersecurity teams losing their control over employee laptops and the increased adoption of BYOD, which has heightened the risk of data breaches. This means security controls must become more intelligent and require greater safeguards within a company’s applications. By adopting a zero trust model, companies will have increased protection and multiple defences against cybercriminals beyond just the one corporate firewall.
Do you have any tips for implementing zero trust?
Implementing a zero trust security strategy requires a shift in mindset and upskilling staff to use, develop, manage and monitor this decentralised model. Personal devices need to be treated like corporate devices, and it must be clear that every device on a company network can potentially be infected; however, companies must remember to respect the privacy of their employees and avoid overreaching into their personal devices.
Once employees are onboard, security teams must focus on user identity as the cornerstone of a zero trust model. Every user connecting to a company application must be identified, along with attributes that describe that user’s entitlements. For instance, as soon as an employee installs, say, Outlook, and connects to a company account, it must become enrolled in a device management solution that allows security teams to see compliance information for the device and potentially remote-wipe company data if it is lost. Zero trust architecture and thinking will therefore necessitate a shift from coarse-grained identity to fine-grained access management to ensure that users have sufficient access to do their work efficiently, but not excessive permissions that might lead to data loss. Above everything else, when building zero trust models, businesses must ensure that the right thing to do is the easiest thing to do, as this principle will drive adoption.
Nigel Phair, Chair of CREST in Australia and Director, Enterprise, of the University of New South Wales
How important is zero trust?
Zero-trust is the new black. It redefines the concept of a traditional IT network. It is important for organisations to aspire to, but like all things in cyber security it needs to be managed through a governance lens. Achieving zero-trust is not a binary outcome; it requires analysis of the risk appetite of the organisation along with acknowledgement of the external drivers, e.g. the sector the organisation is part of, any legislative requirements, etc. Like all good cyber security outcomes, it is a maturity-indexed approach with clear project management outcomes and, importantly, measurement along the way which will ensure success.
Do you have any tips for implementing zero trust?
It should be implemented via the CFO, since they are the logical custodian of organizational governance. The continuous monitoring and validating of users on a network, whilst being tactically achieved via technical means (eg, connection requests are vetted), is strategically attained via a competent governance framework.
Vats Srivatsan, COO, ColorTokens
How important is zero trust?
As attacks like the Colonial Pipeline and JBS have demonstrated in 2021, the private sector is unprepared for resilient security. Not only are individual companies at risk, these attacks also threaten to disrupt society at large by crippling critical infrastructure, healthcare, utilities or spreading panic.
Given the ever-increasing sophistication in attacks, combined with today’s accelerated transformation, cloud adoption timelines, and the rising bar of cybersecurity regulations, the need for scalable zero trust security that extends to every corner of the network has become undeniable.
Attackers will continue to exploit any weak link they can within the massively interconnected networks of today’s enterprises. Without the protection of a zero trust framework, they can move laterally through networks by taking advantage of trusted processes or access while going undetected for what can be months at a time.
An end-to-end zero trust approach shrinks the attack surface by only allowing the “known-good” processes and access, spanning all attack vectors in the network, including users, unpatched endpoints, devices, legacy servers, apps, and workloads – for resilient protection from every direction. By implementing zero trust architecture, security teams can eliminate attackers’ leverage and catch a breach before it spreads.
Do you have any tips for implementing zero trust?
Early pioneers of zero trust understood its value as the highest level of security. Still, some struggled with the workload and commitment that came with shifting to a new security posture. Today’s powerful, cloud-based security technology, like the ML-powered Xtended ZeroTrust™ Platform, helps make zero trust a reality for businesses without so much heavy lifting, regardless of the size of their networks or existing security tools. Combined with the fact that companies now realize just how much of their revenues and reputations are at stake, it becomes clear that the time for the implementation of zero trust architecture is now.
Some tips for your zero trust journey:
1. Companies should look at zero trust implementation as a journey to ‘building the zero trust muscle.’
2. Zero trust point solutions can leave businesses with a fragmented security approach as they have a number of disconnected security tools. By choosing a zero trust platform offering, businesses can take an end-to-end, holistic approach to their security with complete context.
3. The best place to start is with understanding the attack surface and exposure with 360-degree visibility into the entirety of the network. Today’s advanced security technologies help businesses achieve this within minutes.
4. With granular visibility, businesses can begin to segment networks in line with their infrastructure. Security technology that enables software-defined micro-segmentation allows for segmentation of a company’s workloads in a data centre or in the cloud.
5. Once environments are segmented, you can begin rolling out policies to build up your zero trust security posture across cloud workloads, containers, applications, endpoints, servers and users. Sophisticated AI and ML-powered policy engines can make recommendations for you and allow you to test policies in simulation mode so that you can enforce policies with confidence.
6. With the right cloud-delivered platforms that offer end-to-end zero trust security, I’ve found that many businesses can scale zero trust implementation quickly.
Jon Coates, IT director, Victoria Plum
How important is zero trust?
With the rise and acceleration of cybercrime over recent years, new methodologies are needed and zero trust is going to fast become the ‘new normal’. More remote users than ever are bringing more unknowns into IT infrastructures.
Zero trust is basically giving least privilege a shot in the arm. The premise is that the permissions you have are not sufficient on their own, you also need to meet a certain profile or footprint.
Zero trust questions not only whether an account has access to a particular area of a network but also whether the device is healthy and up to date, whether it is located where you would expect and whether it matches the configuration policy. It’s the cyber equivalent of looking through the window to check the person at the door is who they say they are; if it doesn’t look like them, then it’s not them.
If cybersecurity is keeping you awake at night, zero trust, done correctly, can provide superior resilience to your network security, as well as a much-improved night’s sleep.
Do you have any tips for implementing zero trust?
When implementing zero trust, it’s important to identify high-value users and systems. Whether it be the finance team, super users such as developer and admin accounts, or your CRM database, should cyber-criminals gain access to these, they are in and you’re out.
The importance of multi-factor authentication can’t be understated but don’t use one-time passcodes. Instead, go a step further. Consider getting your organisation to use notifications that require a fingerprint or face recognition. Doing so will mean access can only be granted to recognised end users.
In order to be successful, educating your employees is also key. There can be resistance when implementing new ways of operating – especially if there is a perception that new methods are more complicated than what came before. For this reason, it’s essential to clearly explain why changes are being made and the benefits these will bring.
Communicating regular security information is important and should be part of your IT team’s workload, you can’t overstate this. It can also be useful to follow this communication with dummy phishing campaigns to identify users who might pose a threat before the cybercriminals do. Stakeholder involvement is crucial, and this needs to come from the top, so make sure you get your CEO on board, too.
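The per-request check described in this section (permission alone is not enough; device health, patch level, location and configuration must also match, and high-value systems need stronger MFA), as an added example that is not part of the original article. Users, resources, thresholds and configuration keys are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy data (assumptions, not from the article).
ENTITLEMENTS = {"alice": {"crm-db", "wiki"}, "bob": {"wiki"}}
EXPECTED_COUNTRIES = {"alice": {"GB"}, "bob": {"GB", "IE"}}
HIGH_VALUE = {"crm-db", "finance-ledger"}
MAX_PATCH_AGE_DAYS = 30
REQUIRED_CONFIG = {"disk_encrypted": True, "screen_lock": True}


@dataclass
class Request:
    user: str
    resource: str
    country: str           # where the request comes from
    last_patched: date     # device's last successful update
    device_config: dict    # settings reported by device management
    mfa_method: str        # "biometric_push", "otp" or "none"


def decide(req, today):
    """Evaluate one request; every failed check is recorded, not just the first."""
    reasons = []
    # 1. Does the account have access to this resource at all?
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        reasons.append("no entitlement")
    # 2. Is the device healthy and up to date?
    if (today - req.last_patched).days > MAX_PATCH_AGE_DAYS:
        reasons.append("device patches out of date")
    # 3. Is it located where we would expect?
    if req.country not in EXPECTED_COUNTRIES.get(req.user, set()):
        reasons.append("unexpected location")
    # 4. Does it match the configuration policy?
    drift = sorted(k for k, v in REQUIRED_CONFIG.items()
                   if req.device_config.get(k) != v)
    if drift:
        reasons.append("config drift: " + ", ".join(drift))
    # 5. High-value systems require biometric approval rather than a passcode.
    if req.resource in HIGH_VALUE and req.mfa_method != "biometric_push":
        reasons.append("high-value resource requires biometric MFA")
    return ("deny" if reasons else "allow", reasons)


TODAY = date(2021, 9, 1)                       # constructed evaluation date
GOOD = {"disk_encrypted": True, "screen_lock": True}

# Constructed requests: same accounts, different device and context signals.
SAMPLE = [
    Request("alice", "crm-db", "GB", date(2021, 8, 20), GOOD, "biometric_push"),
    Request("alice", "crm-db", "GB", date(2021, 8, 20), GOOD, "otp"),
    Request("alice", "crm-db", "BR", date(2021, 6, 1),
            {"disk_encrypted": False, "screen_lock": True}, "biometric_push"),
    Request("bob", "crm-db", "IE", date(2021, 8, 25), GOOD, "biometric_push"),
    Request("bob", "wiki", "IE", date(2021, 8, 25), GOOD, "otp"),
]


def evaluate_all(requests, today=TODAY):
    return [decide(r, today) for r in requests]


if __name__ == "__main__":
    for req, (verdict, why) in zip(SAMPLE, evaluate_all(SAMPLE)):
        print(req.user, req.resource, verdict, why)
```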
Greg Day, VP and Chief Security Officer for Europe, Middle East, Africa at Palo Alto Networks
How important is zero trust?
It is critical as businesses have increasingly digitized and interconnected processes and their resiliency has become key. This is why zero trust has become a core strategic drive. To date, cybersecurity is often based on what type of IT thing is being secured but it is also important to remember where it is. Assumptions, such as they are on the inside of the business network logged in with a genuine account so they must be OK, are made but at which point the assertion is less risky and less secure. As such, zero trust driver one is aligned to cybersecurity controls to risk, not ill-conceived trust assertions.
Covid-19 has changed how we work, we cannot assume anything, as such we cannot trust, we need to verify and secure. It doesn’t matter if the user connecting is at home or in the office, both should require the same level of cybersecurity controls. With this comes consistency, which empowers scalability. If you have one set of rules for each key business process from a cybersecurity perspective, that can easily be monitored and enforced, then each business process has more than 10 rules. It becomes impossible to monitor, manage, and enforce. Zero trust driver two is consistency enables scalability, which is key in the fast-evolving and changing digital business world.
Today, too many companies have IT architecture that is flat. Once you are connected you have access to the whole kingdom of information, regulators have been pressuring those that are in this space to evolve. Now, with ever-increasingly digital supply chains and fast growing connections to the cloud, the risk exposure to each business becomes untenable. Key business processes need to be segmented so when an incident occurs exposure is limited, empowering digital operational resiliency. So, the final zero trust driver is to scale resilience. You must be able to segment digital processes to limit risk exposures.
These three drivers empower businesses to regain control of the risks they face, empower the security teams to scale with the growing digital footprint, and ensure they are aligned to the growing resiliency demands. In the world we live in, the stakes for cybersecurity have never been higher. As the zero trust motto goes: “Never trust, always verify”.
Do you have any tips for implementing zero trust?
Zero trust is a strategy, a mindset. So often, people ask me “how long does it take?” That’s the first indicator they haven’t yet grasped zero trust; a strategy doesn’t have a schedule.
Zero trust demands a holistic and consistent approach that is actionable across all key domains. There are a few core building blocks of a zero trust architecture:
- Verify all users, devices, infrastructures, and applications: Always validate the identity of the user, the integrity of the host they are using and the application they seek to access, irrespective of where the user, device, or application may be.
- Apply context-based access: Every access policy decision should take the user, device, and application context into consideration; ensuring consistent security and user experience.
- Secure all content: Ongoing inspection of all content to verify that it is legitimate, safe, and secure, and examine all data transactions to prevent enterprise data loss.
- Continuous monitoring and analysis of all security infrastructure: Check all connections and content for signs of anomalous or malicious activity to help uncover gaps in your implementation and use this data to continuously analyse and fine-tune your policies to improve the security of the system.
Zero Trust requires consistent ongoing visibility. If you can’t identify key digital business processes across your entire ecosystem, how can you define the appropriate and consistent security controls? Security, time and effort must be focused to give the maximum business operational resilience. Companies can no longer base security on what the IT thing is, they must instead focus on what it does, which business processes play a role in delivering.
Anudeep Parhar, Chief Information Officer, Entrust
How important is zero trust?
Zero trust is critical. The majority, if not all cyber events, involve some sort of over-trusted identity-related exploits. Identity can be exploited through various avenues, including compromised secrets, compromised data perimeters and lateral threats. Our recent Global Encryption Trends Study revealed the top three threats to sensitive data are employee mistakes (53%), system or process malfunction (31%) and hackers (29%). In addition, 65% of respondents revealed that they didn’t fully know where sensitive data resides in their organization. With these examples in mind, zero trust is the only way to truly protect identity within an organization.
Do you have any tips for implementing zero trust?
There are three stages to implementing zero trust in an organization:
1. Immediate: Enhance your organization’s digital security hygiene by (micro)segmenting your network, implementing Multi-Factor Authentication (MFA) at every point of entry, using certificates for authentication and using hardware-based Root of Trust (RoT) for critical encryption, including cryptographic keys.
2. Short-mid term: Discover/Inventory your crypto real estate. Externalize secrets, such as digital authentication credentials from applications and streamline your access/authentication policy across the organization.
3. Mid-long term: Implement role-based dynamic credentials (no pre-issued credentials), real-time access/authentication policy enforcement based on user behavior analytics.
Rashid Ali, Enterprise Solutions Manager at leading cybersecurity company WALLIX
How important is zero trust?
As naming goes, zero trust is what it says on the tin. No one is trusted implicitly when it comes to identity, access and data. With privilege abuse and misuse becoming the top cause of financially motivated security incidents based on the latest Verizon Data Breach Investigations Report, zero trust has become an essential tool for companies looking to have greater visibility and control over their IT network. That’s why it is crucial to implement a security scheme that requires users to prove who they are and to prove that they have both the need and authorization to access sensitive resources before entry is granted. This can be easily facilitated through a single connection by adopting a Privileged Access Management solution. Here, applying a zero trust model will enable organizations to take the key steps in achieving this.
With a privileged access management platform that follows the zero trust model, organizations will not only be able to verify access based on the user, but security can also be bolstered by taking into consideration other requirements such as the time of day and location of the user, flagging any red herrings. This allows organizations to create their own filters, giving employees the freedom to continue working, with access to the data they need, when they need it, but under an added security net.
By doing so, organizations will be able to combat the threat of both external and insider threats. This safeguards the business from financial and reputational damage and gives employees peace of mind to continue to work freely and productively.
Do you have any tips for implementing zero trust?
As we continue to move into an ever-increasing hybrid world, we will see more employees working remotely from personal devices, through VPNs or from home and public Wi-Fi. The challenge is that this brings new risks and growing challenges when it comes to security and companies should not forget about the real human factor.
Most accounts are only protected with a simple password created by the employee. What’s worrying is that most of them tend too often to choose weak or predictable passwords that make it all too easy for attackers to take advantage, gain entry or move around the company’s network.
While implementing a zero trust approach can reduce the risk, we also need to combine this with efficient training, increased security awareness and the motivation to build a good cybersecurity etiquette within the organization. Many employees may see extra security measures as a trade-off between ease of use and what is secure, but if businesses invest in a positive user experience and cyber training, we can ensure employees across every level are embracing a more secure approach.
Zeki Turedi, CTO, EMEA at CrowdStrike
How important is zero trust?
Simply put, there is too much trust. In networks where everything is trusted by default, at least internally, all it takes is one breach into the system and the whole organization is at risk. A number of substantial data breaches in recent memory were the result of hackers who, once past the corporate firewalls, were able to move through internal systems unobstructed. With the average breakout time placed at 1 hour and 32 minutes, being able to quickly identify and contain breaches is essential to any cyber strategy. While the 1-10-60 rule, whereby breaches are identified in 1 minute, investigated in 10 and remediated in 60, may be ambitious for organizations used to measuring response times in days, zero trust philosophy gives a distinct advantage in response time.
Do you have any tips for implementing zero trust?
While leveraging a zero trust model goes a long way in addressing security issues, implementing it is a different issue entirely. This may be surprising considering how many of the technologies associated with this model are already seeing common use amongst enterprises: multi-factor authentication (MFA), identity and access management (IAM) and micro-segmentation, to name a few. Despite this, further investment is needed to realize the two-part goal of (1) identifying users and devices and (2) determining whether they should be granted permissions. Organizations also need to consider granular enforcement based on users, locations and other data as well as: orchestration, analytics, governance policies, encryption, scoring and file system permissions.
Under a zero trust model, organisations need to enforce policy-based controls each time a user requests access. The network needs total visibility into all the users and devices across the corporate environment. Ideally, the security team receives all the information they can glean from reports and alerts, the better to both detect and respond to threats. That is where automation can assist the human security team in melding with their technological defences. Leveraging the cloud, and layering machine learning and AI tools on top, can help a security team react much faster to threats, investigating and disregarding false positives. They are also able to commit to strong SLAs around detection, investigation, and remediation of threats, and better service their internal customers.
While the technologies supporting the zero trust model are integral, the hardest part of implementing the strategy can be a philosophical one. Most IT experts have been trained with ‘trust but verify’ in mind. What this means in practice is that most trust their environments by default. Rectifying this requires a change in mindset as much as it does a change in technologies. In other words, more is required to implement zero trust than just using the right technology – there needs to be a fundamental change in thinking.
Bryan Patton, Principal Solutions Consultant at Quest
How important is zero trust?
Zero trust is crucial for all organizations, as it can not only help strengthen security practices, but can significantly reduce the disruption, financial, reputational, and regulatory impact of a data breach. While zero trust approaches still recognize the importance of creating a strong perimeter, they assume that breaches will be inevitable and therefore act in the same way that a second line of defence would – it can be the difference between suffering a limited hack with insignificant damage, versus a major incident that could cripple your business.
However, it is not a new set of technologies coming to market, and neither is it a magic bullet. Zero trust is actually a security model that builds upon a long history of security practices – focusing on authorization, identity, and data integrity. It is not an iron-clad guarantee that organizations with a zero trust approach won’t ever suffer a serious incident, but with every step that businesses take in their zero trust journey, it reduces the risk of data breaches, downtime and compliance failures. With a zero trust mindset, businesses can start to develop a more comprehensive security approach, closing those security gaps and building a solid security strategy for the future.
Do you have any tips for implementing zero trust?
It’s essential to understand that zero trust, like any security model, isn’t something you implement and check off your list, like painting your kitchen. Instead, it’s more like maintaining and improving your home — an ongoing process that involves a wide range of processes and technologies.
However, there are proven frameworks available that can help give businesses a head start. As an example, Microsoft’s rapid modernization plan (RAMP) is designed to help you quickly adopt its recommended privileged access strategy. The goal is to apply the principle of least privilege to every access decision, allowing or denying access to resources based on the combination of multiple contextual factors, and not just a single earlier authentication. To provide maximum benefit, zero trust principles must permeate most aspects of the IT ecosystem.
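A sketch of what a per-request access decision built on several contextual factors can look like, added here as an illustration; it is not code from Microsoft's RAMP, Quest, or the article's contributors. The roles, actions, thresholds and field names are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy: only (role, action) pairs listed here can ever be allowed.
GRANTS = {
    ("finance-analyst", "ledger:read"): {
        "max_auth_age": timedelta(hours=8), "mfa": True,
        "managed_device": True, "countries": {"GB", "IE"}},
    ("finance-admin", "ledger:write"): {
        "max_auth_age": timedelta(minutes=15), "mfa": True,
        "managed_device": True, "countries": {"GB"}},
}

@dataclass(frozen=True)
class AccessRequest:
    role: str
    action: str
    authenticated_at: datetime
    mfa: bool
    managed_device: bool
    country: str

def decide(req, now):
    """Evaluate one request on its own context; returns (allowed, reasons)."""
    grant = GRANTS.get((req.role, req.action))
    if grant is None:
        return False, ["no explicit grant (default deny)"]
    reasons = []
    # A sign-in that was good enough earlier may be too old for this action.
    if now - req.authenticated_at > grant["max_auth_age"]:
        reasons.append("authentication too old for this action")
    if grant["mfa"] and not req.mfa:
        reasons.append("MFA required")
    if grant["managed_device"] and not req.managed_device:
        reasons.append("unmanaged device")
    if req.country not in grant["countries"]:
        reasons.append("location not permitted")
    return not reasons, reasons

NOW = datetime(2021, 9, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
LOGIN = NOW - timedelta(hours=2)                         # one earlier sign-in

if __name__ == "__main__":
    for req in (
        AccessRequest("finance-analyst", "ledger:read", LOGIN, True, True, "GB"),
        AccessRequest("finance-admin", "ledger:write", LOGIN, True, True, "GB"),
        AccessRequest("finance-analyst", "ledger:read", LOGIN, True, False, "FR"),
    ):
        print(req.role, req.action, decide(req, NOW))
```

The second request carries the same two-hour-old sign-in as the first, yet is refused because the write grant demands a fresher authentication.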
David Cummins, Vice President of EMEA Tenable
How important is zero trust?
The increasing threat and severity of cyberattacks have been well documented with governments, businesses and even civilians all questioning how safe their personal information is. More recently, this concern has intensified as we’ve seen threat actors target the very infrastructure that underpins our lives – from water purification plants, oil refineries, medical facilities and transportation systems, nothing is off-limits. With defences falling, we need a new approach to cybersecurity practices.
When we think of traditional network security, the premise is to fortify the perimeter. The aim is to prevent threats outside of the network from getting in. The downside is that, once users – or bad actors – clear the perimeter, they are free to move about the network, taking whatever they find with them as they leave.
In addition, the transformative impact of COVID-19 has not just expanded the network perimeter but eradicated it. A recent study conducted by Forrester Consulting on Tenable found that 70% of UK organizations currently have employees working remotely, compared to 31% prior to the pandemic, and 86% plan to adopt a remote working policy moving forwards permanently. This means a hybrid worker could be in the corporate office one day, and the next they’re connecting remotely via home routers or WiFi hotspots. The new world of work has shattered the corporate network, forcing a move away from perimeter-based security architectures.
Traditional perimeter security simply isn’t enough to protect multiple environments against today’s cybercriminals. Instead, security needs to adopt a model in which nothing – no device, person, or action – is inherently trusted.
With a zero trust model, security is woven throughout the network – with users, endpoints, applications, and files on the network and in the cloud monitored and authenticated at every access point.
But there’s a huge misconception that zero trust is a ‘thing’ that can be purchased and implemented as a one-time exercise to create a secure environment. Zero trust is a philosophy. It’s a journey that doesn’t have an end.
Do you have any tips for implementing zero trust?
For cybersecurity leaders, preparing for a zero trust journey is less an exercise in evaluating technologies and more an exercise in strategic thinking, requiring you to answer fundamental questions such as:
● What is your organization’s core mission or value proposition?
● What are the workflows required to fulfil that mission?
● Who owns those workflows?
● How does data flow in the organization?
● Which are your high-value assets, the so-called “keys to the kingdom”?
● How does the organization determine who is granted access to these high-value assets?
● How often does the organization audit user permissions once they are set?
● How will you design a “protect surface” to secure your most critical assets?
Answering these questions requires full visibility and continuous monitoring of the entire attack surface, including IT, internet of things and operational technology assets, and the ability to assess the criticality of each asset to deliver on the organization’s core mission.
No zero trust journey can begin without first addressing these fundamentals of cyber hygiene.
Milad Aslaner, Senior Director, Cyber Defence & Public Affairs, SentinelOne
How important is Zero-Trust?
Like the Colonial Pipeline attack where bad actors managed to shut down one of the largest oil pipelines in the US, recent cyberattacks have further accelerated the move for many organizations from perimeter-based to zero trust models. Zero trust is a fundamental conceptual change, where before we assumed that anything inside our enterprise could be trusted, we now assume that everything is breached unless proven otherwise.
Do you have any tips for implementing zero trust?
As businesses move from a legacy to a zero trust security model, they look for best practices and guidelines on achieving it as quickly as possible, but changing the security model of an organization isn’t achieved overnight. The journey is a marathon, not a sprint.
For zero trust to be effective, it is key to put considerable time and effort into defining the data, application, assets, and services that you’re trying to protect – whether that’s user information, financial details, business information or assets – and mapping transaction flows, tracking the way people are trafficked through a network.
Knowing who has high-level access to your network helps to ensure your access controls can be maintained. A good rule of thumb is to provide just enough access to a system. After all, the fewer accounts you operate through, the less you need to monitor.
Always ensure you have visibility into who should have access to what and never allow anyone default access to any part of your system. This lack of default access can become one of the main strengths of zero trust.
A final recommendation is to promulgate the zero trust mentality outside of the network design itself. Zero trust, and why it is important, is something all employees with system access should be made aware of. This helps users to be mindful when accessing the network, and can make the job of monitoring it far easier.
Andy Harcup, Senior Director, Gigamon
How important is Zero-Trust?
The mounting demand to digitally transform as organizations embrace hybrid working has left IT professionals with a challenge to keep control of their cybersecurity strategy. However, implementing a zero trust architecture is a great place to start. Remote working and Bring Your Own Device (BYOD) policies have introduced significant risks to company intranets, as hackers can compromise a remote, unsecured asset and move laterally into the ‘safe’ internal system. This can result in fast-moving and highly detrimental security breaches. A zero trust strategy eradicates the implicit trust often given to internal users and instead recognizes that all data should be authenticated. By introducing a zero trust framework, IT teams can proactively monitor threats and counter-attacks across their networks, decreasing the risks within a hybrid workforce set-up.
Zero trust is vital for bolstering the defence strategy and ensuring business processes run smoothly. According to Gigamon research, 87% of IT teams believe productivity has increased since the start of their Zero Trust journey, due to their systems running faster and fewer security breaches. The pandemic has left enterprises vulnerable by their own admission and zero trust architecture is now seen as a strong contender to help corporations address this issue.
Do you have any tips for implementing zero trust?
Network visibility is integral to a zero trust framework. It is impossible to manage or monitor threats in a ‘clouded’ environment and increased observability is vital for IT professionals looking to understand their data better, authorize what is safe and protect against what is not. Having full visibility of IT infrastructure and the data involved will become the glue that holds together the Zero Trust framework and allows the detection of undesirable behaviours and the analysis of metadata to explain the origin and movement of a cyberattack and ultimately keep an organization secure. From there, SecOps teams can make important decisions around security policies being adapted to better fit the evolving working environment and the increasingly sophisticated threatscape.