Earlier this month, I had the opportunity to join one of my Insight CDCT colleagues, Chris Maritato, for a virtual roundtable led by CIO.com and moderated by BizTechReports’ Editorial Director Lane Cooper. The discussion was a fruitful one and focused on the issues driving the adoption of Zero Trust principles across today’s increasingly complex enterprise compute environment.
As a follow-up to this event, I’ve answered some additional questions surrounding Zero Trust: what organizations need to know about Zero Trust now — and in the future. I hope you find it interesting.
If you take away one thing from this conversation, it is this: Zero Trust is not obtained through a product or solution. It is a framework for securing an environment and should be considered a strategic approach to reducing risk to enable the business to operate securely.
The virtual roundtable was all about issues that are driving the adoption of Zero Trust. In your own words, what do you think are the top issues and benefits in the following areas?
One of the key issues with a traditional approach to security is complexity. With the ongoing pandemic and the new normal of working remotely, Zero Trust can provide IT and security teams with control and visibility over users, devices, access level, and ongoing activity. When understood and implemented correctly, Zero Trust can reduce complexity and resource fatigue — two main factors in risk to operations.
Adopting a Zero Trust approach can seem daunting initially due to perceptions around the cost to rearchitect and design. However, organizations can see the long-term benefits clearly through the reduction of point solutions, centralized security policy management, and the use of behavioral analytics to assist in the constant evaluation of user and device risk to the business. Zero Trust provides a focused security solution environment and reduces the resource activity needed to manage the constant barrage of alerts and potential incidents that security professionals deal with daily.
In the virtual roundtable, the participants discussed how enterprise security/technology executives deal with accelerating complexity. What is your advice for anyone in these roles dealing with this change?
One of the most important aspects of a well-architected Zero Trust framework is simple, centralized policy management. The more complex an environment is, the more likely something is missed — thus introducing risk. Technology that supports Zero Trust should integrate well with other technologies, support Machine Learning (ML) and user behavior analytics, offer continuous activity monitoring, and allow for automated remediation measures.
There are thousands of security solutions on the market today. Many are very good at what they do, but they often focus on a specific problem. Unless you’re a large Fortune 500 company, you likely do not have a team of security professionals big enough to handle the complexity that this invites.
As such, we recommend an approach that focuses on consolidation, integration, and consistency as opposed to the “best of breed” in each security domain. A solution in which the disparate parts work better together is more effective than one in which the parts work great but cannot communicate with the whole.
How do you bring Zero Trust security to life in today’s constantly changing environment? And how can senior leadership support the initiative?
It will be different for every company, but the foundational principles have been articulated well by Microsoft:
- Verify explicitly
- Use least privileged access
- Assume breach
Security should always start at the top — and Zero Trust is no different. Any initiative needs executive buy-in for success. If it is architected properly with input from all affected parties, a Zero Trust framework will serve the business as a proactive measure to ensure minimal business disruptions from attackers.
Zero Trust now — and in the future
Several types of emerging technologies can help support a Zero Trust security initiative. These include modern cloud solutions that enable scalability, end-user behavior analytics, and consolidation and correlation of alerts from disparate security solutions.
Additionally, enterprises can take steps in the right direction to protect their modern digital environments: reduce legacy technical debt and take advantage of cloud stability, scalability, and the shared responsibility that major cloud providers like Microsoft, AWS, and GCP can provide.