#CCSE22: Why Are Organizations Getting Zero Trust "Wrong"?

“You’re sold on the idea of zero trust. Now you need to implement it,” was the overarching theme of a star-studded panel discussion session titled 'Best Policy: A Guide to Implementing Zero Trust and Reducing Overall Risk' on day one of this year’s Cloud and Cyber Security Expo in Excel, London.

Tim Holman, chief executive officer of 2|SEC Consulting, introduced the session by instructing the audience, “this session is aimed at any organization at the beginning of its zero trust journey and will guide how you can gain greater control and visibility over your networks, reducing overall risk.”

Joining Holman were Milad Aslaner (senior director, cyber defense strategy at SentinelOne), Martin Ingram (product owner, identity and access management at Natwest Group) and Mark Osborne (chief information security officer at Jaja Finance).

Preempting the issue surrounding the term ‘zero trust,’ Holman’s opening question to the panel was, “what does zero trust mean to you, and do we need it?”

Osborne was first to throw down the gauntlet, ruing zero trust as a “marketing invention” even if there are valuable things within a zero trust architecture “including authentication, authorization and secure connections.” Osborne also stressed that the term is relatively old: “it’s something we’ve been doing for many years since the cybersecurity industry started, but we are doing it better now.”

Ingram echoed Osborne’s points but quizzed the audience, “I wonder how many of you would have a similar definition of ‘zero trust’ as the person sitting next to you. I agree with Mark that zero trust has become a buzzword.” Even if zero trust might mean various things, Ingram stressed that “we are living in a sea of data – it would be daft not to consider whether employees will be using that data appropriately. This explains why we need zero trust.”

Aslaner affirmed that zero trust is “nothing new, but now it can be pitched to the board and the public.” Drawing attention to the Biden Administration’s emphasis on zero trust, such as Joe Biden’s executive order 14026 in May of last year, he added that “businesses realized that they’ve got to implement zero trust frameworks.”

Holman then took the discussion up a notch by asking, “Given the sheer scale of attacks in businesses with zero trust, why are businesses getting zero trust wrong?”

Osborne replied first, emphasizing that businesses “are supposed to be doing it.” He went on to distinguish data protection from securing the data: “zero trust should make organizations think they are next-gen. I have a console to control all security controls. That is the best way to secure data. Single-sign on for everyone, MFA for everyone, etc.”

Ingram concurred with Osborne, reminding the audience that security is all about risk: “we are trying to mitigate risk.” Yet, it’s vital to recognize where imperfections exist. “Zero trust is the next stage of access mitigation, and hopefully, it will prevent further risks.” Despite these points, however, Ingram recognized that zero trust isn’t a silver bullet: “Social engineering attacks, for example, are proving to be an effective way for attackers to get around zero trust.”

Aslaner drew attention to zero trust migration being a multi-year journey. “People are looking for a single button and ‘now I have zero trust.’ Instead, we have to think what zero trust means for the entire organization and the benefits and build a multi-year plan to move to a zero trust model.”

In a similar vein to the previous question, the final question posed by Holman was, “when we test organizations, pen testers always seem to get in. That suggests zero trust isn’t working. So how and why are organizations getting it wrong?”

Osborne remarked that many of us get into a position of comfort, including those on the board. “Zero trust helps me look like less of an idiot,” stated Osborne, “it tells me how many privileged groups have access to our vault. It enables me to introduce identity access management.”

Aslaner pointed out that “the challenge is that we think in terms of checklists – ‘you need to have anti-virus, firewall, etc.’ Yet, this doesn’t show how these things should be implemented.” Aslaner’s central point is that maturity levels do not necessarily increase alongside the number of ticks: “Unfortunately, something bad has to happen for organizations to realize that, for example, anti-virus isn’t enough.” Inadequately defining architecture opponents means “threats will continue to occur.”

Ingram gave the concluding remark, drawing attention to the importance of retrospective learning: “the key is to learn how we went wrong. Zero trust provides a policy to do that, providing us with learning for effective prevention. It can stop things from happening again.”  
