Adopting a zero trust approach to reduce risk and enable enterprises to thrive

Phil Packman, CISO, Commercial Contracts, BT, on zero trust security

Phil Packman, CISO, Commercial Contracts, BT, discusses how organisations can thrive by adopting a zero trust approach to security.

As the reach of IT extends to every aspect of our modern business lives, CIOs and CISOs are increasingly uniting to defend their organisations.

IT security has shot up the list of priorities for most business leaders, making security threats a significant consideration in many board-level risk models. We know that attackers are constantly looking for weaknesses to exploit – and with cloud and hosted services, these gaps can lie outside your perimeter.

Couple this complexity with the vast attack vectors presented by the Internet and hyper-connectivity, and the security challenge expands further. So, in the face of this reduced visibility and control, how do the CIO and CISO manage IT security risks whilst making the most of the transformative possibilities of IT?

Boosting IT security with a zero-trust environment

Increasingly, organisations are taking a zero-trust approach, focusing on where the gaps are and how people might exploit them. In a zero-trust environment you assume that all application access is potentially malicious or undesirable. Instead of trying to police all the borders and paths across your network, you create islands of applications and data that you can protect in a much more focused way.

Zero-trust uses far more attributes to control access than standard strategies, going beyond simple criteria such as source IP address or username. Do you know who is accessing your data? What applications do they want to use and when do they want to access them? How do they want to connect to the applications? Where are they coming from?

A zero-trust mindset means you can segment and control applications in a way that provides only the functionality that’s needed, efficiently and securely.
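As an added illustration (not code from the article or from BT), the difference between a perimeter-style check on username and source IP and a per-application policy that evaluates the attributes listed above: who, which application, when, how they connect and where from. The application names, users, network range and field names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed request carrying the attributes the article asks about.
@dataclass(frozen=True)
class AccessRequest:
    user: str
    application: str
    hour_utc: int        # 0-23, "when do they want to access it"
    connection: str      # "how do they want to connect", assumed labels
    source_ip: str       # "where are they coming from"

CORP_NET = ip_network("10.0.0.0/8")   # constructed corporate range

def legacy_allow(req: AccessRequest, known_users: set) -> bool:
    """Perimeter model: a known username inside the network gets everything."""
    return req.user in known_users and ip_address(req.source_ip) in CORP_NET

# Constructed policy: each application is its own island, exposing only the
# users, hours, connection methods and source networks it actually needs.
APP_POLICY = {
    "email": {"users": {"alice", "bob"}, "hours": range(0, 24),
              "connections": {"managed_device_tls", "personal_device_mfa"},
              "networks": None},          # reachable from anywhere
    "payroll": {"users": {"alice"}, "hours": range(7, 20),
                "connections": {"managed_device_tls"},
                "networks": [CORP_NET]},   # corporate network only
}

def zero_trust_allow(req: AccessRequest) -> tuple:
    """Deny by default; every attribute must pass, and the failing one is named."""
    policy = APP_POLICY.get(req.application)
    if policy is None:
        return False, "unknown application"
    if req.user not in policy["users"]:
        return False, "user not entitled to application"
    if req.hour_utc not in policy["hours"]:
        return False, "outside permitted hours"
    if req.connection not in policy["connections"]:
        return False, "connection method not permitted"
    nets = policy["networks"]
    if nets is not None and not any(ip_address(req.source_ip) in n for n in nets):
        return False, "source network not permitted"
    return True, "allowed"
```

The legacy check lets any known user on the corporate network reach every application and blocks a legitimate remote mailbox user, while the per-application policy decides both cases on the full set of attributes.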

Start small for low-risk learning

For most large organisations, the move to zero-trust needs to be a multi-phase, multi-year project that reaches beyond the remit of the IT department. A thorough understanding of applications and data flows is essential, as is a solid identity strategy. All of this must be set in the context of the business outcomes required from specific applications and who needs what level of access to them.

We advise starting small when it comes to adopting a zero-trust approach. Too often, large, established organisations begin with a substantial and complex application, then struggle to achieve the necessary level of visibility around how it’s used. By starting with a smaller, less complex application or a well-known and understood service, you can learn in a way that doesn’t impact the business but still provides repeatable and reusable controls and experience.

Migrating email to Microsoft Office 365 is an example of a strong starting point. A major public sector client successfully began implementing a zero-trust model in this way – taking a discrete application (email) and migrating it to a segmented island in the cloud. We worked with partners to provide the necessary communication, monitoring and visibility to deal with employees’ personal access devices and the infrastructure they used that sat outside the organisation’s control.

CIO and CISO collaboration is essential to zero-trust success

The zero-trust approach to enterprise architecture requires ongoing effort from both the CIO and CISO departments. By working together to create a more effective, strategic and focused approach, they can minimise data breaches and improve the organisation’s ability to contain and defend against cyberthreats.

Intelligent CISO