Our IT Executive Roundtables are invite-only events hosted by peers for peers that bring together a select group of senior IT leaders from across industries for topic-driven, intimate dialogue on current trends and topics. The group met remotely to discuss how to implement zero trust architecture, led by the VP & CISO of a leading hospitality company. This session was sponsored by Cloudflare.
Zero trust is a security model that improves your security posture and reduces your attack surface. It requires you to eliminate implicit trust and authenticate digital identities every step of the way. In the last few years, it has evolved from a security buzzword into an umbrella term that encompasses several ways of protecting your assets from unauthorized access. How do you go about achieving zero trust? What does “achieving zero trust” even mean?
At the start of the discussion, attendees talked about the biggest drivers of their respective zero-trust journeys.
During the early days of zero trust, getting buy-in from the C-suite was a huge implementation obstacle. These days it’s much easier, owing to the rising number of public cyberattacks. The earliest implementations of zero trust focused on network segmentation and making everything identity-based. Today, zero trust encompasses a lot more. Modern zero trust implementations enforce a mobile perimeter model, which secures the workforce, workplace, and work processes. They allow you to use identity as a control mechanism to determine who can access what, and under which circumstances.
An attendee declared that zero trust is a journey, not a destination. You should begin by implementing identity and access management (IAM) and defining fine-grained access policies for everyone. Another attendee commented that you should start by getting some quick and easy wins, and then find change advocates who can spread your vision across the company. The length of a zero trust journey depends on the size of your company and its attack surface. For smaller companies, it may be a short journey; for larger ones with legacy systems, it may be a multi-year process. Having clearly defined end goals enables everyone to stay aligned. For example, you may have an end goal of no longer using a VPN, or of implementing identity lifecycle management.
An executive mentioned that legacy applications pose the greatest challenges while implementing zero trust. It’s hard to integrate modern tools with legacy applications that run outdated protocols and tech stacks. It can also be difficult to enforce restrictive access policies across different functional units, without causing downtime. Another challenge is tackling change resistance and convincing people to take a radically different approach to security.
Multiple participants agreed that zero trust is an abstract idea, which can mean different things to different organizations. It’s important to understand what zero trust means to you, not what it means universally. This will allow you to articulate what you need to be working towards. For example, you may want to achieve zero trust to have contextual awareness of your digital identities, to generate temporary access credentials for different use cases, or to have granular visibility of all your cloud assets.