Zero Trust: a mindset change needed to secure the next digital decade

data securitylock picture id1204583789
iStock

The rapid acceleration of digital transformation and remote working over the past 18 months, together with an increased reliance on cloud platforms have made traditional boundaries of corporate networks disappear.

rana gupta thales Thales Group

Rana Gupta, APAC Regional VP, Authentication & Encryption, Thales

Businesses no longer have sole control over a closed network; instead digital identities have become the new perimeter.

This new reality presents amazing opportunities, but also greater security challenges.

As shown by Thales’ most recent Access Management Index report, a staggering 82% of Australian organisations are concerned about the security risks of employees working remotely. Almost a quarter (23%) are not confident that their current access security solutions can effectively enable employees to work remotely in a secure and easy manner.

Legacy security policies and practices based on trust and traditional access technologies like VPN have been rendered inadequate.  Adopting a Zero Trust approach to security operations is the way forward.

Question everything, trust nothing

Too many networks and applications currently run on ‘assumed trust’ systems.

A Zero Trust model views trust as a vulnerability – any user or device looking to access confidential data cannot and should not be trusted by default. Instead, the idea is to follow a ‘trust no one, verify everyone’ mindset.

This is not a specific technology but rather a strategic, initiative-based security system that requires strict and continuous identity verification and control of access to data, systems and applications whether they are in the cloud or on-premise.  Access is granted on a need basis.

This Zero Trust approach helps maintain a high level of security without the need for a physical location to authenticate access.

Barriers to Zero Trust

Many Australian organisations understand the need to shift to a Zero Trust model. Encouragingly, half (53%) of the organisations surveyed now use Zero Trust network access and software defined perimeter capabilities, while 48% plan to deploy these technologies due to the impact of remote work.

But accomplishing the principle surrounding Zero Trust is not without its challenges.

One significant barrier is finding solutions that cover identities and data end-to-end. This comes down to enforcing access decisions dynamically at the application access point, irrespective of where the user resides and the device they are using.

Another challenge is finding the balance between locking down access without interrupting workflow. Users require access to sensitive data to work and collaborate, while businesses leaders need to ensure that a drop in productivity doesn’t become an unwanted side effect.

The final - and probably biggest – element is understanding that achieving Zero Trust is not a set-and-forget process. While some foundational technology capabilities are vital, organisations tend to equate Zero Trust with implementing a single capability when in reality it is an ongoing journey.

Zero Trust: a marathon not a sprint

Migration to a complete Zero Trust security model should be progressive.

The journey starts by identifying where the company stands on the maturity lifecycle within the security space:

  • 0= the problem isn’t even recognised
  • 1= the problem is recognised but nothing is done yet
  • 2= some actions have started to take place but are limited to specific projects
  • 3= there is an organisation wide adoption of Zero Trust security through Multi-Factor Authentication (MFA) and access management

Then organisations need to identify the most sensitive data and critical touchpoints, evaluating what and who needs to be subjected to stricter access controls.

Starting the process by migrating the most critical assets will minimise risks while the company is taking the necessary time to learn and apply the right security configurations.

This is an extremely important step that requires IT and business leaders to join forces to identify which apps are more critical than others.

Digital IDs can then be introduced: each app and user can be attributed an ID and access management level adequate to status and criticality.

But again, this cannot be a set-and-forget process and Zero Trust efforts need to be consistent. The process needs to be constantly evolving to meet IAM needs, user trends and shifting requirements, rather than looking solely at least privilege access.

A platform approach will facilitate the move to this ongoing and evolving Zero Trust process.

Finally, Zero Trust can only be achieved through shared understanding and a collaborative approach at every level of business. It must be established as a company mindset and not simply a framework.

There is no “silver bullet” to achieving Zero Trust. Organisations need to map out their journey as achievable milestones, then evaluate which capabilities can help achieve those milestones. Immediate and effective results will boost the confidence of all stakeholders involved in this multi-step journey and ensure the organisations’ expanding perimeter.

For more information on how Thales can help your organisation with its Zero Trust strategy, please visit this website or contact Thales by email.

Copyright © 2021 IDG Communications, Inc.