Loading...
trust, always verify
porous perimeter
trust, always verify
porous perimeter
- Data discovery and classification. Data governance, inventory, classification, and tagging are critical. To create the appropriate trust zones and access controls, organizations need to understand their data, the criticality of that data, where it resides, how it is classified and tagged, and the people and applications that should have access to it.
- Asset discovery and attack-surface management. Many organizations lack a real-time, updated inventory of all IT resources—including cloud resources, IP addresses, subdomains, application mapping, code repositories, social media accounts, and other external or internet-facing assets—and therefore can’t identify security issues across the complete attack surface. To facilitate risk-based policy decisions surrounding their assets, it’s critical for organizations to understand the enterprise IT environment.
- Configuration and patch management. Without the ability to efficiently manage and document baseline configurations of key technology systems, deploy appropriate patches, test patched systems, and document new configurations, companies cannot easily identify changes and control risks to these systems. Malicious actors can exploit any vulnerabilities to gain a foothold within an organization.
- Identity and access management. To ensure that access to technology resources is granted to the proper people, devices, and other assets, enterprises need to standardize and automate their identity life cycle management processes. They can extend their operations beyond traditional boundaries while protecting critical resources and maintaining an efficient user experience by moving the identity stack to the cloud, consuming identity-as-a-service, or implementing such advanced authentication methods as physical biometrics, behavioral monitoring, and conditional access.
- Third-party risk management. To fully understand their entire risk surface, organizations need greater visibility into cyber risks related to their supply chains and ecosystem partners, including suppliers to third-party vendors.
- Logging and monitoring. To identify potentially malicious incidents and issues, security teams need automated logging and monitoring systems with advanced AI and machine learning capabilities to help simplify the process of tracking, analyzing, and correlating data from volumes of detailed logs as well as alerts generated by internal and external systems, security controls, networks, and processes.
Lessons from the front lines
Read insights from thought leaders and success stories from leading organizations.
Zero trust mindset enables digital growth
Like many global pharmaceutical companies, Takeda Pharmaceuticals supports better patient outcomes by innovating and collaborating across a diverse group of internal and external stakeholders—including, in its case, more than 52,000 employees and thousands of research partners, logistics partners, and other third-party service providers as well as patients, physicians, and other health care providers.Zero trust mindset enables digital growth
Like many global pharmaceutical companies, Takeda Pharmaceuticals supports better patient outcomes by innovating and collaborating across a diverse group of internal and external stakeholders—including, in its case, more than 52,000 employees and thousands
of research partners, logistics partners, and other third-party service providers as well as patients, physicians, and other health care providers. The ongoing need to extend access to applications and systems
to its broad external ecosystem spurred the Tokyo-based pharmaceutical giant to begin a journey toward a zero trust-based security architecture.
“We
realized that the demarcation between internal and external was no longer relevant or scalable,” says chief information security officer (CISO) Mike Towers. “The zero trust mindset—assuming that every request
to connect is coming from an unknown access device on the internet that can’t be predicted or controlled—is a much better way to move forward.”5
Previously, access to an internal application would require granting access to the Takeda network, which inherently enabled access to a number of additional, unrelated services. “We could have tried to manually
manage and restrict this additional system access, but, invariably, things will be missed over time,” says Scott Sheahen, global head of information risk management. “With the zero trust approach, we eliminate
superfluous system access and thereby reduce the avenues that could be exploited in a future cyberattack. Now we have granular, policy-based controls so that people have access only to needed resources.”
This approach provides users with a more efficient way of navigating Takeda’s complex technology environment—a mix of cloud-based applications and services and legacy systems residing on internal servers
and in data centers—and eliminates the difficulty of accessing systems via multiple firewalls and VPNs. The transition to zero trust, well underway before COVID-19 struck, helped the company securely manage
the sudden shift of its global workforce to a work-from-home model. “Our China workforce, the first affected by the pandemic, had less experience and comfort with work-from-home, so it was really important
for us to get it right,” Towers says. “By having shifted to zero trust-based access, we were able to aggressively and quickly move China to the work-from-home model.”
Setting clear expectations with
business partners is critical during the transition, says Thomas Likas, global head of security architecture and engineering. He recommends that security and IT organizations planning a zero trust migration
engage with business partners from the beginning of the journey. “The business—not IT—has the best understanding of how people access and use their applications,” he says. “In the zero trust world, the business
will need to determine who should have access to their systems and data.”
Indeed, Likas continues, “this knowledge needs to be baked into the access model from the very beginning. To business partners,
this might seem like a lot of work, but as a bonus, the organization gets a solid understanding of their application landscape.”
Towers believes that once leaders understand the numerous benefits,
most companies will inevitably adopt the zero trust mindset. “Frankly,” he says, “I don't think that businesses can digitally or technologically scale in any other way.”
Zero trust secures the “new perimeter”
A zero trust approach is helping Halliburton, a global provider of products and services to the energy industry, meet its strategic business goals and objectives.Zero trust secures the “new perimeter”
A zero trust approach is helping Halliburton, a global provider of products and services to the energy industry, meet its strategic business goals and objectives. Several years ago, as part of a drive to be more operationally efficient, the company began
adopting cloud, mobile, and Industrial Internet of Things platforms to reduce costs and improve productivity. At the same time, Halliburton’s vendors and suppliers began pushing their products and services
to the cloud. “With the dispersion of our computing resources from the data center to the internet, we realized that our traditional network perimeters were dissolving,” says Mary Rose Martinez, CISO and
senior director for IT architecture.6 “This impelled us to develop a zero trust
strategy.”
Halliburton’s zero trust approach revolves around securing people, network connections, and data. “We are moving toward a reality where it doesn’t really matter if employees are on the network or
not,” Martinez says. “The new perimeter is identity, whether user identity, endpoint device identity, or service identity.”
When Halliburton began its zero trust journey about two years ago, it focused
first on securing mobile devices through multifactor authentication—using identity credentials, an authenticator, and registered devices. Soon after, the company migrated to cloud-based identity providers
to further secure its people. Over time, the number of applications accessible without using a VPN continues to grow. A longtime adopter of the principle of least privilege, data encryption, and other data
controls, the company is also working to enhance the classification and protection of unstructured data.
The more granular security controls that are part of Halliburton’s zero trust approach have
created a more disciplined security posture. Because it controls user devices and endpoints, the company can push policies to any device via the internet. And because VPN access isn’t required for the zero
trust-enabled applications, employees have a considerably improved user experience.
Martinez is quick to emphasize that zero trust is not only a technology initiative—it is also a people initiative.
For example, whether Halliburton employees are on the company network or the internet, in the office or at home, they receive a verification prompt before accessing applications protected by multifactor
authentication. This workflow change required education and awareness. And it is incumbent on users to guard their credentials and devices. “Raising security awareness has to be part and parcel of the zero
trust approach,” Martinez says. “An ongoing education program that includes increasingly sophisticated phishing simulations can help people become more aware.”
Halliburton’s adoption of zero trust
is an ongoing journey, with many components that are constantly moving and changing shape. “Because of the fluid nature of technological advancements, the end state will probably always be a moving target,”
Martinez says. “But we’ve laid a foundation that’s both solid and adaptable, and upon which we can continue to build over time.”
Lessons from the front lines
Read insights from thought leaders and success stories from leading organizations.
Zero trust mindset enables digital growth
Like many global pharmaceutical companies, Takeda Pharmaceuticals supports better patient outcomes by innovating and collaborating across a diverse group of internal and external stakeholders—including, in its case, more than 52,000 employees and thousands of research partners, logistics partners, and other third-party service providers as well as patients, physicians, and other health care providers.Zero trust mindset enables digital growth
Like many global pharmaceutical companies, Takeda Pharmaceuticals supports better patient outcomes by innovating and collaborating across a diverse group of internal and external stakeholders—including, in its case, more than 52,000 employees and thousands
of research partners, logistics partners, and other third-party service providers as well as patients, physicians, and other health care providers. The ongoing need to extend access to applications and systems
to its broad external ecosystem spurred the Tokyo-based pharmaceutical giant to begin a journey toward a zero trust-based security architecture.
“We
realized that the demarcation between internal and external was no longer relevant or scalable,” says chief information security officer (CISO) Mike Towers. “The zero trust mindset—assuming that every request
to connect is coming from an unknown access device on the internet that can’t be predicted or controlled—is a much better way to move forward.”5
Previously, access to an internal application would require granting access to the Takeda network, which inherently enabled access to a number of additional, unrelated services. “We could have tried to manually
manage and restrict this additional system access, but, invariably, things will be missed over time,” says Scott Sheahen, global head of information risk management. “With the zero trust approach, we eliminate
superfluous system access and thereby reduce the avenues that could be exploited in a future cyberattack. Now we have granular, policy-based controls so that people have access only to needed resources.”
This approach provides users with a more efficient way of navigating Takeda’s complex technology environment—a mix of cloud-based applications and services and legacy systems residing on internal servers
and in data centers—and eliminates the difficulty of accessing systems via multiple firewalls and VPNs. The transition to zero trust, well underway before COVID-19 struck, helped the company securely manage
the sudden shift of its global workforce to a work-from-home model. “Our China workforce, the first affected by the pandemic, had less experience and comfort with work-from-home, so it was really important
for us to get it right,” Towers says. “By having shifted to zero trust-based access, we were able to aggressively and quickly move China to the work-from-home model.”
Setting clear expectations with
business partners is critical during the transition, says Thomas Likas, global head of security architecture and engineering. He recommends that security and IT organizations planning a zero trust migration
engage with business partners from the beginning of the journey. “The business—not IT—has the best understanding of how people access and use their applications,” he says. “In the zero trust world, the business
will need to determine who should have access to their systems and data.”
Indeed, Likas continues, “this knowledge needs to be baked into the access model from the very beginning. To business partners,
this might seem like a lot of work, but as a bonus, the organization gets a solid understanding of their application landscape.”
Towers believes that once leaders understand the numerous benefits,
most companies will inevitably adopt the zero trust mindset. “Frankly,” he says, “I don't think that businesses can digitally or technologically scale in any other way.”
Zero trust secures the “new perimeter”
A zero trust approach is helping Halliburton, a global provider of products and services to the energy industry, meet its strategic business goals and objectives.Zero trust secures the “new perimeter”
A zero trust approach is helping Halliburton, a global provider of products and services to the energy industry, meet its strategic business goals and objectives. Several years ago, as part of a drive to be more operationally efficient, the company began
adopting cloud, mobile, and Industrial Internet of Things platforms to reduce costs and improve productivity. At the same time, Halliburton’s vendors and suppliers began pushing their products and services
to the cloud. “With the dispersion of our computing resources from the data center to the internet, we realized that our traditional network perimeters were dissolving,” says Mary Rose Martinez, CISO and
senior director for IT architecture.6 “This impelled us to develop a zero trust
strategy.”
Halliburton’s zero trust approach revolves around securing people, network connections, and data. “We are moving toward a reality where it doesn’t really matter if employees are on the network or
not,” Martinez says. “The new perimeter is identity, whether user identity, endpoint device identity, or service identity.”
When Halliburton began its zero trust journey about two years ago, it focused
first on securing mobile devices through multifactor authentication—using identity credentials, an authenticator, and registered devices. Soon after, the company migrated to cloud-based identity providers
to further secure its people. Over time, the number of applications accessible without using a VPN continues to grow. A longtime adopter of the principle of least privilege, data encryption, and other data
controls, the company is also working to enhance the classification and protection of unstructured data.
The more granular security controls that are part of Halliburton’s zero trust approach have
created a more disciplined security posture. Because it controls user devices and endpoints, the company can push policies to any device via the internet. And because VPN access isn’t required for the zero
trust-enabled applications, employees have a considerably improved user experience.
Martinez is quick to emphasize that zero trust is not only a technology initiative—it is also a people initiative.
For example, whether Halliburton employees are on the company network or the internet, in the office or at home, they receive a verification prompt before accessing applications protected by multifactor
authentication. This workflow change required education and awareness. And it is incumbent on users to guard their credentials and devices. “Raising security awareness has to be part and parcel of the zero
trust approach,” Martinez says. “An ongoing education program that includes increasingly sophisticated phishing simulations can help people become more aware.”
Halliburton’s adoption of zero trust
is an ongoing journey, with many components that are constantly moving and changing shape. “Because of the fluid nature of technological advancements, the end state will probably always be a moving target,”
Martinez says. “But we’ve laid a foundation that’s both solid and adaptable, and upon which we can continue to build over time.”
Learn more
Download the trend to explore more insights, including the “Executive perspectives” where we illuminate the strategy, finance, and risk implications of each trend, and find thought-provoking “Are you ready?” questions to navigate the future boldly. And check out these links for related content on this trend:
- Cyber risk collection: Explore the latest insights on managing cyber risk and bolstering security against attacks.
- States at risk: The cybersecurity imperative in uncertain times: Read a joint cybersecurity report with the National Association of State Chief Information Officers.
- Resilient podcast series: Tune into an award-winning podcast series that features leaders tackling risk, crisis, and disruption.
Next Trend:
Senior contributor
Wil Rockall
Endnotes