The shift to zero trust
The future of organisations will be built on the ability to work securely from anywhere, using any device at any time. This was made clear during the COVID-19 pandemic, which forced millions of workers to work from home using company-owned or personal devices. As the velocity and persistence of cybersecurity attacks increase daily and digital transformation continues to be a priority for businesses, the concept of “zero trust” (ZT) has quickly shifted to the forefront. We view the shift to a zero-trust architecture (ZTA) as essential to continue enhancing the security posture of an organisation’s data, identity, network, workloads and endpoints.
- Commit to a zero-trust strategy — ZTA requires commitment at the highest levels of leadership across multiple lines of business to be successful.
- Assess the current project roadmap — Organisations should identify and understand the current and future security projects in the pipeline so they can potentially be aligned to achieve ZT principles.
- Identify and map data — It is critical to identify sensitive data and gain a deep understanding of where sensitive data is stored, processed and transmitted. Further, the flows of sensitive enterprise data should be mapped to effectively describe the boundaries of ZT core elements (e.g., workload, data, etc.).
- Develop or update security policies and standards — Security policies and standards should be updated to accommodate changes made to enterprise resources based on ZT principles.
- Design the future network — Organisations should architect micro-segmentation by logically creating network segments that are used to control traffic within and between the segments. This method is used to restrict the spread of lateral threats and focuses on the development of granular policies based on a data-centric approach.
- Implement identity governance and administration (IGA) — A robust IGA programme should be developed that emphasises meaningful preventive and detective controls over who has access to what.
- Strengthen access management approach — Organisations should embrace multi-factor authentication and make adaptive and contingent decisions based on the right user having access to the right resources at the right time.
- Implement monitoring and visualisation tools — It is important to continuously monitor the ZT ecosystem by expanding the use of existing technologies or implementing recent technologies to gain visibility into the security of ZT core elements.
- Embrace security automation and orchestration — Information from corporate resources should be gathered to enable development of visualisations and expand the use of automation and orchestration to create feedback loops and scoring models.
- Be patient — The zero-trust methodology represents a journey and will take a few years to expand across the entire network and associated components.
As the paradigm shift to zero trust occurs and companies continue their digital transformation journey, Protiviti can assist organisations at every stage, providing industry-leading expertise to help achieve a more robust security posture. Our services to help organisations implement a zero-trust methodology include:
- Prepare a zero-trust strategy. Our design thinking workshops can help organisations develop and communicate a ZTA strategy, including creation of the artifacts needed to socialise with staff, executives and the board of directors.
- Assess an organisation’s readiness to move towards a zero-trust architecture, from existing governance artifacts to existing technology investments. Protiviti can help organisations determine capability gaps, then develop a roadmap for the deployment of zero-trust architecture components over time. Zero trust is an evolution of existing architecture and does not have to occur in a “big bang” moment.
- Perform an identity and access management (IAM) assessment of the environment to assess gaps and build a roadmap to have an IAM programme that aligns with a ZTA.
- Perform a data assessment to discover where the organisation’s most critical data is located and how it is used within the environment, using automated tooling to assist in data discovery efforts that span structured and unstructured data.
- Conduct readiness workshops with an organisation’s infrastructure, operations, business and security teams to build buy-in and establish the foundation for implementing a zero-trust architecture.
- Connect organisations with leading vendors in identity, network and managed security services to speed up and simplify implementation.