Our IT Executive Roundtables are invite-only events hosted by peers for peers that bring together a select group of senior IT leaders from across industries for topic-driven, intimate dialog on current trends and topics. The group met remotely to discuss how to implement a zero trust security model, led by the CTO & CIO/CISO of a leading provider of integrated software, assessment, and analytics solutions. This session was sponsored by Okta.
Zero trust is a security approach requiring all network entities, whether external or internal, to be authenticated, authorized, and repeatedly validated. A true zero trust implementation trusts no one by default and enforces the principle of least privilege across the organization. Due to the unprecedented rise in cyberattacks each year, we see more organizations interested in zero trust. But what does it take to start and progress on the zero trust journey?
At the start of the discussion, attendees were asked to share the first steps in their zero trust journeys. A CISO said that their first step was implementing MFA. A senior executive mentioned that they kicked off their journey by enforcing stricter access and security controls on everything inside their firewalls. One executive remarked that getting hit with ransomware instigated their efforts to achieve zero trust. The rest of the attendees were mainly figuring out efficient ways to enforce zero trust policies without hampering efficiency and usability.
A participant told the audience that their company has multiple product lines, hence multiple entry points to their network, and they can’t secure all of them without zero trust. Zero trust enables them to implement network segmentation and apply different security controls for each product line. This way, a breach in one product line doesn’t propagate to the rest, and they avoid having a single point of failure.
A contributor from the education industry added that the threat of ransomware shutting down schools forced them to be more security-centric. They used to be a trusting group that would let everyone do everything, but now they have started implementing MFA and more fine-grained access control. They are experiencing a cultural shift in the education industry, with people paying more and more attention to security.
It’s essential to create an architecture resilient to both external and internal threats. Zero trust dictates that you can’t trust anyone by default, not even your employees. Everyone must verify their identity before their device can connect to the internal network. A piece of malware on an unaware employee’s device shouldn’t be allowed to infiltrate the network. Similarly, strong privileged access management and identity lifecycle administration must be enforced to prevent rogue employees from causing damage.
An attendee mentioned how important it is to treat cybersecurity roadmaps with the same vigor we treat all our other product roadmaps. If you can get your board and senior management aligned with the roadmap at the beginning, it can pave the way for change. Clearly establish the objectives of zero trust and ensure maximum visibility into your progress. With that said, you should also be prepared to deal with the challenges. For example, you may face resistance when revoking admin rights from people and giving them more granular privileges.
Having a good DevOps program can also catalyze zero trust implementation. DevOps processes can provide developers with the crucial tools and pipelines for shifting left. They can also allow you to apply security policies across the network.
Additionally, it’s virtually impossible to achieve zero trust without subject-matter experts. You need to partner with good security firms or hire in-house engineers with hands-on experience.
A speaker told the audience that zero trust is much more than just technology. “You can’t just buy some tools, throw them at the wall, and see what sticks.” You also have to develop a strategy, educate your people, and define processes to achieve true zero trust. Moreover, not every good tool will work for your organization. Before making an investment, make sure to evaluate your operational needs and architectural compatibility.
A participant claimed that most zero trust journeys will be built around identity in the next few years. Identity management systems allow you to create different user groups, define granular access policies, and streamline organization-wide authentication. We can expect them to mature even more in the coming years. Another executive shared how they are trying to build a threat management program, which focuses on aggregating and analyzing threat data to prioritize vulnerabilities and threats.
Multi-factor authentication (MFA) and one-time passwords (OTPs) are being used to verify identities, some argue, at the cost of customer convenience. So how do you implement security controls for your customers without asking them to do too much?