
Misconceptions Around Zero Trust

There are misconceptions around Zero Trust, as businesses may be fearful of a perceived need to completely rebuild their security architecture, but all it takes is a step-by-step approach. What is the journey to making the security of your business airtight?

20 June 2022

It’s been said repeatedly: Zero Trust is a journey. The core concepts of the Zero Trust strategy have circulated in the cybersecurity field for decades. Still, until the National Institute of Standards and Technology (NIST) released SP 800-207, there hadn’t been a reference architecture around which to build. It was Forrester analyst John Kindervag who initially coined the term years ago, and in the words of another Forrester analyst: “Zero Trust is not one product or platform; it’s a security framework built around the concept of ‘never trust, always verify’ and ‘assuming breach.’ Attempting to buy Zero Trust as a product sets organizations up for failure.”


Zero Trust isn’t a technology or even a fully codified framework: Zero Trust is a mindset, an approach, a way of viewing cybersecurity. But as the world has changed in the last few years, it’s a view that’s taken on greater and greater importance – and global enterprises like NTT DATA recognize that.

“The legacy idea of workers and workloads somehow being more secure just because they are sitting in some brick-and-mortar location was flawed to begin with,” says Steve Williams, Enterprise CISO (Chief Information Security Officer) for NTT DATA Services. “But that model has been thoroughly destroyed by today’s business reality, which requires workers to be productive from anywhere, at any time, on any device.” He adds, “To either gain or maintain a seat at the proverbial table, CISOs must look to Zero Trust as the means to not only secure their business but also continue earning the trust of their clients/customers.”

With any major undertaking such as this, you need a shared vision and leadership buy-in across all regions and business units. For a large global enterprise like NTT DATA, that means synchronizing multiple CISOs and many regulatory and compliance regimes.

Here is the story of how we at NTT DATA began our migration from traditional, perimeter-based security to a Zero Trust architecture.

The start of NTT DATA’s Zero Trust journey

NTT DATA started its journey nearly two years before the pandemic. “In 2018, it was rarified air to find vendors who were committed to building products that could be fully leveraged in a Zero Trust ecosystem,” says Williams. “Even today, Zero Trust remains more of a marketing term than an actual product or practice for many security companies. Fortunately, we’ve been able to find partners and solutions that have worked well for us and – most important – were willing to collaborate in the continuing journey towards Zero Trust.”

“NTT DATA is growing continually, and a significant part of that growth comes through mergers and acquisitions,” says Hiroshi Honjo, Head of Cyber Security and Governance at NTT DATA’s Technology and Innovation General Headquarters in Tokyo. “We had a very frank discussion with the board early on, and our position was that the only way we can consistently grow globally and stay secure is through a Zero Trust architecture.”

Any organization’s security is only as strong as its weakest links. For an organization like NTT DATA, spanning the globe with so much growth driven by M&A, there are plenty of links to examine. We recognized that we needed a common approach, framework and toolset to secure ourselves globally. We standardized on the NIST CSF and used a Zero Trust framework, paying particular attention to SP 800-207.

“There was some debate, of course,” says Honjo-san. “Changing from a traditional security architecture to Zero Trust requires significant investment, and the board wanted to see the justification for those costs. But the board ultimately recognized that NTT DATA needs to have security at the highest level globally while still having flexibility – and those were the factors that eventually swayed the board: Zero Trust allowed us to keep the utmost security while having the flexibility to react.”

Understanding the user experience

Zero Trust requires a fundamental shift in how work is performed and how workflows are handled, so we felt it was imperative to chart our journey with the user experience (UX) at the core. Security of any kind is most successful when it integrates with how users want to perform their duties, rather than forcing them to do something different or new. When security forces users to adopt more difficult or more time-consuming workflows, problems inevitably arise.


“Given the choice between convenience or security, people will choose convenience 99 times out of 100,” says Williams. “That’s not because people are lazy or evil. Rather, people are predisposed towards what psychologists call an optimism bias – the belief that you are less likely to experience some negative impact or event. We all think ‘that won’t happen to me’ when we’re watching news stories about major breaches.”

We had to design our Zero Trust architecture so that the most secure way to do things was also the most convenient. There’s often a disconnect between what technologists envision people doing and what people end up doing.

A classic metaphor for this behavior can be seen every day on campuses worldwide. Architects lay out concrete walkways between buildings along the routes they believe to be the best or most desirable, yet a glance at the dirt trails worn through the quads shows how people actually want to move. These are often referred to as desire paths.

Williams sees this as a challenge rather than an obstacle. “The successful CISO will embrace this disconnect and challenge themselves to use this pandemic-induced opportunity for a hybrid work environment to provide security around those natural paths wherever possible.”

A culture of continual improvement

Markus Künzler, EMEA CISO at NTT DATA EMEA Ltd, says that NTT DATA’s global security leaders have not only embraced this challenge but pushed each other to find new ways to meet it. “There has always been a spirit of cooperation globally when it comes to security, but I would say that it’s gone a step further now,” says Künzler. “Now it’s almost a friendly competition among us, all of us trying to find innovative ideas and new techniques and new ways to meet the challenges we’re facing. There’s a real spirit of the global community when it comes to NTT DATA’s Zero Trust program.”

“Our clients trust NTT DATA to be the trusted global innovator,” says Honjo-san. “And security has to be central to that. So as global CISOs, we have to communicate regularly, talk with each other about the challenges we’re facing, the risks we’re trying to mitigate, and the solutions that have worked for us. NTT DATA has incredible people and cutting-edge technologies at our disposal; it’s our job to ensure that we help build and maintain a culture that allows everything to flourish.”


This is the first in a two-part series on NTT DATA’s Zero Trust journey.
