Creating a more effective security ecosystem is no longer a ‘nice to have’. The conversations around securing your data and your networks have been dramatically heightened due to the move to a more remote workforce and an increase in the number of devices being utilised to access organisational tools.
The BTN, in partnership with Illumio, brought together some of the brightest experts across technology to discuss the evolving role of Zero Trust. A culture of trust may be one that organisations aspire for internally but the Zero Trust principles must be set as default to not trust user and devices, from both inside or outside the network.
The conversation brought about the following key takeaways:
Device Trust before Identity Trust
The group began their discussion by looking at what exactly the role of trust meant to them in their organisations with regards to security and what exactly the drivers would be for moving to a Zero Trust architecture.
The evolution of the Internet of Things (IoT) was seen as a big driver, whereby an array of technologies that have no embedded security need to operate in silos and we should not trust any of them to upset the others.
Zero Trust has been around a while but has risen to the fore more recently as networks have come flatter and more open – thus increasing the risk of lateral movement. The core tennet to ‘verify always’ is now more relevant than ever to ensure breaches don’t spread and that staff only have access to the necessary applications.
Security Transformation must map your Cloud Transformation
If/when moving to a cloud environment, there will inevitably be challenges around taking the security you had in your own environment to the cloud. The group agreed that the first question that needed to be asked was whether cloud providers fulfil the security issues?
Security can sometimes not just be the afterthought but actually, be the enabler to do something – security teams have for too long been perceived as the department of ‘no’. Find your operational concern and what you are trying to achieve and embed security throughout.
For example, when moving your collaboration tools to the cloud (Microsoft365, Salesforce etc), a common occurrence is the loss of control on design during the transition. If continuous security elements are built-in that move with the products as it evolves, it creates a product-centric approach that combines security with agile.
The role of DevOps teams can help to bring the roles of development and security together, if the aim is for security to be embedded throughout the journey. The cloud gets everyone aligned with the same end journey but we must ensure it is a mindset shift.
Rebuild for your cloud environment, rather than trying to replicating your on-premise solution.
Security is not always about ‘being hacked’
Safeguarding reputation and ensuring operations continue without disruption can be similarly big drivers for organisations, when it comes to security investments. The discussion touched on the role of auditors within certain industries and how regulatory change must always be considered if environmental changes are implemented. The group agreed that Zero Trust was far ahead of the checklist that an audit may consider for compliance.
A CISO will always want as much time as possible between finding out about a breach and it spreading within the network, therefore a contingency should always be in place. Does fear of a breach get the board more ‘excited’ than talking about a culture shift to Zero Trust? Security can sometimes be seen as wanting to do ‘X’ but being fully aware that there is a security aspect that needs to be considered.
Scope your transformation goals with the knowledge of what the implications of failure to adapt would be.
Creating an environment where all systems and people are continuously verified and tested, meaning nothing is allowed into the environment that hasn’t been verified. The role of security within an organisation is to make your ‘product’ as secure as possible, Zero Trust is undoubtedly an element of that.
To learn more about Zero Trust Segmentation please visit https://www.illumio.com/solutions/zero-trust
Illumio enables organizations to realize a future without high-profile breaches by providing visibility, segmentation, and control of all network communications across any data center or cloud. Founded in 2013, the world’s largest enterprises, including Morgan Stanley, BNP Paribas, Salesforce, and Oracle NetSuite, trust Illumio to reduce cyber risk.
