Loading...
Lessons from the front lines
Read insights from thought leaders and success stories from leading organizations.
Zero trust mindset enables digital growth
Like many global pharmaceutical companies, Takeda Pharmaceuticals supports better patient outcomes by innovating and collaborating across a diverse group of internal and external stakeholders—including, in its case, more than 52,000 employees and thousands of research partners, logistics partners, and other third-party service providers as well as patients, physicians, and other health care providers.Zero trust mindset enables digital growth
Like many global pharmaceutical companies, Takeda Pharmaceuticals supports better patient outcomes by innovating and collaborating across a diverse group of internal and external stakeholders—including, in its case, more than 52,000 employees and thousands
of research partners, logistics partners, and other third-party service providers as well as patients, physicians, and other health care providers. The ongoing need to extend access to applications and systems
to its broad external ecosystem spurred the Tokyo-based pharmaceutical giant to begin a journey toward a zero trust-based security architecture.
“We
realized that the demarcation between internal and external was no longer relevant or scalable,” says chief information security officer (CISO) Mike Towers. “The zero trust mindset—assuming that every request
to connect is coming from an unknown access device on the internet that can’t be predicted or controlled—is a much better way to move forward.”5
Previously, access to an internal application would require granting access to the Takeda network, which inherently enabled access to a number of additional, unrelated services. “We could have tried to manually
manage and restrict this additional system access, but, invariably, things will be missed over time,” says Scott Sheahen, global head of information risk management. “With the zero trust approach, we eliminate
superfluous system access and thereby reduce the avenues that could be exploited in a future cyberattack. Now we have granular, policy-based controls so that people have access only to needed resources.”
This approach provides users with a more efficient way of navigating Takeda’s complex technology environment—a mix of cloud-based applications and services and legacy systems residing on internal servers
and in data centers—and eliminates the difficulty of accessing systems via multiple firewalls and VPNs. The transition to zero trust, well underway before COVID-19 struck, helped the company securely manage
the sudden shift of its global workforce to a work-from-home model. “Our China workforce, the first affected by the pandemic, had less experience and comfort with work-from-home, so it was really important
for us to get it right,” Towers says. “By having shifted to zero trust-based access, we were able to aggressively and quickly move China to the work-from-home model.”
Setting clear expectations with
business partners is critical during the transition, says Thomas Likas, global head of security architecture and engineering. He recommends that security and IT organizations planning a zero trust migration
engage with business partners from the beginning of the journey. “The business—not IT—has the best understanding of how people access and use their applications,” he says. “In the zero trust world, the business
will need to determine who should have access to their systems and data.”
Indeed, Likas continues, “this knowledge needs to be baked into the access model from the very beginning. To business partners,
this might seem like a lot of work, but as a bonus, the organization gets a solid understanding of their application landscape.”
Towers believes that once leaders understand the numerous benefits,
most companies will inevitably adopt the zero trust mindset. “Frankly,” he says, “I don't think that businesses can digitally or technologically scale in any other way.”
Zero trust secures the “new perimeter”
A zero trust approach is helping Halliburton, a global provider of products and services to the energy industry, meet its strategic business goals and objectives.Zero trust secures the “new perimeter”
A zero trust approach is helping Halliburton, a global provider of products and services to the energy industry, meet its strategic business goals and objectives. Several years ago, as part of a drive to be more operationally efficient, the company began
adopting cloud, mobile, and Industrial Internet of Things platforms to reduce costs and improve productivity. At the same time, Halliburton’s vendors and suppliers began pushing their products and services
to the cloud. “With the dispersion of our computing resources from the data center to the internet, we realized that our traditional network perimeters were dissolving,” says Mary Rose Martinez, CISO and
senior director for IT architecture.6 “This impelled us to develop a zero trust
strategy.”
Halliburton’s zero trust approach revolves around securing people, network connections, and data. “We are moving toward a reality where it doesn’t really matter if employees are on the network or
not,” Martinez says. “The new perimeter is identity, whether user identity, endpoint device identity, or service identity.”
When Halliburton began its zero trust journey about two years ago, it focused
first on securing mobile devices through multifactor authentication—using identity credentials, an authenticator, and registered devices. Soon after, the company migrated to cloud-based identity providers
to further secure its people. Over time, the number of applications accessible without using a VPN continues to grow. A longtime adopter of the principle of least privilege, data encryption, and other data
controls, the company is also working to enhance the classification and protection of unstructured data.
The more granular security controls that are part of Halliburton’s zero trust approach have
created a more disciplined security posture. Because it controls user devices and endpoints, the company can push policies to any device via the internet. And because VPN access isn’t required for the zero
trust-enabled applications, employees have a considerably improved user experience.
Martinez is quick to emphasize that zero trust is not only a technology initiative—it is also a people initiative.
For example, whether Halliburton employees are on the company network or the internet, in the office or at home, they receive a verification prompt before accessing applications protected by multifactor
authentication. This workflow change required education and awareness. And it is incumbent on users to guard their credentials and devices. “Raising security awareness has to be part and parcel of the zero
trust approach,” Martinez says. “An ongoing education program that includes increasingly sophisticated phishing simulations can help people become more aware.”
Halliburton’s adoption of zero trust
is an ongoing journey, with many components that are constantly moving and changing shape. “Because of the fluid nature of technological advancements, the end state will probably always be a moving target,”
Martinez says. “But we’ve laid a foundation that’s both solid and adaptable, and upon which we can continue to build over time.”
Lessons from the front lines
Read insights from thought leaders and success stories from leading organizations.
Zero trust mindset enables digital growth
Like many global pharmaceutical companies, Takeda Pharmaceuticals supports better patient outcomes by innovating and collaborating across a diverse group of internal and external stakeholders—including, in its case, more than 52,000 employees and thousands of research partners, logistics partners, and other third-party service providers as well as patients, physicians, and other health care providers.Zero trust mindset enables digital growth
Like many global pharmaceutical companies, Takeda Pharmaceuticals supports better patient outcomes by innovating and collaborating across a diverse group of internal and external stakeholders—including, in its case, more than 52,000 employees and thousands
of research partners, logistics partners, and other third-party service providers as well as patients, physicians, and other health care providers. The ongoing need to extend access to applications and systems
to its broad external ecosystem spurred the Tokyo-based pharmaceutical giant to begin a journey toward a zero trust-based security architecture.
“We
realized that the demarcation between internal and external was no longer relevant or scalable,” says chief information security officer (CISO) Mike Towers. “The zero trust mindset—assuming that every request
to connect is coming from an unknown access device on the internet that can’t be predicted or controlled—is a much better way to move forward.”5
Previously, access to an internal application would require granting access to the Takeda network, which inherently enabled access to a number of additional, unrelated services. “We could have tried to manually
manage and restrict this additional system access, but, invariably, things will be missed over time,” says Scott Sheahen, global head of information risk management. “With the zero trust approach, we eliminate
superfluous system access and thereby reduce the avenues that could be exploited in a future cyberattack. Now we have granular, policy-based controls so that people have access only to needed resources.”
This approach provides users with a more efficient way of navigating Takeda’s complex technology environment—a mix of cloud-based applications and services and legacy systems residing on internal servers
and in data centers—and eliminates the difficulty of accessing systems via multiple firewalls and VPNs. The transition to zero trust, well underway before COVID-19 struck, helped the company securely manage
the sudden shift of its global workforce to a work-from-home model. “Our China workforce, the first affected by the pandemic, had less experience and comfort with work-from-home, so it was really important
for us to get it right,” Towers says. “By having shifted to zero trust-based access, we were able to aggressively and quickly move China to the work-from-home model.”
Setting clear expectations with
business partners is critical during the transition, says Thomas Likas, global head of security architecture and engineering. He recommends that security and IT organizations planning a zero trust migration
engage with business partners from the beginning of the journey. “The business—not IT—has the best understanding of how people access and use their applications,” he says. “In the zero trust world, the business
will need to determine who should have access to their systems and data.”
Indeed, Likas continues, “this knowledge needs to be baked into the access model from the very beginning. To business partners,
this might seem like a lot of work, but as a bonus, the organization gets a solid understanding of their application landscape.”
Towers believes that once leaders understand the numerous benefits,
most companies will inevitably adopt the zero trust mindset. “Frankly,” he says, “I don't think that businesses can digitally or technologically scale in any other way.”
Zero trust secures the “new perimeter”
A zero trust approach is helping Halliburton, a global provider of products and services to the energy industry, meet its strategic business goals and objectives.Zero trust secures the “new perimeter”
A zero trust approach is helping Halliburton, a global provider of products and services to the energy industry, meet its strategic business goals and objectives. Several years ago, as part of a drive to be more operationally efficient, the company began
adopting cloud, mobile, and Industrial Internet of Things platforms to reduce costs and improve productivity. At the same time, Halliburton’s vendors and suppliers began pushing their products and services
to the cloud. “With the dispersion of our computing resources from the data center to the internet, we realized that our traditional network perimeters were dissolving,” says Mary Rose Martinez, CISO and
senior director for IT architecture.6 “This impelled us to develop a zero trust
strategy.”
Halliburton’s zero trust approach revolves around securing people, network connections, and data. “We are moving toward a reality where it doesn’t really matter if employees are on the network or
not,” Martinez says. “The new perimeter is identity, whether user identity, endpoint device identity, or service identity.”
When Halliburton began its zero trust journey about two years ago, it focused
first on securing mobile devices through multifactor authentication—using identity credentials, an authenticator, and registered devices. Soon after, the company migrated to cloud-based identity providers
to further secure its people. Over time, the number of applications accessible without using a VPN continues to grow. A longtime adopter of the principle of least privilege, data encryption, and other data
controls, the company is also working to enhance the classification and protection of unstructured data.
The more granular security controls that are part of Halliburton’s zero trust approach have
created a more disciplined security posture. Because it controls user devices and endpoints, the company can push policies to any device via the internet. And because VPN access isn’t required for the zero
trust-enabled applications, employees have a considerably improved user experience.
Martinez is quick to emphasize that zero trust is not only a technology initiative—it is also a people initiative.
For example, whether Halliburton employees are on the company network or the internet, in the office or at home, they receive a verification prompt before accessing applications protected by multifactor
authentication. This workflow change required education and awareness. And it is incumbent on users to guard their credentials and devices. “Raising security awareness has to be part and parcel of the zero
trust approach,” Martinez says. “An ongoing education program that includes increasingly sophisticated phishing simulations can help people become more aware.”
Halliburton’s adoption of zero trust
is an ongoing journey, with many components that are constantly moving and changing shape. “Because of the fluid nature of technological advancements, the end state will probably always be a moving target,”
Martinez says. “But we’ve laid a foundation that’s both solid and adaptable, and upon which we can continue to build over time.”
Learn more
Download the trend to explore more insights, including the “Executive perspectives” where we illuminate the strategy, finance, and risk implications of each trend, and find thought-provoking “Are you ready?” questions to navigate the future boldly. And check out these links for related content on this trend:
Next Trend:
Senior contributor
Wil Rockall
Endnotes