Zero trust security – an enterprise cybersecurity model in which no people or devices are trusted by default - has been discussed for many years. It’s more than a technological shift, but a cultural shift across the organisation as well. Recent high-profile cybersecurity events in which “trusted” sources have caused problems, such as the SolarWinds breach, have brought zero trust to the forefront and many enterprises are studying how they can move from discussing it, to actually implementing it.
Cybercrime Magazine recently conducted a podcast with two Deloitte Cyber leaders: Andrew Rafla, Zero Trust Leader for the U.S. Cyber Practice, and Richard Price, Zero Trust Leader for the North and South Europe Cyber Practice and Director in the U.K. Here’s what they had to say about making the journey to zero trust:
Q: Let’s start with the basics: what is zero trust?
Andrew Rafla: At the most basic level, zero trust is a conceptual framework for securing the ubiquitous nature of modern enterprise IT environments. There is no network perimeter anymore, where you could set up defences around the company to keep the bad guys out. Instead, modern business processes and digital transformation have created very complex IT ecosystems. So the perimeter-based model where you distrust anyone outside the perimeter and trust everyone inside the perimeter no longer applies – because there is no perimeter. The zero trust model takes a risk-based approach to enforce “least privileged access” over systems and applications. In other words, nobody is implicitly trusted and people are only given the access they need, and no more.
Richard Price: And, what this means at the business level is zero trust is more dynamic in response to modern cyber risk than the old perimeter methods are. This, in turn, enables cybersecurity organisations to be more responsive to the business.
Q: How is zero trust implemented?
Andrew Rafla: From a technical perspective, the zero trust model is built on five foundational capabilities: identities, workloads, data, networks and devices. In our zero trust framework, we also represent telemetry, analytics, orchestration and automation as horizontal technologies that cut across these foundational capabilities.
Richard Price: And beyond the technical architecture, we also have to look at the “softer” side of implementing zero trust, which includes the four domains of organisational change:
Culture and organisation: What changes will zero trust drive over time?
All of these capabilities impact people across the organisation. This is why when we think about zero trust, we need to marry the technical side with the softer side.
Q: What’s fuelling the interest in zero trust?
Richard Price: It’s the need for business agility, which is driving the digital transformation trend. Everything is connecting to everything, and we’re seeing a huge increase in connectivity and collaboration. The zero trust model can readily support this transformation to digital business while also reducing costs - especially when it comes to regulatory compliance and mergers and acquisitions, where there is typically an enormous amount of integration work after the deal is done. These are some of the key reasons why there is so much interest.
Andrew Rafla: We’ve seen some interesting use cases for zero trust. One is the desire of organisations to expand into high-risk geographies. They want ways to segment different parts of the business so they can hit a “kill switch” if there’s a security breach, to prevent threat actors from moving laterally into other parts of the network.
Another key use case has been driven by the pandemic: the remote workforce. Most organisations had to move to remote overnight, so how do you provide connectivity to all of your users in a secure way? When you implement zero trust, you move away from the legacy VPNs and other network-centric models, to a point-to-point security model. This enables companies to move to a remote workforce without introducing unacceptable security risk.
Q: Why is zero trust exciting for cybersecurity organisations?
Richard Price: For a long time, cyber has been the department of “no.” Zero trust finally enables cyber to move away from saying “you can’t do that,” to truly enabling the business with “we can do that and we can do it securely.” This makes cyber integral to how businesses work – which is an exciting proposition.
Q: How can companies get started with zero trust?
Andrew Rafla: The first thing is to avoid “paralysis by analysis.” A lot of organisations don’t really know what zero trust means and assume it’s going to be some gigantic rip-and-replace undertaking. This is not the case – and we advise clients to first look at their environments so they can understand what it is they need to protect, look at their cyber capabilities and see where the gaps are and then address those gaps. Also, there’s often an assumption that with zero trust, you should start by focussing on the “crown jewels” of the enterprise – your most sensitive and valuable assets. But we recommend that you start with low-risk applications and user bases and then you can apply the lessons learned as you move up to higher-risk assets and users. Any transformation can cause disruption and you don’t want to start your zero trust journey by potentially disrupting critical business processes.
Richard Price: Right – you can’t just go out and buy “zero trust” and deploy it. It’s a methodology with benefits that accrue across the organisation, so it’s important to get the support of the whole organisation for the transformation. To do this, you need a clear roadmap showing the business benefits, so you can get buy-in. You also need to think about the cyber organisation – we’ve all spent 35 years building perimeters and defending them. Now we’re telling people “it’s all going to change,” and that can be frightening. So it’s important to communicate to people on the cyber team how the transition to zero trust will change roles, training and so on.
Andrew Rafla: We keep coming back to this point but it’s really true: zero trust is not a technology project. It’s an organisational culture shift and needs to be managed that way. This means clearly communicating across the business why this shift needs to happen, how people will be impacted and what the experience will look like over the course of the transformation.