Why You Should Be Applying a Zero-Trust Approach to Defend Your Organisation

By Phil Packman, CISO, Commercial Contracts, BT


We know that attackers are constantly looking for weaknesses to exploit, and with cloud and hosted services these gaps can lie outside your perimeter. Couple this with the vast range of attack vectors presented by the internet and hyper-connectivity, and the security challenge expands further. In response, organisations are increasingly taking a zero-trust approach, focusing on where the gaps are and how people might exploit them.

In a zero-trust environment you assume that all application access is potentially malicious or undesirable. Instead of trying to police all the borders and paths across your network, you create islands of applications and data that you can protect in a much more focused way.

A zero-trust mindset means you can segment and control applications in a way that provides only the functionality that’s needed, efficiently and securely.

Getting the basics right

Many organisations have flattened their networks and removed policy enforcement controls in favour of simplification and agility. Unfortunately, a large flat network, with few barriers to communication across it, makes it very easy for malware or an attacker to move around rapidly, with very little chance of detection or prevention. Recent examples of this are the well-documented WannaCry and NotPetya ransomware incidents of 2017.

The zero-trust approach is a way of balancing a robust security stance with the simplification of your architecture. It requires both strategic and technical commitments, with the overall objectives of increasing the control and inspection that surrounds all your applications and data.

This includes tighter regulation of what each user can do and a more robust approach to an individual's access rights and privileges, especially those of third parties and suppliers. The starting point for improving your access validation is putting good first-principle hygiene controls in place, and building a holistic view of the roles and personas that need access to your applications.
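The "islands" model described above, written out as an added Python example that is not from the article or from BT: each application gets an explicit allowlist of roles, source segments and actions, and anything not listed is denied and recorded for the security team. The rules, role names, segment names and applications are constructed sample data, and the blast-radius comparison between a flat network and a segmented one is a simplification used only to illustrate the lateral-movement point.

```python
"""Default-deny access policy for application "islands" (added example).

Every application has its own allowlist; a request is permitted only if a
rule explicitly matches its role, source segment and action. Denials are
kept as an audit trail, which is what detection tooling would alert on.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    principal: str     # user or service identity (e.g. "alice")
    role: str          # persona: "hr-analyst", "supplier", "engineer"
    source: str        # network segment the request originates from
    application: str   # the island being accessed
    action: str        # "read", "write" or "admin"


@dataclass
class Rule:
    application: str
    roles: set
    sources: set
    actions: set


class ZeroTrustPolicy:
    """No implicit trust: access is denied unless a rule allows it."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.denied = []  # audit trail of every denied request

    def decide(self, req: Request) -> bool:
        for rule in self.rules:
            if (rule.application == req.application
                    and req.role in rule.roles
                    and req.source in rule.sources
                    and req.action in rule.actions):
                return True
        self.denied.append(req)  # default deny, and record it
        return False


def build_policy() -> ZeroTrustPolicy:
    """Constructed sample rules; application and segment names are hypothetical."""
    return ZeroTrustPolicy([
        Rule("hr-portal", {"hr-analyst"}, {"corp-lan"}, {"read", "write"}),
        Rule("payroll", {"hr-analyst"}, {"corp-lan"}, {"read"}),
        Rule("supplier-portal", {"supplier"}, {"partner-vpn"}, {"read", "write"}),
        Rule("build-server", {"engineer"}, {"corp-lan", "eng-vpn"},
             {"read", "write", "admin"}),
    ])


def all_applications(policy: ZeroTrustPolicy) -> set:
    return {rule.application for rule in policy.rules}


def flat_reachable(policy: ZeroTrustPolicy) -> set:
    """Flat network with no enforcement points: a compromised host can
    reach every application regardless of who it is or where it sits."""
    return all_applications(policy)


def reachable_applications(policy: ZeroTrustPolicy, source: str, role: str) -> set:
    """Segmented network: only islands with a rule for this role and
    source segment are reachable at all (for any action)."""
    return {rule.application for rule in policy.rules
            if role in rule.roles and source in rule.sources}


if __name__ == "__main__":
    policy = build_policy()
    print("flat network blast radius:", sorted(flat_reachable(policy)))
    print("supplier on partner-vpn  :",
          sorted(reachable_applications(policy, "partner-vpn", "supplier")))
    policy.decide(Request("vendor1", "supplier", "corp-lan", "hr-portal", "read"))
    for req in policy.denied:
        print("DENIED (alert):", req)
```

The point of the comparison is the size of the reachable set: in the flat model a single compromised host reaches every application, whereas in the segmented model a supplier identity on the partner VPN reaches exactly one island, and every attempt outside that allowlist produces a denial record that can be monitored.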


Start small for low-risk learning

A thorough understanding of applications and data flows is essential, as is a solid identity and access management strategy. All of this must be set in the context of the business outcomes required from specific applications and of who needs what level of access to them. We advise starting small when it comes to adopting a zero-trust approach. Too often, large, established organisations begin with a complex application, then struggle to achieve the necessary level of visibility around how it's used.

By starting with a less complicated application or a less well-known service, you can learn in a way that doesn’t impact the business but still provides repeatable and reusable controls and experience.

CIO and CISO collaboration is essential to zero-trust success

As the reach of IT extends, and visibility and control become more limited, CIOs and CISOs need to unite to defend their organisations. IT security has shot up the list of priorities for most business leaders, making security threats a significant consideration in many board-level risk models.

The zero-trust approach to enterprise architecture requires ongoing effort from both departments. By working together to create a more effective, strategic and focused approach, they can minimise data breaches and improve the organisation’s ability to contain and defend against cyberthreats.
