By Jerry Hoff
For many security professionals, the idea of Zero Trust can be quite daunting. It assumes that everything – every asset, device, data flow and user – could be fraudulent, potentially marking the beginning of an attack, until enough evidence to the contrary is offered. Even then, authentication or privileges can be automatically revoked as new data is continually collected. It starts with a relentless position on authentication and access control, which is what security professionals have long advocated for.
From a purely defensive position, this approach is correct. But for a multinational enterprise, this tactic can be difficult to implement across every business unit and every system, especially as assets cross geographical and vertical boundaries. This requires CISOs to adopt a pragmatic leadership style, one that allows for alternative approaches where necessary.
As we know, insisting that a line-of-business executive implement something that they view as interfering with company revenue is often a losing argument. Hence, CISOs must often compromise. And in an enterprise security initiative, compromise sometimes means implementing compensating controls as opposed to the originally envisioned primary security controls.
For Zero Trust to be implemented smoothly, it must be coordinated among many groups within the enterprise, including, for example, recently acquired companies, which may have entirely different IT and security infrastructures and landscapes. Ideally, security should be executed identically across an enterprise, but realistically, the final result is a product of evaluation and negotiation for each non-standard situation. This is where the “more of an art than science” and business-oriented side of security is key.
Given the large number of enterprise security operations that will attempt to start a Zero Trust program in 2022, this is not an academic issue. For many organizations, step one in this process is creating a formal Zero Trust working group.
A Zero Trust working group
One challenge with creating a Zero Trust working group is prioritization. On the one hand, you want to be sure to include from the start everyone who will play any kind of role in that group, which can be a lot of people, even if some are there solely in observer mode. On the other hand, too many people in that working group could simply make it too difficult for everyone to have their say. Murphy’s Law is very much at play here: the representatives who choose not to say much because the group is too large will invariably be the people you most need and want to hear from.
Unfortunately, there is no objective ideal number of participants, because enterprises are varied and have such different needs. For starters, seek to engage corporate planning, legal, privacy, CIOs, CISOs, global CFOs, and perhaps HR and compliance teams. The tricky part is determining how to engage as many business unit executives as needed. Additionally – and potentially more viably – designate someone on the call to take detailed notes and ensure those notes get to every business unit leader. Maybe even have someone personally follow up with each of those business unit chiefs to make sure that they have read and understood the decisions and their implications for their departments and existing processes.
To state the obvious, it’s a lot easier for all if Zero Trust obstacles are identified as early in the process as possible, rather than only discovering those hiccups as the program is rolling out.
Zero Trust is more complex than it appears
It’s important not to gloss over the complexity of Zero Trust. Yes, it will improve security by orders of magnitude, clean up privilege issues (especially by removing lingering privileges that are no longer needed by individuals who have changed roles) and create a far better platform for future changes. But doing so will require changing many processes and potentially overhauling how access is administered. Your users and their managers must fully understand the differences and expectations within the new environment.
It is at this phase that blocking issues will be discovered. If there is an issue, multiple teams must figure out an acceptable secondary process. The process and compensating control have to satisfy both the CISO’s office for security and the LOB’s team for operations.
For example, special environments can cause security to rethink a set of global requirements. A manufacturing environment may include many specialized machines that run Windows yet cannot be patched, or that will not allow the installation of any third-party software, including security agents. In this case, compensating controls can be selected and approved through discussion and agreement between security and the business side.
It is only through collaboration, negotiation, and compensating controls that an organization can achieve its ultimate vision. Security begins with extensive communication by all parties. Though security professionals are sometimes labeled as the “department of no,” a collaborative attitude is invaluable in order to achieve the goal of Zero Trust.
To learn more about NTT’s Security solutions, please visit us here.