Christian Koch
Senior Vice President Cybersecurity and Lead for IoT/OT NTT DATA DACH
More from this contributorThe issue of zero trust often appears after the introduction of various cloud applications. In some cases, we also have customers where the CIO or CISO gets questions from the board about cybersecurity, data protection and the risks for the company. They are then asked specifically about their own IT strategy for zero trust.
The question arises of how to ensure secure access for a distributed environment. Zero trust architecture means that everyone who wants to access data, applications and systems in the cloud and the corporate network is treated in such a way as if they were an untrustworthy outsider.
Whenever data migrates to the cloud – whether Microsoft, AWS or Google – and cybersecurity awareness increases as a result of incidents in the press, at partner companies or even in your own company, the question arises of how to ensure secure access for a distributed environment. Then it says: we want maximum security, ideally a zero trust architecture. That means that everyone who wants to access data, applications and systems in the cloud and the corporate network is treated in such a way as if they were an untrustworthy outsider.
From now on there is no longer a leap of faith for employees. What does that mean in practice?
Better security, faster
The good news for you is, in the first step, zero trust does not require you to completely rebuild the entire network and cloud infrastructure, nor to carry out micro-segmentation down to the last small segment. Likewise, new hardware for the entire network does not have to be purchased immediately. And no, there is no need for an assessment of the entire infrastructure in all parts of the company either – unless you want to introduce zero trust according to textbooks, which means that nothing happens for at least a year. By “nothing” I mean: this year your data will not be a millimeter more secure. That’s why we at NTT DATA are tackling the issue pragmatically so that our customers can quickly benefit from more security.
With Zero Trust you can start immediately
So that we don’t misunderstand each other, of course, before every zero trust project, we take stock. Which technologies are in use? Which cloud-based applications? What is the status of authentication? However, instead of examining all aspects of Zero Trust – identities, end devices, applications, network, infrastructure and data – we build on the basis of Zero Trust, namely the existing identity management with rights, roles, organizational units and suitable strong authentication processes for the users. This forms the basis for Zero Trust.
With a solution-oriented approach, you have more data security with every measure.
The second step is then to identify applications and systems that can be easily optimized in the direction of Zero Trust. These mostly include cloud applications, where the microservices can be segmented with relatively simple means, connected to the identity management via a ‘conditional access engine’ and the data can be secured within the application. With this solution-oriented approach, you have a bit more data security with every measure. In good business terms, with our customers, we are getting more and more Zero Trust, quick win for quick win.
As I said, the first thing we do is focus on our customer’s existing identity management. Experience shows that people often think in black and white, i.e. either no access at all or full data access. This rarely helps data security and data protection. Here it is important to raise barriers according to defined roles and access authorizations and requirements and thus to implement secure, always traceable ‘limited access’.
Securing all data access
To anyone who is now wondering whether it might not be better to convert the entire infrastructure to Zero Trust right away, I would like to answer the following:
If employees access the company’s cloud services from home, then they don’t have any infrastructure operated by you in between. A highly secure company IT structure does not protect the data from access from mobile devices – whether it is on the desk at home, in the ICE on-board restaurant or in the lecture room of a hotel.
A Zero Trust network concept is certainly important and should not be neglected, but it is not the first priority for the project start. Usually there are also dependencies on the hardware or software used and it has turned out to be easier to focus on these topics based on Zero Trust concepts when replacing hardware or software after maintenance has expired. That’s why I advise you: start Zero Trust with identity management and applications where the implementation does not require a complete redesign. For an initial, professional overview, we recommend our Strategic Guide to Zero Trust.
