Lessons from US CyberWeek: The road to Zero Trust

Day four has certainly lived up to expectations with experts from the Cybersecurity & Infrastructure Security Agency (CISA), the U.S. Department of Agriculture (USDA), the U.S. Air Force, Duo Security, Okta and McAfee discussing the challenges and successes in building a Zero Trust architecture. One thing was easy to agree on: Zero Trust is not a destination. The group was unanimous that it’s an evolving process that requires upkeep and management.

Here are some top takeaways from today’s session.

Zero Trust is a journey

All speakers agree: Zero Trust is a journey, not a destination. The surge of remote workers greatly accelerated the migration to Zero Trust architecture. The focus became the “connective tissue” within the network to keep operations going. The perimeter-free environment has created a need for the transition to cloud solutions, stronger identity management and a better understanding of how data is used. Once a gap analysis is done within an organisation, the roadmap to a Zero Trust lifestyle can be made.

One big question that needs to be addressed is, “Can legacy information systems hold up to identity access system requirements?” Data lifecycle management requires categorisation and tagging of data to grant access under the conditions prescribed. Ultimately, security is the responsibility of all, and it requires collaboration across the organisation.

Cyber security: A business enabler

Services cannot be hampered by cyber security, and user experience should be the same on-prem as it is when remote. At the end of the day, it’s the age-old story of security versus convenience. By creating an environment and/or architecture where access control security based on identity verification is baked into the culture, it will not matter if the end user is located within the facility perimeter or working remotely from anywhere in the world, on any network in the world. The goal is to ensure cyber security is a business enabler within the organisation.

The end user at the core

When it comes to creating a successful security program, the user needs to be the centre of the universe. With a strong understanding of how the user needs to behave in the environment and what the workflow looks like, policies can be created.

For example, users who are used to being able to print documents in the office may expect that same experience in the WFH environment. This need fosters policy around BYOAD – bring your own authorised device. Setting policies around which devices can be used and what standards they need to meet will help to create a secure experience for the users. At the end of the day, it’s the user experience that will determine if the program is effective.

If the user experience is unaffected by the security measures, then we have removed the gates and created guardrails.

Speed bumps in the Zero Trust journey

The path to Zero Trust is not without its challenges. The strategy requires a mature environment with trusted identity management solutions and partnerships with trusted vendors. Knowing the who, what, where, when and why of data usage and workflow is essential to implementing a Zero Trust strategy. Organisations are often beholden to legacy systems and their capabilities, so they need to rely on things like educating employees to create a safe environment at home when working remotely. CISA’s TIC 3.0 guidance helps organisations leverage existing resources to secure their networks. This guidance helps provide situational awareness for organisations as they build out their Zero Trust program.

Identity and trust

It has been widely recognised that cloud migration is the future of ubiquitous data access. This has also increased the attack surface. Cloud adoption has also led to a rise in shadow IT. Although these “shadow systems” may improve productivity, they can introduce serious risks, from data leaks to compliance violations, because they are not implemented through the proper channels. Credential management becomes difficult when systems are being used without the knowledge of the CISO and IT/Security teams. Another challenge in identity and trust is how access is granted. Do we trust the user or the device the user is on? The objective is to federate user credential data into a single system and consolidated format (see how Daltrey do this here). This will give the CISO visibility and control over identity and trust.

Roadmap to Zero Trust

Understanding the lexicon of Zero Trust can be tricky and, depending on where you sit, can change the view of what Zero Trust means. No matter what perspective you take, identity, of users and devices, is critical to the implementation of a successful Zero Trust architecture. A focus on workflow and identity will aid in making access contextual: in other words, providing the “right people” with the “proper access” to the “correct resources” for the appropriate amount of time. By putting the user experience first and removing friction and pain points from it, we provide users with clarity while also increasing security.

The road to Zero Trust will be different for different organisations. But no matter what road you take, it’s going to be a heck of a ride!