Whilst the concepts of Zero Trust were articulated more than a decade ago, with rapid shift to remote working, digital transformation and demand for Cloud services, Zero Trust is finally gaining the attention it deserves.
“Every organisation’s path to Zero Trust can look different and it’s important to be patient and prioritise your goals and objectives, and subsequent projects one step at a time.”Andrew Hollister, Deputy CISO and VP, LogRhythm Labs
What is the relevance of Zero Trust in today’s world?
The way that businesses operate has permanently changed since the pandemic. While this changing landscape has revealed new growth opportunities, it has also created a larger attack surface and introduced additional security risks. Threat actors now have new means of compromising organisations and this is increasing the threat landscape.
Whilst the concepts of Zero Trust were initially articulated more than a decade ago, with the rapid shift to remote working, combined with digital transformation and the increase in demand for Cloud services, Zero Trust is finally gaining the attention it deserves.
To operate securely and effectively, Chief Information Security Officers (CISOs) need to adapt the security strategy to effectively deal with the ever-changing threat landscape we find ourselves in. A Zero Trust architecture departs from the traditional concepts of securing a perimeter and instead focusses on identity and verification whether of the user, the device or the workload.
What are the primary elements of a Zero Trust security architecture?
Zero Trust requires a different way of thinking about security architecture. It should indeed be regarded as an architecture – an approach to security, rather than something that is another point-solution. Rather, Zero Trust is built on an identity-centric model that ultimately transforms an organisation’s current and legacy cybersecurity and IT models.
The principles of Zero Trust are built on the assumption that the corporate network (or any network, in fact) is hostile at all times. Similarly, no entity—be that user or device—is inherently trusted or granted access based on a single attribute. For example, geographic location is no longer a single source of trust; instead, it is treated as one of several attributes to gauge trust across users, devices, networks and access to sensitive resources. Furthermore, Zero Trust adopts an “assume breach” mentality demanding continual inspection and monitoring, as well as requiring the principles of “least privilege”.
What are the challenges of Zero Trust in a traditional IT environment?
Implementing a Zero Trust model has become a leading security strategy for organisations across the globe. However, organisations with a traditional IT environment must undergo a fundamental shift in mindset and major transitions in the deployment, use and management of security technologies.
The successful deployment of Zero Trust architecture requires security teams to unwind legacy infrastructure, workflows and processes, which often creates new challenges. Depending on the size and complexity of the organisation, the challenges that security operation centre (SOC) teams may face include budgeting and funding, time investment and resource constraints.
Organisations may be used to thinking about a hard perimeter and as such operating with that model for many years. Zero Trust requires an understanding of where your most valuable or sensitive data resides, how and why it is accessed and from where. This can be challenging to ascertain in a large organisation that has been in operation for many years.
What are the advantages and disadvantages of implementing Zero Trust?
Implementing a Zero Trust model is not just beneficial for security, it also creates process efficiencies that benefit IT and makes the jobs of SOC teams easier in the long run. Adopting a Zero Trust model can provide a variety of business benefits, including better handling of bring your own device (BYOD) issues, reducing dependencies, maintenance costs and licensing of software, as well as reducing the potential for a breach.
During our journey to Zero Trust we discovered that 70% of our helpdesk tickets were dealing with leavers, joiners and changes. By implementing a single source of truth and automating onboarding and offboarding of users we were able to virtually eliminate those tickets freeing up valuable time to focus on other priorities.
Nonetheless, organisations need to understand that deploying a Zero Trust architecture is a complex journey and a continual process. Every organisation’s path to Zero Trust can look different and it’s important to be patient and prioritise your goals and objectives, and subsequent projects one step at a time. From small to large companies, expect the process to be a marathon, not a sprint. It will take careful planning and execution but we believe the advantages significantly outweigh any disadvantages.
Have you implemented Zero Trust in the organisation? If so, please share about the experience.
At LogRhythm, we began our journey to Zero Trust at the beginning of 2018. At the time, we were preparing for the upcoming General Data Protection Regulation (GDPR) mandates. This provided us with the opportunity to kill two birds with one stone in identifying so-called “toxic data” for both our compliance requirement and our Zero Trust programme at the same time.
We began by addressing Identity and Access Management (IAM) and Single Sign On (SSO). We designated our Human Resources (HR) system as the single source of truth for joiners and leavers thus providing a solid foundation for the further rollout of Zero Trust. We also implemented Multi Factor Authentication early on in the project. The benefits from these two steps alone were more than worth the time and resource invested.
The benefits of deploying Zero Trust within LogRhythm have been wide ranging. Our Zero Trust model has enabled us to streamline our cybersecurity ecosystem and realise cost savings. We significantly reduced our dependency on our virtual private network (VPN) software and expect to eliminate it completely. We are also in the process of minimising and eliminating our corporate perimeter firewalls.
One challenge we faced was the lack of resources to guide us through the journey, such as budget templates and project plans. As a result we had to create many of these resources from scratch. We have now made these resources available on our website for anyone to use.
What organisational changes need to be accompanied with Zero Trust implementation?
Before starting this multi-year journey, organisations will first need to get buy-in and support from the board. This often starts with a strong business plan showing; investments and costs, proof of the potential reduction of costs and the subsequent return on investment from this strategic initiative.
Organisations need to keep in mind that retiring legacy technology will reduce costs overall, freeing up funding for the necessary new investments. Transforming your technology infrastructure can be a long, tedious process and you’ll likely operate in a hybrid Zero Trust/legacy mode for a period of time. Begin by implementing Zero Trust principles, process changes and solutions for the highest value data assets and don’t underestimate the value in small increments of progress. As we discovered, simply implementing IAM, and establishing a single source of truth for identity, is a vital step forwards and provided us with significant benefits.
Zero Trust has much to offer organisations in a highly digitalised era. By embracing this model as soon as possible, businesses can be ready to tackle future security challenges.