Lessons from the Zero Trust journeys across enterprises that can help you better approach your own, while avoiding common mistakes!
The black swan event of 2020 and its rampage across the globe compelled organizations to take wide-ranging measures to keep their operations afloat, which essentially began with enabling remote working for a significant part of their employees.
While the COVID-19 pandemic brought significant challenges for businesses, ranging from real-time decision-making and managing erratic customer expectations to sustaining workforce productivity, the most concerning aspect businesses had to deal with was the growing number of sophisticated information security attacks.
Over the last twelve months, increased uptake of cloud workloads and data proliferation from many endpoints has put unprecedented pressure on IT managers and CIOs. Identifying new ways to protect corporate ecosystems from multiple unknown devices and unsupervised users is an area of growing interest for all information technology and security leaders.
This dramatic shift has suddenly turned the spotlight on zero-trust architecture as a way to address evolving security threats, besides generating additional efficiencies for an organization.
Conceptually, the zero-trust approach provides many benefits which are not available in other, traditional network security models. However, a lack of understanding and knowledge among many cybersecurity experts has often turned zero-trust implementations into a drawn-out process, making it challenging for tech honchos to achieve the desired operational gains.
Zero trust primarily tries to address lateral movement by eliminating the distinction between inside and outside network access. For most experts, it is a good framework within an organization. But the main challenge organizations face is to tackle the valid concerns and find the correct answer to the right question.
In this month’s cover story, we focus on many of these aspects and the key actions that can enable organizations to get the most out of the zero-trust implementations at a breakneck speed!
Start with a vision and organizational goals
Forrester Research developed the Zero Trust approach in 2010. It is essentially a cybersecurity framework based on the premise that no organizational network (external or internal) is inherently secure or can be fully trusted. By incorporating a set of technologies and practices, zero trust focuses on establishing adequate access and rights at each step of data flow and consumption.
First and foremost, an organization needs to understand why it wants to implement zero trust: whether the aim is only to contain lateral movement or to stop it altogether. It is recommended to deploy controls and enforce security measures as close to the organizational asset as possible.
Secondly, implementing a zero-trust model needs strong authentication mechanisms, whether the organizational infrastructure is on premises or in the cloud.
Before embarking on the zero-trust journey, organizations must reach a significant maturity level on the authentication front.
Archie Jackson, Senior Director (Head - IT & Security), Incedo, recommends that as an initial step, the focus should be extended to legacy systems, tools, and procedures that may conventionally have been left unprotected.
In zero trust, it becomes paramount to continuously classify and segment all areas of the stretched enterprise network that cybercriminals could leverage to launch their attacks.
“While zero trust is a route to an improved cybersecurity posture, CIOs & CISOs must not forget the fact that eventually, it is to serve the business and therefore a ‘trust none, block all’ approach is not practical enough. This is applicable in segments, and that segmentation may be based on data classification,” Jackson elucidates.
For any organization, moving to a complete zero-trust architecture is a time-consuming process that requires careful planning with its security and networking teams. In many past cases, vendors have pitched standalone security products as complete solutions that proved unreliable, amplifying the erroneous perception of zero trust.
“Authorization is arguably the most critical part of your journey towards the zero-trust network, and hence decisions related to this should be taken after a rigorous evaluation. There can be multiple databases and enabling systems that play a crucial role in affecting those decisions. For example, before re-engineering your IT security strategy, it is essential to ponder whether you already have authorized mechanisms such as Radius, to ensure that the network can be accessed only by the sanctioned identities and devices,” says Chandresh Dedhia, Head of IT, Ascent Wellness Pharma.
Evaluate your infrastructure carefully
The objective of this comprehensive workforce security framework is to establish confidence in devices and users across the network. Zero trust focuses on authenticating each access and treats every access, for all users, as if it came from an untrusted network. It relies on ongoing trust assessment to permit or deny future network access to identified users or accounts.
In many instances it is possible to add security dimensions to existing applications, and it is not necessary to completely overhaul the infrastructure. However, organizations that are heavily skewed towards legacy applications often fail to integrate them with a zero trust architecture, or lack adequate authentication methods within their ecosystem. In such cases, enterprises keen on zero trust implementation are left with the alternative of replacing these applications, albeit at a cost that can be significant.
“Today’s businesses work on the expectations of ‘block none, secure all.’ Zero trust architecture also requires upgradation from traditional infrastructure and needs to be aligned to work with all business applications. Every company and business implements different technologies based on their unique needs. The same size does not fit all,” outlines Archie Jackson.
“In zero trust, the technology leaders must focus on Secure Access Service Edge (SASE) and handpick the components as required. Most importantly, it is recommended to determine the effort and cost required before embarking on any technology journey,” Jackson adds.
Different organizations can be at different maturity levels and degrees of readiness to adopt zero-trust models. Therefore, companies must carry out a detailed self-assessment of the importance of zero trust in their organization.
“During the COVID era, we implemented many security steps and awareness drives, not only at the application/network level but at the end-user level too. One should keep in mind that end-user awareness and proactiveness are key to staying safe. Finally, they are the last-mile security credential bearers,” says Dhiraj Sinha, AVP - Technology, BARC India.
“We made DNS-level security improvements, creating two different layers of firewall controls and separate firewall control for end-users. Besides, we also implemented MDM, DLP, PIM, NGAV, and 256-bit encryption at each transaction level,” Sinha adds.
Analyze the in-house capabilities
A zero trust framework is essentially a cybersecurity approach based on the principle that nothing in any organizational network (external or internal) is inherently secure or can be fully trusted. It recommends putting adequate controls on access and rights at every step of the data stream and its consumption.
If your zero trust architecture needs, for example, ten algorithms to be supported and you supply only two, you will not get the desired results from the zero trust implementation. It is important to recall that zero trust is not a standalone tool or product. It is an evolving process whose success depends heavily on the amalgamation of various prevailing technologies and governance processes to secure the IT infrastructure. Capturing, in real time, where an access request originates and what data it is accessing is essential for successful zero-trust implementations.
Organizations should either have this capability developed in-house or check with their solution partner to integrate this crucial aspect into the third-party security tools they are using.
“Organizations need to be vigilant of their business goals in the areas of trust and resilience. The key to successful zero trust implementation is taking an intelligent approach that enables businesses to capitalize and leverage the distinct advantages offered by people, processes, and technologies,” recommends Yask, Chief Information Security Officer, IOCL.
Yask also adds that a one-size-fits-all approach is ineffective. Organizations should map their information flow processes across different IT assets, applications, users, and entities to determine corrective actions that they need at various junctures.
Micro-segmentation is another essential component of zero-trust that minimizes the impact of a probable attack by creating perimeters. It is based on network behavioral analysis, cyber posture, end-user analysis, among several
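The two ideas above (capturing where a request comes from and what data it touches, and segmenting by data classification and device posture) come together in a per-request policy decision. The following is an added, hypothetical example written for this article, not code from any of the quoted organizations or a vendor product: the segment names, classification labels, and threshold rules are assumptions chosen to illustrate a deny-by-default evaluation that records the reason for every decision so it can be audited.

```python
"""Added example: a minimal per-request zero-trust policy decision.

Hypothetical code, not from the article or any vendor product. It combines the
signals the text describes (source segment, identity assurance, device posture,
classification of the data requested) into one deny-by-default decision and
logs the reason, so every allow or deny is auditable.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed data classification levels, lowest to highest.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    auth_strength: str      # assumed values: "password" or "mfa"
    device_managed: bool    # enrolled in MDM (the article mentions MDM)
    device_compliant: bool  # posture check passed (patched, disk encrypted, ...)
    source_segment: str     # network segment the request came from
    resource: str
    classification: str     # classification label of the data requested


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Assumed segmentation policy: the highest classification reachable from each
# source segment. A segment not listed here is denied outright.
SEGMENT_MAX_CLASSIFICATION = {
    "corp-wired": "restricted",
    "corp-wifi": "confidential",
    "vpn": "confidential",
    "guest": "public",
}


def evaluate(req: AccessRequest) -> Decision:
    """Deny by default; the first failing check is the terminal reason."""
    if req.classification not in CLASSIFICATION_RANK:
        return Decision(False, f"unknown classification {req.classification!r}")
    rank = CLASSIFICATION_RANK[req.classification]

    # 1. Segmentation: the source segment caps the classification reachable from it.
    seg_cap = SEGMENT_MAX_CLASSIFICATION.get(req.source_segment)
    if seg_cap is None:
        return Decision(False, f"source segment {req.source_segment!r} not in policy")
    if rank > CLASSIFICATION_RANK[seg_cap]:
        return Decision(False, f"{req.classification} data not reachable from {req.source_segment}")

    # 2. Device posture: anything above public needs a managed device;
    #    confidential and above also needs a passing posture check.
    if rank >= CLASSIFICATION_RANK["internal"] and not req.device_managed:
        return Decision(False, "unmanaged device")
    if rank >= CLASSIFICATION_RANK["confidential"] and not req.device_compliant:
        return Decision(False, "device failed posture check")

    # 3. Identity assurance: confidential and above require MFA.
    if rank >= CLASSIFICATION_RANK["confidential"] and req.auth_strength != "mfa":
        return Decision(False, "MFA required for this classification")

    return Decision(True, "all checks passed")


def evaluate_and_log(req: AccessRequest, log: List[str]) -> Decision:
    """Record every decision, allow or deny, so access is auditable."""
    decision = evaluate(req)
    verdict = "ALLOW" if decision.allowed else "DENY"
    log.append(f"{verdict} user={req.user} res={req.resource} class={req.classification} "
               f"seg={req.source_segment} reason={decision.reason}")
    return decision


def demo() -> Tuple[List[Decision], List[str]]:
    """Run constructed sample requests; return the decisions and the audit log."""
    log: List[str] = []
    requests = [  # constructed sample input
        AccessRequest("alice", "mfa", True, True, "corp-wired", "payroll-db", "restricted"),
        AccessRequest("bob", "password", True, True, "vpn", "hr-share", "confidential"),
        AccessRequest("carol", "mfa", False, False, "guest", "intranet-wiki", "internal"),
        AccessRequest("dave", "mfa", True, False, "corp-wifi", "finance-report", "confidential"),
        AccessRequest("erin", "mfa", True, True, "vpn", "payroll-db", "restricted"),
    ]
    decisions = [evaluate_and_log(r, log) for r in requests]
    return decisions, log


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Only the first request passes; the others fail on the segment cap, device posture or authentication strength, and each denial carries a specific reason. The ordering of the checks is a design choice: segmentation is evaluated first because it is the cheapest signal and the one the article ties most directly to data classification.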
Against this backdrop, an organization need not be swayed by buzzwords or jargon. It should have, directly or through its partners, remote monitoring capabilities, compliance tooling, and intelligent data analysis tools to ensure survival and transformation.
Build an effective change management plan
One of the major bottlenecks that prevents organizations from achieving the desired success from a zero-trust implementation is the lack of an effective change management plan. For successful execution of a zero-trust architecture, an organization needs to leap forward in terms of culture and processes.
The zero trust concept has been around since 2010; however, it has only seen broad deliberations recently, after the pandemic. With business disruption at an all-time high, many organizations have immediately rushed to transform their security programs to adapt to a post-COVID-19 business landscape. In many cases, it resulted in hasty deployments without a focused change management strategy.
“First and foremost, people and processes must be straightforward and streamlined, and wherever difficult to streamline, use technology. For any organization, security should be embedded by design and not as icing on a cake. For every company, for every business, the architecture and technologies are different. The exact size does not fit all,” states Archie Jackson.
As enterprises look to firm up their cybersecurity posture by deploying third-party solutions, they must train their existing employees on the changes they plan to implement and evaluate new employees on security concepts. IT teams must provide necessary training to all employees on the best practices for handling organizational data, through well-organized knowledge-sharing activities and a resource library.
Rajesh Aggarwal, Head of IT at Aamor Inox, agrees: “In today’s digital workspace landscape, people who access your systems and are provided with the necessary controls play a pivotal role in enabling your organization to achieve robust security controls. Before you fully implement any intelligent, risk-based engine to detect threats, you need to ensure that your people are well-informed about the security objectives that you intend to pursue as an organization. Even in authenticating visitors, a well-placed zero trust plan should include escorting visitors to the specified place for a definite amount of time.”
A change management plan varies for new companies that are just expanding their cloud-based services compared to traditional companies with legacy infrastructure.
“At BARC, we have different challenges. We ensure our systems are accessed by the right people at the right time only, which we control through tools. This ensures no single data leakage for our organization,” shares Mahendra K Upadhyay, Chief Information/Technology Officer at BARC India.
For developing forward-looking security architectures, businesses need to ensure that they are making their technical and non-technical users aware of the zero trust implementation to avoid any later-stage resistance.
“It’s the responsibility of users to ensure and make the workplace and information secure. Logging and control mechanisms ensure all data access is recorded properly in a time-bound manner. You are secure till you are not breached, so be alert every moment, every access, every permission, even with so many controls in place. Still, we are looking for more security products/protocols that give us a more secure framework in an ever-changing digital world,” Upadhyay adds.
Create a proof of concept (PoC)
Finally, before rolling out zero-trust processes and tools broadly, IT decision-makers should run a small PoC on a limited set of use cases.
The PoC will enable a zero-trust aspirant to gain clarity on the way forward. It will allow the organization to test the framework in real time, integrate the necessary data, and get a comprehensive overview of the live environment. Needless to say, setting up a conducive zero trust framework encompasses the right technology partner, automated controls and mechanisms to identify and stop threats, data discovery, and robust analytics.
Ensure beforehand that the business is ready to invest money, time, and resources in the required facilities and skillsets.