Adoption of zero trust practices and technologies has steadily increased; 49% of security leaders say their organizations have implemented zero trust solutions, up from 24% in 2019, according to Foundry’s 2022 Security Priorities Study.
However, many IT environments have changed since 2019, with the rise in adoption of cloud and edge computing. These expanding environments require a fresh look at zero trust plans.
What are the key considerations for zero trust adoption across the entire organization, from edge to cloud? We posed that question to the CIO Experts Network, a community of IT professionals and technology industry influencers. Here are their recommendations.
Get trust to develop trust
Damaging cyberattacks and data breaches have pushed organizations to prioritize tighter IT security. Zero trust takes that objective to a ground-zero philosophy: Trust no one.
“Organizations have traditionally considered employees or contractors as within the circle of trust, despite the fact that insider threats are some of the largest risks,” said Tennisha Martin (misstennisha), executive director and chairwoman at BlackGirlsHack.
Especially in an edge-to-cloud world where IT boundaries have blurred, zero trust requires “an organizational transformation and making no assumptions of trust about who is connecting to the network and what their intentions are,” Martin added.
But before developing a zero trust strategy, check your intentions, said Ben Rothke (@benrothke), senior information security manager at Tapad.
“If someone told me they wanted to deploy a zero trust architecture in their enterprise, I’d ask them to give me a technical overview of zero trust, and then ask what security problems they expect a zero trust architecture to solve,” Rothke said. “Any CxO who can’t articulately elucidate these two things is buying hype, not a security solution.”
Next, get senior executives on board, say the experts:
“Zero trust needs a top-down, cross-functional approach or it will most likely stall in certain lines of business. Executives need to align on the strategy and roadmap as it is a journey, not an overnight project.” — George Gerchow (@georgegerchow), CSO and SVP of IT, Sumo Logic
“The only meaningful consideration of zero trust adoption is when the board and CEO are willing to trust and partner with the CISO to effectively mitigate business risks. A recent Gartner study found that a CISO who can effectively tie business outcomes to a material reduction in business risk through practical implementation of zero trust controls will make security an asset for their organization that enables them to compete more effectively.” — Kayne McGladrey (@kaynemcgladrey), field CISO, Hyperproof
Prepare for change
Once senior leadership is aligned, get the rest of the organization onboard and prep everyone for cultural change.
For example, the vast uptake in remote work and expanded use of cloud services have altered employees’ experiences and expectations. Zero trust may change user behaviors around activities associated with working remotely or accessing cloud applications, say the experts:
“Your organization will need to understand, monitor, and approve users and devices to ensure they are authorized to carry out what they are doing. The growth of shadow IT and users’ ability to consume software via the cloud will require the IT department to have strong policies in place and be able to audit regularly. The knock-on effect on the end user is the experience. You will need to consider the impact on their daily tasks.” — Alex Farr (@AlexFarr_IT), chief technology officer at Christie Group
“Zero trust is a cultural ‘180’ from times when developers had system root access and end users had permissions to all files because it was easy to implement and caused less friction. Once people understand why zero trust is critical today, then IT and security leaders are one step closer to securing apps, data, and identity from edge to cloud.” — Isaac Sacolick (@nyike), president of StarCIO and author of Digital Trailblazer
There are valuable benefits to be gained from preparing for change, said Scott Schober (@ScottBVS), president/CEO at Berkeley Varitronics Systems, Inc. “If everyone in the organization understands the security risks and the need for zero trust tools, organizations can maintain secure networks while maximizing productivity.”
Strategize the zero trust journey to the edge and cloud
As Gerchow at Sumo Logic said, zero trust adoption from edge to cloud is not a one-and-done project. It’s not even the same strategy for every organization. That’s why you need to map it out.
Zero trust approaches typically include a thorough risk assessment, identity and access management (IAM) policies, network segmentation, and security analytics. Many organizations get the process started with identification and classification of assets, and multi-factor authentication (MFA) implementations.
Specifically for edge to cloud implementations, make sure you have the right “tools and protocols that can work seamlessly through the cloud, on-site, and even in hybrid environments,” said Schober. “This ensures continuous monitoring and analysis of all security events and potential threats.”
Other experts agreed and added other capabilities that address edge and cloud environments:
“Begin with a solid IAM strategy, secure access service edge (SASE), and centralized logging for visibility across siloed data sources.” — Gerchow
“Automation of tasks such as security policies, provisioning/de-provisioning of access, and incident response should be at the top of your zero trust considerations. Cloud security is another one, because you must extend zero trust to all cloud environments under your management. Organizations building zero trust must implement encryption, access control, and data loss prevention to secure their cloud applications and data.” — Will Kelly (@willkelly), freelance writer focused on the cloud and DevOps
“Zero trust means verifying every remote transaction request from users and systems alike. While there are many zero trust implementations that use artificial intelligence and other analysis methods to verify users, there is much less focus on verifying remote systems. As we move to more edge computing environments — like autonomous vehicles, smart cities, healthcare, IoT, etc. — they present a potential clear and present danger to the overall computing environment.” — Jack Gold (@jckgld), president and principal analyst at J. Gold Associates, LLC.
Test, train, and include safeguards
Finally, all these strategies require “testing, training, and security-access safeguards to ensure successful securing of clients from edge to cloud,” said Adam Stein (@apstein2), principal at APS Marketing.
“Testing ensures that the compliance and integration goals the team has are, in fact, achieved before full production deployment,” Stein said. “Training of both IT team and end users should include simple-to-follow visual guides. And strong identity-based access controls should include MFA, enhanced device visibility, and SASE-/SD-WAN- powered segmentation.”
For more information, visit https://www.hpe.com/us/en/solutions/security.html