Our Roundtable Sessions are invite-only events hosted by peers for peers that bring together a select group of senior IT leaders from across industries for topic-driven, intimate dialog on current trends and topics. The group met remotely to discuss where to start your zero trust journey, led by the CISO of a family of full-service real estate and financial services companies. This Session was sponsored by Palo Alto.
A zero trust architecture is one where nothing is inherently trusted inside or outside the organization. It ensures compliance with the principle of least privilege: people and applications only have the bare-minimum rights they need to do their jobs. Zero trust enables organizations to adapt to the modern security landscape, including remote workforces, hybrid infrastructures, multi-cloud deployments, and ransomware attacks. But what does zero trust mean, and how do you start your zero trust journey?
At the beginning of the discussion, different attendees shared the highest priority aspects of zero trust within their organization. An infrastructure engineer remarked that their primary area of interest is implementing zero trust without compromising user experience. A security architect mentioned that they currently have a network-centric security model, which prevents them from offering BYOD to their workforce. Their goal is to implement a zero trust model that adds flexibility to their authentication and access control policies. A CIO shared that a zero trust implementation will help them enforce granular access control. An IT manager added that their main zero trust objective is to apply modern security controls to the legacy applications in their infrastructure.
An executive explained that to them, zero trust is all about complying with the principle of least privilege. It’s about applying the required security controls to all your environments, whether on premises or in the cloud.
A participant told the audience that it’s important to get higher management on board with zero trust at the very beginning. Explain zero trust to them in a way that resonates with them. Don’t throw technical jargon at them; instead, share the many benefits of zero trust, like data protection, reduced costs, increased productivity, etc.
It is also essential to identify the “low-hanging fruit,” which can help you get some quick wins. For example, you may start by implementing an identity management system, which enables you to enforce stronger authentication and authorization. When choosing tools for zero trust, it’s crucial to evaluate them based on several factors, like business needs, interoperability with different internal applications, types of supported users (e.g., employees, customers, and vendors), and ease of use.
Multiple speakers agreed that there is a step zero in the zero trust journey. This step focuses on identifying system- and user-level requirements and creating an inventory of your environment(s). For example, in step zero, you answer questions like: How many users do we have? What devices and/or applications are they using? Which applications/users are security-critical? Do we have any external users that require short-term access? What unmanaged devices exist on our network? How many environments are our applications spread across? Where does our sensitive data reside?
An attendee discussed how they look at zero trust in three ways within their organization. The first one is users, which involves implementing identity, replacing traditional VPN, and revamping access control. The second aspect is applications, which deals with applying security best practices to applications across infrastructures. The third part is infrastructure, which focuses on securing the supply chain, unmanaged infrastructure, IoT (Internet of Things), and all the other entities and processes that are usually hard to secure.
Below are some of the drivers for zero trust that were mentioned during the discussion: