Illumio: Simplifying Zero Trust adaption
Illumio's Field CTO, Raghu Nandakumara, talks to Cyber Magazine about Zero Trust security.
The most majestic and flawless structures in our world are admired by strangers every day. But it’s easy to forget that such intricate and complex masterpieces were not created in days – more like hundreds, even thousands, of years.
For businesses looking to adopt a Zero Trust policy, the same fundamentals apply. Of course, the time scale is much shorter, and the intricacies are far more minimal, but the message is there: impactful projects designed to revolutionise a business should not be undertaken as one massive task.
The Zero Trust model provides assurances that only verified identities can access critical networks, apps, systems and data. A common misconception is that to adopt Zero Trust, everything must be done at once. But this involves trying to overhaul much, if not all, of the security system, which is not a practical task. No organisation, regardless of skills and resources, can achieve this. An agile approach is needed, not a binary state of all or nothing. Above all else, Zero Trust is a continuously evolving journey towards a better security approach, based on the principle of least privilege.
Separating fact from fiction
As well as believing that Zero Trust requires an all or nothing approach – including allocating a huge team of people and an unlimited amount of resources and time to make it happen – there are several other misconceptions that discourage businesses from embarking on their Zero Trust journey. Whilst all are valid concerns, they can be easily addressed.
There is no such thing as perfection, yet some teams will hit the brakes before they have even begun because they don’t have what they consider to be perfect metadata. Firstly, no organisation has perfect metadata, as they’re always going through a process of sanitising data and making it more useful. Instead, businesses need to look at what metadata they currently have, as this is an insight into what can realistically be achieved.
In terms of technology, the process does not require shiny new equipment with a Zero Trust label. Zero Trust is a concept, not a product, and certainly is not something that you can just plug in and then tick the checkbox marked ‘Done’. Instead, organisations should look at what can realistically be done today. For example, every business has a directory service, such as Active Directory, from which permissions are assigned to roles. Permissions should be granted based on least privilege, so individuals only have the access needed for their role. However, reviewing and re-allocating everything would have previously been an arduous task that required great amounts of time and effort.
Now though, with automation by our side, this process ought to be far more achievable. Machines can assess and audit all permissions and scale them down, and if a user needs an additional permission, then they can put in a request, with the permission granted being automatically revoked as soon as the task is completed. Once businesses move past a reasonably small scale, automation becomes a fundamental need – a fact that some people are yet to realise.
IT teams are also often concerned about making changes in brownfield environments when there are ongoing production applications that cannot be disrupted. However, it’s important to reiterate that making small, well planned, well tested changes in these areas will not lead to significant disturbance. Teams do not have to complete an overhaul of all systems at one time to implement Zero Trust. They just need to take one small, carefully thought out step at a time.
What’s most important?
Adopting Zero Trust is a process of continuous improvement. While there are many steps to be taken, they should not be tackled all at once. Instead, organisations should take the iterative approach and regularly evaluate their position based on the actions taken so far. Any problems coming over the horizon should be acknowledged and addressed before proceeding further.
For example, let’s consider the process for introducing a micro-segmentation policy, with the aim of ring-fencing applications individually. It would be a gargantuan task to try and tackle all applications at the same time, so this is when we break it down. The priority could be to ensure production and non-production estates cannot talk to each other. If one environment is struck by a cyber attack, the other should remain completely isolated.
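As an added illustration (not from the interview or from Illumio), the sketch below audits observed traffic against that first priority using whatever environment labels already exist, and reports metadata gaps separately instead of waiting for perfect labels. The workload names, label values and flow records are constructed, and the function names are hypothetical.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port")

# Constructed inventory: workload -> environment label (None = label missing).
WORKLOAD_ENV = {
    "web-01": "prod",
    "db-01": "prod",
    "web-dev-01": "non-prod",
    "ci-runner": "non-prod",
    "legacy-07": None,
}

# Constructed flow records, as a flow log or connection table might supply them.
FLOWS = [
    Flow("web-01", "db-01", 5432),        # prod -> prod
    Flow("web-dev-01", "db-01", 5432),    # non-prod -> prod
    Flow("ci-runner", "web-dev-01", 443), # non-prod -> non-prod
    Flow("legacy-07", "db-01", 1433),     # source has no label
    Flow("db-01", "ci-runner", 22),       # prod -> non-prod
    Flow("backup-x", "db-01", 22),        # source not in inventory at all
]

def classify_flows(flows, env_of):
    """Sort flows into same-environment, cross-environment and unclassifiable."""
    report = {"allowed": [], "violations": [], "unknown": []}
    for flow in flows:
        src_env, dst_env = env_of.get(flow.src), env_of.get(flow.dst)
        if src_env is None or dst_env is None:
            report["unknown"].append(flow)      # metadata gap, not a verdict
        elif src_env != dst_env:
            report["violations"].append(flow)   # crosses the prod/non-prod line
        else:
            report["allowed"].append(flow)
    return report

def workloads_to_label(report, env_of):
    """Workloads whose missing label blocks a decision: the next labelling task."""
    return sorted({host for flow in report["unknown"]
                   for host in (flow.src, flow.dst) if env_of.get(host) is None})

if __name__ == "__main__":
    result = classify_flows(FLOWS, WORKLOAD_ENV)
    for flow in result["violations"]:
        print(f"cross-environment: {flow.src} -> {flow.dst}:{flow.port}")
    print("label before enforcing:", workloads_to_label(result, WORKLOAD_ENV))
```

Running the audit in report-only mode first shows which flows a production/non-production boundary would break, which supports the small, tested changes the article recommends for brownfield environments.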
At the head of most technological projects, including Zero Trust, is return on investment (ROI). The all-important question is: what is going to give the biggest risk reduction for the lowest cost? Whatever decision is made, teams must be able to effectively communicate their plans to the C-Suite level, as well as demonstrate tangible benefits from the money being spent. By breaking the process down into small steps, teams can course correct at any point along the journey.
Incremental progress = security improvement
Adopting Zero Trust does not need an in-depth, exacting roadmap that has every minute detail planned out. It’s unlikely the Romans planned the construction of the city down to the individual bricks. So, whilst it’s important to have an outline of the direction being taken, segmenting the process down into manageable bitesize chunks will help organisations stay on top of everything. Teams should also regularly assess the risk and reward ratio. Every organisation will have places where their risk is low, and so further investment wouldn’t provide tangible security benefits. This all feeds back into the message that not everything has to be tackled at once; invest in the areas of security that will give you sufficient return on investment in the most efficient time.
Zero Trust and least privilege are not new concepts. So, above all else, organisations should not be afraid to take their first steps in the Zero Trust journey. As long as any concerns remain rational, feeling overwhelmed is natural in the face of a security systems switch up. Taking the time to break down your existing systems and identify those areas that are a top priority is the first stage. Continuing to progress one step at a time is the key to ensuring a smooth and successful transition, and ultimately, a more secure organisation.