“Don’t trust anything that you can’t verify” is a principle that is becoming more important. The role of cyber security has come under scrutiny and added pressure as a result of the changes in the world of work.
The BTN partnered with Illumio, the pioneer and market leader of Zero Trust segmentation, for a conversation around the role of Zero Trust and creating an effective security defence within organisations.
The conversation was led by Nathanael Iversen (Chief Evangelist at Illumio) and Trevor Dearing (EMEA Director of Technology & Product Marketing at Illumio), with some of the leading technology and security experts across the business.
The conversation brought about the following talking points:
Not just a tech approach but a paradigm shift
At the crux of organisations’ cyber security journeys is how we can secure our most valuable business applications, without slowing the network down.
Zero Trust can be a solution to a variety of organisational issues, but it is not only a technology approach; it is a paradigm shift. We need to make the business secure and find a simple way of doing that.
Zero Trust is a desired outcome, but today’s paradigm is not limited to perimeter security anymore. In some cases, organisations aren’t willing to pay the price for it and remote users then have a different user experience. Application security and user security are being handled differently.
The segmentation tools that were used previously might not be fit for purpose in the new dynamic network. We need to understand what our greatest perceived risk is. Should we segment starting from the user or starting from the data centre?
At home, you can have your own device which is trusted on the home network, but should you be able to trust your company device in an unknown environment?
We must create solutions within our organisations that work for us, secure our organisations and don’t slow down the network.
The language of risk needs to change
One of the biggest threats is actually inside the organisation. So how can we educate our executives on the evolving challenges and potentially revolutionary changes that we need to make?
The conversation moved onto what the role of security and risk means within the boardroom. If you ask your CEO to explain what Zero Trust is, the answer will be ‘sounds familiar, but not sure of the details’. Boards don’t understand risk in its entirety, so it always needs to be broken down and simplified.
Is calling it Zero Trust going against the grain? Should we call it something different, as we do actually trust our people but not necessarily the environment? If you have an idea of implementing Zero Trust, use the phrase “digital transformation” to create interest and truly embed it.
Zero Trust is more of a multi-disciplinary transformation than simply a plug and play, one and done approach, so we should be working with our employees to understand what they need. Map out what is required first. Potentially speak to HR first, who define the roles, and then evaluate from there, as it is never one size fits all.
We must try to show value right from the start and create an effective security recipe. How do you start? Through helping people on the basis of risk, where Zero Trust can make the biggest impact.
Zero Trust helps the Cloud but the Cloud helps Zero Trust
What can be done to scale segmentation through your organisation without breaking the bank or the network?
The cloud is the perfect field to play with Zero Trust; however, Zero Trust is simply just a facet of the bigger picture.
Everything in the cloud has metatags or metadata. So, if you can use/leverage this as the basis for the segmentation, then the segmentation can be accelerated if it is API driven. Once people can identify the devices and flows, then it's easy to define the policy.
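To make the point about metadata-driven segmentation concrete, here is an added example (not from the discussion or from any vendor's product) that turns observed flows into label-based allow rules with default deny. The tag keys, addresses, flows and the "same app and environment" scoping rule are all constructed assumptions.

```python
from collections import Counter

# Constructed inventory: workload address -> cloud tags (tag keys are assumed).
WORKLOADS = {
    "10.0.1.10": {"app": "payments", "env": "prod", "role": "web"},
    "10.0.1.11": {"app": "payments", "env": "prod", "role": "web"},  # new instance
    "10.0.1.20": {"app": "payments", "env": "prod", "role": "db"},
    "10.0.2.10": {"app": "payments", "env": "dev", "role": "web"},
    "10.0.3.10": {"app": "hr", "env": "prod", "role": "web"},
}
# Constructed flow records: (source, destination, destination port).
OBSERVED = [
    ("10.0.1.10", "10.0.1.20", 5432),
    ("10.0.1.10", "10.0.1.20", 5432),
    ("10.0.2.10", "10.0.1.20", 5432),  # dev web reaching the prod database
    ("10.0.3.10", "10.0.1.20", 5432),  # a different app reaching the database
]
LABEL_KEYS = ("app", "env", "role")

def labels(ip):
    """Return the (app, env, role) label tuple, or None if untagged/unknown."""
    tags = WORKLOADS.get(ip)
    return tuple(tags[k] for k in LABEL_KEYS) if tags else None

def propose_rules(flows):
    """Collapse flows into label-to-label rules.

    Assumed scoping: a flow becomes an allow rule only when both ends share
    app and env; everything else is queued for human review, not allowed.
    """
    rules, review = Counter(), Counter()
    for src, dst, port in flows:
        s, d = labels(src), labels(dst)
        if s is None or d is None:
            review[(src, dst, port)] += 1  # cannot be expressed with labels
            continue
        same_scope = s[:2] == d[:2]
        (rules if same_scope else review)[(s, d, port)] += 1
    return set(rules), dict(review)

def allowed(rules, src, dst, port):
    """Default deny: permit only flows whose label pair matches a rule."""
    s, d = labels(src), labels(dst)
    return s is not None and d is not None and (s, d, port) in rules

if __name__ == "__main__":
    rules, review = propose_rules(OBSERVED)
    print("allow rules:", rules)
    print("needs review:", review)
    # The new web instance never appeared in OBSERVED but inherits the rule.
    print(allowed(rules, "10.0.1.11", "10.0.1.20", 5432))
```

Because the rule is written against labels rather than addresses, the newly tagged instance is covered without a policy change, while the cross-environment and cross-application flows stay blocked until someone reviews them.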
There was discussion around there being two different approaches to moving to the cloud, which depend on the maturity/expertise of the company: one is the lift & shift, another one is re-architecting.
Zero Trust means different things for different organisations. The transition from trusting everything within your walls to having to pivot and trust nothing will be a journey.
Zero Trust should really be nothing new; the technology is already here, but it’s about the real time-based decision: changing as a response to other changes. The people layer of Zero Trust will always be the trickiest, but if we communicate the right messages at the right time then people will understand the reasons. Don’t trust anything that you can’t verify.