Why You Should Be Applying a Zero-Trust Approach to Defend Your Organisation

By Phil Packman, CISO, Commercial Contracts, BT

We know that attackers are constantly looking for weaknesses to exploit, and with cloud and hosted services these gaps can lie outside your perimeter. Couple this with the vast attack surface presented by the internet and hyper-connectivity, and the security challenge expands further. In response, organisations are increasingly taking a zero-trust approach, focusing on where the gaps are and how people might exploit them.

In a zero-trust environment you assume that no request to an application is trustworthy by default, whatever network it arrives from, so every access is treated as potentially malicious or undesirable until it has been verified. Instead of trying to police all the borders and paths across your network, you create islands of applications and data that you can protect in a much more focused way.

A zero-trust mindset means you can segment and control applications in a way that provides only the functionality that’s needed, efficiently and securely.

Getting the basics right

Many organisations have flattened their networks and removed policy enforcement controls in favour of simplification and agility. Unfortunately, a large flat network with few barriers to communication across it makes it very easy for malware or an attacker to move laterally, rapidly and with very little chance of detection or prevention. Recent examples are the well-documented WannaCry and NotPetya ransomware incidents from 2017, both of which spread from host to host over SMB and moved fastest where nothing restricted that traffic between machines.
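What the "islands" look like in practice is a default-deny policy between segments with a short list of explicit allows. The ruleset below is an added example and is not part of the article or BT's own material: it is an nftables configuration for a Linux gateway sitting between a workstation segment and a server segment, written so that SMB and remote-administration traffic of the kind WannaCry and NotPetya relied on can only reach the hosts that legitimately need it. All addresses, segment layout and port choices are constructed assumptions for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the article): default-deny segmentation on a gateway
# between a workstation segment and a server segment.
# Addresses are constructed for illustration only:
#   10.0.20.0/24  workstations
#   10.0.10.0/24  server segment
#   10.0.10.5     file server (SMB)
#   10.0.10.9     intranet web application (HTTPS)
#   10.0.30.7     jump host used by the IT team for remote administration

flush ruleset

table inet segmentation {
    chain forward {
        # The "flat network" equivalent of this chain is "policy accept" with
        # no rules: every host can reach every port on every other host.
        # Here nothing crosses between segments unless a rule below allows it.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were already allowed.
        ct state established,related accept
        ct state invalid drop

        # Workstations may reach the file server on SMB only.
        ip saddr 10.0.20.0/24 ip daddr 10.0.10.5 tcp dport 445 accept

        # Workstations may reach the intranet application over HTTPS only.
        ip saddr 10.0.20.0/24 ip daddr 10.0.10.9 tcp dport 443 accept

        # Remote-administration ports (RPC endpoint mapper, SMB, RDP, WinRM)
        # into the server segment are allowed from the jump host and nowhere else.
        ip saddr 10.0.30.7 ip daddr 10.0.10.0/24 tcp dport { 135, 445, 3389, 5985, 5986 } accept

        # Any SMB from a workstation to anything other than the file server is
        # the lateral-movement pattern we care about: log it for the SOC, then drop.
        ip saddr 10.0.20.0/24 ip daddr != 10.0.10.5 tcp dport 445 log prefix "lateral-smb-blocked: " drop

        # Everything else falls through to the chain policy and is dropped.
    }
}
```

Load it with `nft -f segmentation.nft` and confirm the result with `nft list ruleset`. Two caveats a practitioner would raise: a gateway forward chain only sees traffic that crosses a routing boundary, so two workstations on the same subnet can still talk SMB to each other unless the host firewall (or a private VLAN) blocks it too; and the logged drops are only useful if something is actually collecting and alerting on them, which is the detection half of the argument above.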

The zero-trust approach is a way of balancing a robust security stance with the simplification of your architecture. It requires both strategic and technical commitments, with the overall objectives of increasing the control and inspection that surrounds all your applications and data.

This includes tighter regulation of what each user can do and a more robust approach to an individual's access rights and privileges, especially those of third parties and suppliers. The starting point for improving your access validation is putting good first-principles hygiene controls in place, and building a holistic view of the roles and personas that need access to your applications.

Start small for low-risk learning

A thorough understanding of applications and data flows is essential, as is a solid Identity and Access Management strategy. All of this must be set in the context of the business outcomes required from specific applications and who needs what level of access to them. We advise starting small when it comes to adopting a zero-trust approach. Too often, large, established organisations begin with a complex application, then struggle to achieve the necessary level of visibility around how it is used.

By starting with a less complicated application or a less well-known service, you can learn in a way that doesn’t impact the business but still provides repeatable and reusable controls and experience.

CIO and CISO collaboration is essential to zero-trust success

As the reach of IT extends, and visibility and control become more limited, CIOs and CISOs need to unite to defend their organisations. IT security has shot up the list of priorities for most business leaders, making security threats a significant consideration in many board-level risk models.

The zero-trust approach to enterprise architecture requires ongoing effort from both departments. By working together to create a more effective, strategic and focused approach, they can minimise data breaches and improve the organisation’s ability to contain and defend against cyberthreats.
