By Jerry Hoff
Given the changes in the enterprise security landscape since early 2020, such as massively increased remote workforces and the ongoing push towards cloud-based services and infrastructure, many enterprise executives are rethinking and rearchitecting their enterprises to meet these challenges. Remote work is now generally accepted as a permanent fixture; therefore, 2022 will require very different cybersecurity defenses to match the nature of new threats and what needs to be protected. Many enterprises are asking themselves how to move to the next level of security and how to prepare their environments for so many major changes. A major part of the answer for many organizations is Zero Trust.
Implementing Zero Trust is no simple task. The best way to start preparing is to decide what capabilities you want or need to add, what capabilities you merely need to enhance, and how to make sure that data remains accessible to everyone with the right privileges as effortlessly and securely as is practical.
Here are five things to consider as preparatory steps in this journey.
1—Standardize on Zero Trust, define Zero Trust, select Zero Trust
Embracing Zero Trust is quite popular today, but Zero Trust is closer to a philosophy, or a mindset, more than anything else. Different enterprises will implement a Zero Trust approach differently, given their particular threat landscapes, the nature of their business, geographies, verticals, where they expect to be in 18 months, compliance obligations, customers and dozens of other variables.
But all enterprise Zero Trust deployments will have very strong authentication as the centerpiece security control. Strong authentication goes far beyond past security advice such as long passwords; it should be an ongoing process involving behavioral analytics, biometrics, location and more secure MFA, ultimately evolving into an entirely password-less and PIN-less world. It means watching all users all the time throughout all sessions, so hello continuous authentication and, ultimately, Machine Learning to figure out when a new behavior is likely malicious.
Once enterprise CISOs figure out the best high-level Zero Trust definition for their enterprise, senior management, LOB management and IT must be on board, along with a group commitment to implementation. Ideally, all participants must internalize the implications of this new security reality. Zero Trust will change the way systems are budgeted, designed and deployed, and all levels of the business must coordinate to achieve the desired results.
Zero Trust is truly a fundamental component of secure-by-design, and key to reducing risk in the area of authentication and access control. Eventually, it will likely reduce the complexity of manual security operations, automating much in the area of authentication and access control and delivering far better security. That in turn will make compliance easier, especially if the same approach to Zero Trust is executed consistently across the global enterprise environment.
Realistically, though, let’s not minimize that Zero Trust is going to require big changes in how applications and systems are scoped, architected, built, operated and maintained. This includes on-prem, legacy apps and homegrown apps (including those inherited from a myriad of acquisitions over the life of the enterprise). For some enterprises, it delivers a nice bonus in the form of reduced licensing fees, as redundant apps are discovered and eliminated.
Zero Trust will also likely force new strategies for how data is handled by mobile devices, IoT and IIoT, as well as data exchanged with partners and customers globally.
2—Identify and leverage existing Zero Trust capabilities
Consider some good news. There are almost certainly some Zero Trust capabilities already baked into the security and IT infrastructure of most enterprises. The trick is identifying these existing security capabilities that Zero Trust requires and making sure they are accounted for and added to your planned Zero Trust deployment.
Zero Trust doesn’t typically require a complete change of security controls, given that you may already have some of the key elements in place. For example, many modern cloud environments, such as Microsoft Azure, were built with Zero Trust in mind. But it will almost certainly need a rebalancing of security controls. Identity/IAM, for instance, typically takes on a vastly larger importance with a Zero Trust approach. Tasks/responsibilities may have to be rebalanced between Security and IT.
Although a gap assessment is common in these situations, a better approach might be to conduct a reverse gap assessment, meaning that the CISO’s team will identify all existing Zero Trust functionalities.
3—Stop “lift and shift” of legacy applications and servers into the cloud
Enterprises have for decades been shifting more to the cloud every year, a pattern that sharply accelerated with the onset of COVID around March 2020. For many companies, a serious move to Zero Trust could accelerate that shift even more.
Fact: cloud environments are almost always very different from an enterprise’s on-prem environment, which means the wholesale movement of apps from the traditional data center to a cloud environment, without a review to see if they can or should be rearchitected to be more “cloud native,” can delay or stymie Zero Trust implementation. Taking data center server images and simply moving them to the cloud, sometimes called “lift-and-shift,” misses an opportunity to take advantage of the inherent security controls integrated into the major cloud platforms. This is particularly problematic for legacy apps and homegrown apps, as they were never designed to exist in a different environment.
If possible, take the time to review systems and determine if they can be reconfigured to take advantage of cloud-native security architecture and security controls. Zero Trust may also require a redesign of the authentication mechanism for existing applications. By simply moving traditional servers to the cloud seeking cost savings, you may be losing out on an opportunity to redesign, reevaluate and perhaps rearchitect for a Zero Trust environment.
4—Evaluate interconnectivity of tools, instead of individual functionality
This is a key area and it’s an excellent example of how existing security control design needs to be explored in a Zero Trust environment. Individual point solutions that operate independent of one another are usually no longer sufficient. Authentication controls and processes, for example, need to take advantage of device information, anti-malware information, and so on. Authentication may be allowed only in conjunction with this data, and correspondingly may be revoked or limited based on data from these security controls after authentication has originally been granted.
The new goal is to allow the secure and effortless flow of all data (we should emphasize effortless, as in a lack of friction) across all devices and data assets and between all users, partners, consultants and customers. In short, the strategy needs to protect, track, analyze, store and watch every dataflow from and to anyone or anything with access privileges.
The ability for all security tools to communicate with each other becomes essential, as opposed to today, when it’s often considered a nice-to-have. Identity and Access Management (IdAM) may need to communicate with SASE, and so on. The interconnectivity of tools now needs to become a top-level buying criterion.
If you don’t want security tools that lack awareness of one another, communication between them all has to be a priority; otherwise, that lack of communication will produce a rash of false negatives and false positives.
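As an added illustration, not from the original article, of the interconnected controls described in this section and the continuous authentication mentioned in section 1: a small Python policy decision point that combines identity, device-posture and anti-malware signals to decide on an access request, then recomputes the decision when a tool pushes a changed signal mid-session. The application names, signal fields and thresholds are constructed assumptions, not any vendor's policy model.

```python
from dataclasses import dataclass, field

@dataclass
class Signals:
    """Context gathered from several tools at decision time (constructed fields)."""
    mfa_method: str       # "fido2", "totp" or "password"
    device_managed: bool  # device enrolled in management
    edr_healthy: bool     # endpoint agent reporting, no open alerts
    malware_alert: bool   # anti-malware tool raised an alert on this device
    new_location: bool    # behavioral/location analytics flagged an unusual location

# Assumed application sensitivity levels; unknown apps are treated as most sensitive.
SENSITIVITY = {"wiki": 1, "hr-portal": 2, "prod-admin": 3}

def decide(app: str, s: Signals) -> str:
    """Return 'allow', 'step-up', 'limit' or 'deny' for one access request.
    Authentication is granted only in conjunction with device and anti-malware data."""
    if s.malware_alert or not s.edr_healthy:
        return "deny"                      # endpoint signals override identity
    level = SENSITIVITY.get(app, 3)
    if level >= 3 and not (s.device_managed and s.mfa_method == "fido2"):
        return "deny"                      # most sensitive: managed device + phishing-resistant MFA
    if s.new_location and s.mfa_method != "fido2":
        return "step-up"                   # anomaly: require stronger re-authentication
    if level >= 2 and not s.device_managed:
        return "limit"                     # e.g. read-only, no downloads
    return "allow"

@dataclass
class Session:
    app: str
    signals: Signals
    state: str = field(init=False)

    def __post_init__(self):
        self.state = decide(self.app, self.signals)

def reevaluate(session: Session, **changed) -> str:
    """Continuous evaluation: a tool pushes a changed signal after authentication
    was granted, and the session is revoked or limited based on the new decision."""
    for name, value in changed.items():
        setattr(session.signals, name, value)
    session.state = decide(session.app, session.signals)
    return session.state
```

Because every tool's signal feeds the same decision function, a later anti-malware alert changes an already-granted session to "deny" instead of being ignored by a stand-alone authentication control.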
5—Don’t try to buy your way to Zero Trust
There are plenty of vendors that are more than willing to sell all manner of products with the implicit or (sometimes) explicit promise that these purchases will automagically deliver a Zero Trust environment. Sadly, as we all know, it’s simply not that easy.
Buying tools as an initial action without a review of existing controls, infrastructure and needs, and without a coherent plan, is almost guaranteed to fail, and usually results in shelf-ware and lost time. Focus on and fully understand how IdAM is currently used, understand how IdAM is used in a Zero Trust environment, and use that as a starting point.
Start by understanding what you already have and move to leverage those resources. Finally, figure out what you don’t have, and what is truly needed. Evaluate various cloud vendors and figure out what they have. Conduct a reverse gap assessment and figure out what’s still missing. Then, and only then, are you ready to talk with those vendors.
Embracing a true Zero Trust approach is going to deliver a much more secure and efficient enterprise landscape. But it won’t happen until the proper preparations are made. The benefits that lie ahead are more than worth the effort.
To learn more about NTT Ltd.’s security capabilities, please visit us here.