From the wide adoption of cloud-based computing to the proliferation of connected devices and IOT emerging technologies, business networks are increasingly user-centric rather than site-centric. The growing shift towards hybrid work is accelerating the trend. Organizations need to be prepared for persistent uncertain movement of employees, devices, transactions, and access to business data. There might be periods of employees regularly transitioning between working in an office or from home. Customers are likely to transact with organizations in a digital environment with greater frequency, changing the buying process for entire industries. Does this feel familiar?
As businesses adapt, security leaders are shifting attention towards protecting employees, devices, and systems from potential cybersecurity threats in an environment that is increasingly connected and dispersed. As security moves to the endpoint, traditional perimeter and detection-based approaches are giving way to Zero Trust principles.
“At its core, Zero Trust security eliminates the implicit trust that traditional security controls put in devices or network traffic that is sourced from inside perimeter firewalls,” says Deborah Golden, Deloitte & Touche LLP’s US Cyber & Strategic Risk leader. “Instead, Zero Trust assumes that every request to connect originates from an unknown device, and it enforces least-privilege access to protect assets across the enterprise. It also limits user access to the systems they need, rather than granting them the keys to the kingdom.”
Never trust, always verify
Zero Trust judges each user, each device to indicate how much access should be made available. Zero Trust has emerged as a leading security model to address modern, hyper-connected infrastructures. And while the concept of least-privilege access isn’t new, it has traditionally been enforced at the application layer. Zero Trust pushes access decisions further down the control stack, embedding it into the fabric of the ecosystem that supports identities, workloads, data, networks, and devices.
A user accessing a system from an unusual location, for example, might get access to an application only after going through an extra, step-up authentication process. The system might grant them more modular (and broader) access when they're back on the (anticipated) local network or connecting under expected conditions related to the source browser and device, connection location, and/or time of day.
“Now, companies across industries are tasked with supporting hybrid workplace environment practices,” explains Alexander Bolante, a managing director with Deloitte & Touche LLP who leads the customer identity and access management (CIAM) offering within Deloitte Risk & Financial Advisory. "That means employees, partners, vendors, and customers have to change the way they work or interact, which involves not only boosting security, but also enhancing the user experience. Identity and access management is critical for Zero Trust because businesses need to authenticate all user identities – whether it’s their systems, machines, or digital processes like signing contracts or wiring money – and ensure trusted and secure interactions among them. Organizations should strive for digital identity management systems that embody a set of common qualities for both enterprise and consumer users.”
Where to begin the Zero Trust journey
Adopting Zero Trust does not mean a CISO has to replace existing infrastructure and substitute it with a completely different set of technologies.
Andrew Rafla, the Zero Trust offering leader in Deloitte Risk & Financial Advisory and a partner with Deloitte & Touche LLP, suggests CISOs can prioritize and adopt Zero Trust through an iterative and incremental approach that aligns to business drivers and reduces the potential for operational disruption, while at the same time leveraging and/or supplementing existing capabilities.
“An investment in Zero Trust now is an investment in the future,” Rafla says. “Many organizations are at the beginning of digital transformation projects that can radically alter the services they offer to customers, requiring more distributed and open technology infrastructures. Designing those infrastructures with Zero Trust principles in mind can help to protect those new services and the people who use them.”
Businesses can begin by baselining their environment, determining the assets and identities that they need to protect and what current capabilities exist. Conducting a gap analysis can inform the incremental and iterative steps that can be taken to address control deficiencies between current and desired target state. It's useful to learn from the implementation of additional controls by starting with low-risk assets and/or managed endpoints.
Organizations can also build the foundation for a Zero Trust strategy by focusing on its main currency: identity, through the use of a centralized and federated identity-based approach to access control management. Zero Trust considers the full context of a given session to determine its overall risk and aligning that risk to the types of users (or identities) across each component of the authentication and sign-in process allows organization to define (and control) the conditions for access management and policy governance, thereby greater securing the environment at large.
Balancing the benefits of Zero Trust security
The appeal of Zero Trust is taking root for different reasons. Where once well-constructed firewalls could wall off intruders, organizations need modern armaments to fend off attackers from many endpoints, including employee devices and IoT-enabled tools—a distinguishing benefit of the Zero Trust model. CISOs also need to secure and manage hybrid and multi-cloud environments alongside legacy infrastructure—an effort that can become mired in complexity and operational overhead as well as talent and skills shortages. With so many businesses planning to offer a hybrid work model, a Zero Trust approach enables companies to offer flexibility while boosting security.
“We’ve seen some interesting use cases for Zero Trust,” says Rafla. “One example is organizations exploring expansions into high-risk geographies. They want ways to segment different parts of the business so they can hit a ‘kill switch’ if there’s a security breach to prevent threat actors from moving laterally into other parts of the network.”
Zero Trust is not a technology project. It’s an organizational culture shift. Organizations should assess and address the potential impact to end users, operational teams and processes, business stakeholders, and relevant third parties in order to be successful in their journey toward Zero Trust. This protection can build a strong sense of trust as organizations invite customers and partners alike to participate in those new services, adds Golden. She says, “Eliminating implicit trust from the enterprise may very likely be the key to building the most trustworthy digital transformation of all.”
This article was produced by WIRED Brand Lab on behalf of Deloitte.
