There are misconceptions around Zero Trust, as businesses may be fearful of a perceived need to completely rebuild their security architecture, but all it takes is a step-by-step approach. What is the journey to making the security of your business airtight?
20 June 2022 • 4 min read
It’s been said repeatedly: Zero Trust is a journey. The core concepts of the Zero Trust strategy have circulated in the cybersecurity field for decades. Still, until the National Institute of Standards and Technology (NIST) released SP 800-207, there hadn’t been an architecture around which to build. Forrester analyst John Kindervag initially coined the term years ago. In the words of another Forrester analyst: Zero Trust is not one product or platform; it’s a security framework built around the concept of ‘never trust, always verify’ and ‘assuming breach.’ Attempting to buy Zero Trust as a product sets organizations up for failure.
Zero Trust isn’t a technology or even a fully codified framework: Zero Trust is a mindset, an approach, a way of viewing cybersecurity. But as the world has changed in the last few years, it’s a view that’s taken on greater and greater importance – and global enterprises like NTT DATA recognize that.
“The legacy idea of workers and workloads somehow being more secure just because they are sitting in some brick-and-mortar location was flawed to begin with,” says Steve Williams, Enterprise CISO (Chief Information Security Officer) for NTT DATA Services. “But that model has been thoroughly destroyed by today’s business reality, which requires workers to be productive from anywhere, at any time, on any device.” He adds, “To either gain or maintain a seat at the proverbial table, CISOs must look to Zero Trust as the means to not only secure their business but also continue earning the trust of their clients/customers.”
With any major undertaking such as this, you need a shared vision and leadership buy-in across all regions and business units. For a large global enterprise like NTT DATA, that means synchronizing multiple CISOs and many regulatory and compliance regimes.
Here is the story of how NTT DATA began our migration from traditional, perimeter-based security to a Zero Trust architecture.
NTT DATA started its journey nearly two years before the pandemic. “In 2018, it was rarified air to find vendors who were committed to building products that could be fully leveraged in a Zero Trust ecosystem,” says Williams. “Even today, Zero Trust remains more of a marketing term than an actual product or practice for many security companies. Fortunately, we’ve been able to find partners and solutions that have worked well for us and – most important – were willing to collaborate in the continuing journey towards Zero Trust.”
“NTT DATA is growing continually, and a significant part of that growth comes through mergers and acquisitions,” says Hiroshi Honjo, Head of Cyber Security and Governance at NTT DATA’s Technology and Innovation General Headquarters in Tokyo. “We had a very frank discussion with the board early on, and our position was that the only way we can consistently grow globally and stay secure is through a Zero Trust architecture.”
Any organization’s security is only as strong as its weakest links. For an organization like NTT DATA, spanning the globe with so much growth driven by M&A, there are plenty of links to examine. We recognized that we needed a common approach, framework and toolset to secure ourselves globally. We standardized on the NIST CSF and used a Zero Trust framework, paying particular attention to SP 800-207.
“There was some debate, of course,” says Honjo-san. “Changing from a traditional security architecture to Zero Trust requires significant investment, and the board wanted to see the justification for those costs. But the board ultimately recognized that NTT DATA needs to have security at the highest level globally while still having flexibility – and those were the factors that eventually swayed the board: Zero Trust allowed us to keep the utmost security while having the flexibility to react.”
Zero Trust needs a fundamental shift in how work is performed and how workflows are handled, so we felt it was imperative to chart our journey with the User Experience (UX) at the core. Security of any kind is most successful when it integrates with how users want to perform their duties, rather than forcing them to do something different or new. When security forces users to adopt more difficult or more time-consuming workflows, problems inevitably arise.
“Given the choice between convenience or security, people will choose convenience 99 times out of 100,” says Williams. “That’s not because people are lazy or evil. Rather, people are predisposed towards what psychologists call an optimism bias – the belief that you are less likely to experience some negative impact or event. We all think ‘that won’t happen to me’ when we’re watching news stories about major breaches.”
We had to design our Zero Trust architecture so that the most secure way to do things was also the most convenient. There’s often a disconnect between what technologists envision people doing and what people end up doing.
A classic metaphor for this behavior can be seen every day on campuses worldwide. Brilliant architects designed concrete walkways between buildings that they believed to be the best or desirable paths, yet simply looking at the dirt trails worn through the quads shows how people naturally want to move. These are often referred to as desire paths.
Williams sees this as a challenge rather than an obstacle. “The successful CISO will embrace this disconnect and challenge themselves to use this pandemic-induced opportunity for a hybrid work environment to provide security around those natural paths wherever possible.”
Markus Künzler, EMEA CISO at NTT DATA EMEA Ltd, says that NTT DATA’s global security leaders have not only embraced this challenge but pushed each other to find new ways to meet it. “There has always been a spirit of cooperation globally when it comes to security, but I would say that it’s gone a step further now,” says Künzler. “Now it’s almost a friendly competition among us, all of us trying to find innovative ideas and new techniques and new ways to meet the challenges we’re facing. There’s a real spirit of the global community when it comes to NTT DATA’s Zero Trust program.”
“Our clients trust NTT DATA to be the trusted global innovator,” says Honjo-san. “And security has to be central to that. So as global CISOs, we have to communicate regularly, talk with each other about the challenges we’re facing, the risks we’re trying to mitigate, and the solutions that have worked for us. NTT DATA has incredible people and cutting-edge technologies at our disposal; it’s our job to ensure that we help build and maintain a culture that allows everything to flourish.”
This is the first in a two-part series on NTT DATA’s Zero Trust journey. See here for the second part.