Why adopting a Zero Trust approach is not as straightforward as it might appear
The world has changed. With the move to hybrid working, the rapid adoption of cloud, increased use of mobile and IoT devices, and more, the attack surface of every organization has expanded and businesses are finding it harder than ever to protect their networks and digital assets.
This will, no doubt, be the central theme for this year’s Cybersec Europe, taking place on May 29th and 30th in Brussels. The event aims to arm visitors with the know-how and solutions to make their businesses cyber resilient and secure their digital assets.
But it is not just about securing assets. Traditional boundaries have blurred between businesses, suppliers, customers, workers, and home-life. Organizations must have all the appropriate governance and systems in place so they can view cybersecurity from a holistic and integrated perspective. This is where a Zero Trust strategy with identity at its core is essential.
Zero Trust has emerged as a set of guiding principles and the framework of choice for helping organizations establish a set of controls. Organizations that adopt Zero Trust principles assume every connection, device, and user is a potential cybersecurity threat. By eliminating implicit trust, the Zero Trust model advocates for a security policy in which nobody is inherently deemed safe, regardless of role or responsibility.
Zero Trust security offers a new way of securing access and IT leaders are embracing it. In a recent study, organizations with a mature Zero Trust implementation scored 30% higher in security resiliency than organizations without a Zero Trust strategy.
While this all sounds great on paper, in practice such an approach is inherently hard for organizations to achieve. Many don’t understand all the different aspects of their security infrastructure well enough to implement a holistic Zero Trust approach. I say this because most approach security from a siloed perspective, as do most vendors. Not one vendor has every aspect of Zero Trust covered, with vendors delivering various solutions from identity to access control to micro-segmentation to endpoint verification to network access to real-time monitoring.
Likewise, within the organization different teams will be delegated different security tasks. For example, network management and identity management often sit in separate teams. This may require a significant shift in organizational culture, set-up and security strategies, which can be complex and necessitate buy-in from several different levels. Substantial changes to existing network infrastructure may be required, which can be costly and time-consuming. Achieving comprehensive visibility and control over all network connections can be technically challenging, especially in complex environments.
Xalient looks at identity and access management from every angle: how accounts, whether a person, system or process, get in through the network and via devices, their behavior, governance, and so much more. This is because Xalient has years of proven experience in identity, cybersecurity and networking, with the acquisition of Grabowsky and Integral Partners having further deepened its IAM expertise. This cross-domain capability makes it possible to look beyond siloed teams. For example, Xalient’s AIOps solution MARTINA has the capability to predict anomalies in behaviors around privileged access accounts.
To provide a couple of examples, one customer we are working with is moving from a physical business to a global digital platform. To achieve this digital transformation, every aspect of the project has a different solution, and a different vendor. The challenge for them today is understanding how they are going to bring it all together and how they ultimately extract value. We are helping them visualize where they want to be and what they need to do to successfully deliver this critical transformation. We can comprehensively do this because we straddle the three pillars of networking, security and identity and we are well positioned, particularly with our managed service capability, to help them navigate their way.
We have another client where privileged access management is important. They are involved in secrets management which means making sure their DevOps environment, where secrets are used in their software development, is used appropriately. We helped them successfully deploy this project and now we are preparing for a Zero Trust workshop. Together we are plotting the steps towards the future making sure their cybersecurity team takes all the different aspects into consideration. We can do this as we have hands-on experience in so many different aspects of identity security and networking.
Our top considerations when adopting a Zero Trust approach with identity at its core include:
1. Make sure you encompass all identities in your road map. This includes third-party access, vendor management, partners, employees, contractors – all identities must be handled appropriately.
2. Understand your organization’s critical digital assets, categorize them based on sensitivity, and correlate access needs with job positions. This step aids in prioritizing security efforts and detecting vulnerabilities through a security risk assessment.
3. Restrict user access using the principle of least privilege. Implement access control policies, leverage identity management, and conduct regular access reviews to align permissions with job responsibilities.
4. Understand your risk posture and spend your euros wisely. This means having a complete understanding of access and a comprehensive road map. The challenge today is that most CISOs are so busy with different aspects of legislation, compliance and risk management that they don’t have time to focus on the bigger picture. It is critical that they make time.
5. There is a shortage of qualified, specialist personnel. Therefore, be clear on what topics and intelligence you want to retain within the organization and what you could outsource. For example, Privileged Access Management is complex and your organization probably doesn’t need this level of specialist expertise, so outsource to the experts.
6. Remember the importance of communication within the business security teams, which is vital to building internal support. To achieve this, security teams must inform and guide users through the phases of the Zero Trust implementation while continuing to emphasize the benefits to them.
With this vision and understanding, the steps to success become more achievable. Here at Xalient we can deliver not only a managed service but a single point of contact for different aspects of your Zero Trust journey so you have one contact managing different aspects and vendors.
If you are interested in learning more about Xalient’s approach to Zero Trust, why not listen to our talk, “Why Zero Trust starts with identity”, at Cybersec, which is being held on Wednesday, 29th and Thursday, 30th May at 14.45 pm in Theatre 7. Or you can find us on stand 05.A042.