What We Learned Defining Successful Zero Trust Client Journeys

May 5, 2020
| |
4 min read

How and where we work has changed dramatically, and this year, organizations are operating in a new normal. Fortunately, the hybrid multicloud environment has offered us an opportunity to rapidly pivot, allowing the workforce, customers and partners to access organizational resources and data wherever they are, whenever they need them.

While this change can afford remote access, it requires solid security strategy, governance and risk planning to protect key resources and the privacy of our users. It’s not as simple as securing the perimeter with a castle-and-moat defense. A hybrid multicloud environment can bring more complexity and a porous attack surface. Security teams need to consider new offensive and defensive strategies in today’s threat landscape.

Threat actors target the expanded attack surfaces created by distributed security environments. Organizations now face insider threats, attacks on employee-owned devices, targeted phishing schemes, destructive malware and stolen credentials from employees, admins, and third-party vendors and customers. And this is just the tip of the iceberg. The security threat landscape is broader and more complex than ever before.

As a result, many organizations are looking to apply principles of least privilege or deny-by-default policies like Zero Trust. This method aims to enable only the right users under the right conditions to have the right access to the right data. While it may seem like you’re putting resources on lockdown, successful implementation of Zero Trust can actually help bring context and insight into a rapidly evolving attack surface and improve the experience of your users.

Why Is It So Challenging to Execute Zero Trust?

Zero Trust as a security practice has been around for nearly a decade but is currently gaining popularity as many security and risk leaders realize that current strategies need to evolve with the changing security landscape.

Zero Trust as a security practice originated with network systems and infrastructure practices and evolved to broad, continuous verification of access across data, people, systems and applications. What makes Zero Trust so challenging is the confluence of implementing the right deny-by-default policies and integration across multiple domains while ensuring business operations are minimally impacted. It’s a delicate balance and one requiring a thoughtful vision, strategy and implementation.

We often hear that clients want to implement Zero Trust but they either don’t know where to start due to its complexity, or don’t know how to prioritize and balance existing initiatives while developing a long-term Zero Trust strategy and vision. This anecdotal evidence is backed up by a recent Zero Trust adoption research report by Cybersecurity Insiders that found 78 percent of security organizations surveyed are looking to embrace a Zero Trust security strategy, yet 47 percent of enterprise IT security teams lack the confidence to implement Zero Trust with their current security technology. So, where and how does a security team get started?

Building a Zero Trust Governance Model

A Zero Trust governance model can help prioritize the security principles that must be put in place across the security domains to achieve the objectives of Zero Trust. With this, it becomes easier to understand gaps and plan actions that will have a measurable impact on security.

Here at IBM Security, we believe that there are four core tenets or principles of a functional Zero Trust governance model:

  1. Define Context — Discover and classify resources based on risk. Coordinate actions across the ecosystem for consistency and context.
  2. Verify and Enforce — Protect the organization by quickly and consistently validating, enforcing and implementing Zero Trust policies and controls.
  3. Rapid Response — Resolve and remediate security incidents with minimal impact to the business by taking targeted actions based on context.
  4. Analyze and Improve — Continually improve security posture by adjusting policies and practices to make faster, more informed decisions to help tighten security around each resource.

Governance and Zero Trust go hand in hand. Get your Zero Trust governance strategy right, and you can be well on your way to implementing Zero Trust the right way. It’s worth noting that Zero Trust can also require an organizational culture shift in order to successfully implement. Finally, be sure to take the needs of both your users and stakeholders into account when implementing any security solution.

Making Zero Trust Actionable With an Enterprise Use Case

Once you’ve fully developed your Zero Trust governance model, you can apply it to a specific use case scenario. We believe this approach makes Zero Trust achievable and can help improve maturity across multiple security domains in a targeted way. You also won’t be trying to do everything at once but can still see measurable progress toward maturity. Consider the following example scenarios and how this might cut across security domains in your organization:

Source: IBM Security

A use case scenario approach is not solving a problem in one security domain but rather potentially solving a group of problems and aligning directly to business and IT objectives and priorities. Following this method, your organization can look at challenges that span data, users, workloads, networking, security orchestration, automation and response — the major elements defined by Forrester’s Zero Trust extended ecosystem and similar models.

Starting Your Zero Trust Maturity Journey

If you’re unsure how to get started or need help maturing existing capabilities, consider the guidance and support of a security services provider like IBM Security. One place to start might be a Zero Trust assessment designed to help your organization identify security gaps that need to be addressed to help mature capabilities. We can help you select the right use case scenario to apply Zero Trust principles and assess your readiness across your various security domains.

Next, your organization or a security services partner can create a prioritized roadmap to mature Zero Trust security controls in a way that aligns with your company’s unique security, industry compliance and budgetary requirements.

Work on building your Zero Trust strategy with the help of IBM Security Services professionals. Our team is standing by to answer your most pressing Zero Trust questions.

Learn more about the importance of Zero Trust security for your business at Think Digital.

Visit Think Digital Now
David Langlands
Partner, IBM Security Services

David Langlands is a Partner and Global Leader in the IBM Security Services business unit, responsible for overseeing Infrastructure and Endpoint Security an...
read more