Organizations should press forward more urgently on adopting Zero Trust because traditional approaches to cybersecurity aren’t working anymore. It’s no longer enough to protect the perimeter, said Chris Ruetz, AVP and Country Manager for CyberArk, at a CanadianCIO Virtual Roundtable. “Perimeters are falling down now due to remote work and the cloud,” he said. “Identity is the new perimeter.”
Zero Trust is a strategy based on the idea that the identity of anyone (or anything) trying to connect to an organization’s systems must be verified before access is granted, whether or not they are already inside the network.
However, many organizations are struggling to make this shift. “You’d be surprised at the number of organizations running manual identity management processes,” said James Toomey, Country Manager – Canada for SailPoint. It was clear from the discussion that this is not a sustainable way to prevent data breaches.
What does Zero Trust really mean?
“Zero Trust is not a product,” said Ian Gritter, Manager, Sales Engineering at SailPoint. “It’s a desire to prove that every step along the way has the appropriate security.” This means placing identity at the centre of the security architecture and truly understanding who should have access to what and how that access is used, he said. “Identity is the currency for validation,” said Gritter. “You need to prove you are who you say you are.”
Fundamentally, organizations should be seeking to prevent credential theft, stop lateral movement within the network, and limit escalation and damage from attacks, explained Ruetz.
The situation becomes more complex with cloud, said Gritter. Security problems arise when applications that weren’t originally architected for the cloud are moved there, he said. As well, it becomes difficult to rely on manual processes to track access when applications can be spun up or down so rapidly in the cloud.
Where to begin with Zero Trust
Implementing Zero Trust does not mean that organizations have to scrap their existing infrastructures, Toomey reassured participants. It can be adopted as a phased approach over time. “The first step is to define the business outcomes you want to achieve,” he said. “Look at your inventory of technology and leverage against that. Put a plan in place and stick to it. Too often, organizations get distracted and make changes, which introduces more risks.”
To begin, organizations can use assessment tools to scan their environments to identify existing risks related to privileged access, Toomey said. Their security partners can also provide guidance to help identify the highest priority applications to protect.
From there, a mix of technologies such as multi-factor authentication, identity and access management, privileged access and network segmentation can provide defence-in-depth, said Ruetz. Organizations need to establish the rules and policies for who can access which systems. It takes continuous multi-step authentication to defend important assets against cyber attacks.
Behavioural analytics and AI can help to understand unusual patterns and to automate the process, Ruetz said. “Where we’re going is not just automating processes,” added Gritter. “With AI and machine learning, we need to get to a point where it is autonomous or we will never keep up.”