The zero trust journey is all about taking measures to assure your business security at every level. While it sounds complex, it is simpler than it seems, and it is worth every effort to ensure that access to data is granted only to those who have sufficiently proved their identity at every stage necessary.
13 June 2022 • 4 min read
This is the second in a two-part series on NTT DATA’s Zero Trust journey. Read part one here.
Once we’d evaluated our own needs and strategy, and we’d gone through the arduous task of finding vendors who could meet those needs, our Zero Trust path got much smoother. Our journey started with the ‘new perimeter’: identity. We set out to ensure that the right users always have access to systems they need when they need it – while keeping everyone else out.
We implemented robust Identity and Access Management (IAM), including identity management workflows, role mining/defining, single sign-on (SSO), and multi-factor authentication (MFA). We then leveraged identity data about systems and users from a diverse range of sources within our ecosystem.
This data integrates with various endpoints to ensure only the right people gain access. The aim is a risk-based approach to granting access. If an account has been compromised – or if a user is connecting from a non-corporate device – then the decision around access (and the level of assurance needed to grant access) should reflect the confidence we have that this is a trusted user, with the level of assurance increasing as the perceived risk increases. This kind of architecture requires a well-integrated structure that enables sharing of information and orchestration of response.
The strategy is to use conditional access and private access agents for users and endpoints. This creates an encrypted, end-to-end connection, mimicking a VPN-like ‘bubble’ around our various digital properties and internal systems.
We extended internal servers and applications to our users via SASE (Secure Access Service Edge) Private Access, setting up our access restrictions such that only authorized endpoints could access systems and data. We use SASE tunnel ranges as well as security technology to ensure our endpoints are not only authorized NTT DATA devices but also protected end-to-end by our SASE solution.
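The risk-based decision described above, written as a policy function: private applications are gated on a managed endpoint arriving through the tunnel, and the assurance required for everything else rises with the risk score. This is an added example, not NTT DATA's code; the signal names, weights, thresholds and the tunnel range are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values: a documentation range standing in for SASE tunnel egress,
# and illustrative risk weights/thresholds. None of these come from the article.
SASE_TUNNEL_RANGES = [ip_network("198.51.100.0/24")]
WEIGHTS = {"account_flagged": 60, "unmanaged_device": 30, "off_tunnel": 20}
MFA_THRESHOLD, DENY_THRESHOLD = 20, 60

@dataclass(frozen=True)
class AccessRequest:
    source_ip: str
    managed_device: bool    # endpoint has a corporate identity and is managed
    account_flagged: bool   # identity reported as possibly compromised
    mfa_done: bool          # session already completed a second factor
    private_app: bool       # internal system published through private access

def on_tunnel(source_ip: str) -> bool:
    addr = ip_address(source_ip)
    return any(addr in net for net in SASE_TUNNEL_RANGES)

def risk_score(req: AccessRequest) -> int:
    score = 0
    if req.account_flagged:
        score += WEIGHTS["account_flagged"]
    if not req.managed_device:
        score += WEIGHTS["unmanaged_device"]
    if not on_tunnel(req.source_ip):
        score += WEIGHTS["off_tunnel"]
    return score

def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step_up_mfa' or 'deny' for one access request."""
    # Hard gate: private apps are reachable only from managed endpoints on the tunnel.
    if req.private_app and not (req.managed_device and on_tunnel(req.source_ip)):
        return "deny"
    score = risk_score(req)
    if score >= DENY_THRESHOLD:
        return "deny"
    # Required assurance rises with risk: past the threshold, SSO alone is not enough.
    if score >= MFA_THRESHOLD and not req.mfa_done:
        return "step_up_mfa"
    return "allow"
```

In this model a flagged account is denied even after MFA, because a second factor does not restore confidence in an identity that is already suspected of compromise.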
We did not, and still do not, provide our users with privileged access. We have adopted a catalog approach to installing applications, and our service desk uses a PAM (Privileged Access Management) solution to enable JIT (Just in Time) privileged access.
Our endpoints have their own identity and are managed, secured, and monitored via endpoint management solutions, OS (Operating System) and third-party application patch management, the SASE, as well as endpoint detection and response solutions.
Zero Trust isn’t simply about identity and access management from the perimeter: network security is still critical for providing defense in depth. To that end, we installed next-generation firewalls (NGFWs) to take advantage of device filtering, deep packet inspection, and other capabilities. And underpinning everything, of course, we continue to check our entire ecosystem. We make use of extensive vulnerability scanning to ensure all OS and application patches are installed and effective. Finally, all our security systems feed our SIEM (Security Information and Event Management) / UEBA solution to ensure real-time entity behavior analytics, anomalous activity identification, and automated workflows and case management to reduce time to respond.
As with any expedition of this scale, we’ve taken many lessons from our Zero Trust journey, many of which apply to any organization looking to follow our path.
There are some truly non-negotiable things with any Zero Trust program:
1. Executive sponsorship and buy-in: To weather the inevitable pushback that will come from across the business units when moving to Zero Trust, the executive team must be aligned from the start. You can’t start any journey unless you know where you’re headed, and making sure your executive team agrees on that destination is critical.
2. Hygienic Identity: To ensure you can accurately assess and assign each transaction, you need to have a known and trusted source of record.
3. Well-integrated technologies: Zero Trust needs a deep tech stack of security and business solutions working together with one another to send and receive the necessary security signals across various control points.
4. Clear communication with users: No matter how well-designed your Zero Trust roadmap is, your users will experience some changes. You need to ensure your people feel included and educated along the way and understand the reasons they are being asked to change behaviors. It’s not enough to simply tell them the ‘what,’ you need to give them a meaningful ‘why’ as well.
5. An abstraction layer: You do not want to be forced into a single (and therefore limited) tech stack, so you need the ability to add/remove/augment vendors as your security and business needs evolve.
In our experience, in practical application, missing any one of these things will lead to failure — or at least a compromised architecture. Beyond these critical factors, there are several “wish list” items that will make the journey much more comfortable and increase your chances of success:
“Designing security based on the risk of an individual transaction, rather than on a giant and often incomplete context, just makes sense,” says Steve Williams, Enterprise CISO (Chief Information Security Officer) for NTT DATA Services. “Unfortunately, it has largely remained an intellectual exercise. Vendors are more than happy to throw ‘Zero Trust’ around as marketing jargon, but most solutions have effectively no real capabilities or ability to help you develop a true ZTA (Zero Trust Architecture).”
It’s up to the security leaders of each organization to set up their own Zero Trust goals and needs, and to work with a provider that has experience in designing Zero Trust programs. Be honest and fearless in evaluating your own capabilities and those of prospective (and current) vendors. It’s not an easy journey, but it’s a trip well worth the effort. The world isn’t slowing down, nor is the evolution of the threats we all face. Zero Trust is not an end state: it’s just the next phase in doing everything we can to ensure our clients, our businesses, our users, and our critical data are as safe as they can possibly be.