As IT environments have evolved, so too have the security requirements. The traditional, perimeter-based approach to security is no longer
As IT environments have evolved, so too have the security requirements. The traditional, perimeter-based approach to security is no longer adequate at a time where organisations are leveraging multi-cloud environments, pushing computing to the edge, and embracing remote work.
Zero trust security emerged as a solution to the evolving use of IT. Zero trust security assumes that nothing, whether it is inside or outside of the network, can be trusted, and that ongoing verification is needed for authentication.
It is one of those rare technologies where there is universal consensus on its value. The vast majority of executives – 83 per cent – agree that, to safely protect modern work environments, zero trust is strategically necessary.
Unfortunately, companies across APAC are struggling with the implementation of zero trust. When poorly implemented, zero trust security can result in inefficiencies across the workplace. In a worst-case scenario, the risk of shadow IT, as users look for alternatives outside of the networked environment, exposing that data and work process to a high level of risk.
Looking at zero trust strategically
To implement zero trust IT in a way that maintains the user experience, the CISO and CIO need to approach implementation with three specific strategies in mind.
- Firstly, they need to understand the impact that zero trust security will have on legacy systems. With many applications it won’t be possible to simply drop zero trust solutions over the top, and so, before adopting zero trust, there should be a full audit of the environment, to mitigate against surprise incompatibilities.
- Secondly, the IT team needs to understand how users are interacting with the applications and IT environments, to ensure that, once the user has demonstrated the legitimacy of their login and interactions, the security subsequently gets out of the way. Zero trust security is only going to be embraced by the organisation if it doesn’t inhibit productivity.
- Finally, the CISO and CIO need to understand that zero trust security is iterative – the IT security team should take an agile approach to rollouts, where they are constantly monitoring the network and traffic to build insights into how to improve the security over time.
These considerations can be addressed through a five-step process:
- Define the protected surface – As above, audit the environment to understand the critical data, applications, assets and services, so the full scope of what needs to be protected can be defined.
- Map the transaction flows – Understanding how the specific resources in your environment interact will allow you to build tight controls into the security system and optimise the performance of it.
- Determine the right technology mix that will cover the full surface area – In most cases, zero trust security involves a combination of technologies and systems.
- Build the policies, keeping the users in mind – This is the stage where you determine the balance between security and the user experience.
- Monitor and maintain networks – As mentioned, it’s important to understand that zero trust is not set-and-forget, but rather iterative and agile. It’s also likely that you’ll need to undertake a change management program, so that the rest of the employees (and, potentially, customers and clients) understand this new approach to security. However, given that zero trust security ultimately allows for more flexible ways of working – for example, it will allow employees to work from home indefinitely – it is one of those times that the IT team will be seen as delivering meaningful value and opportunity to the business.
For more information on how Protectera can help you develop and execute on a zero trust security strategy, contact us today.