How security teams can build a strong IT partnership for zero trust implementation [Q&A]

As the enterprise IT landscape has become more complex, security is no longer a matter of simply securing the network perimeter. The cloud and remote workers now have to be part of the equation too.

To cope with this, more and more businesses are turning to a zero trust methodology. We spoke to James Carder, CSO of SIEM platform LogRhythm, to find out more about why this is a technology whose time has come and how it can be implemented effectively.

BN: There are a few different ways zero trust is explained and interpreted. Can you give a brief overview?

JC: The term zero trust was coined by Forrester in 2010, but the model was not wholly supported until Google successfully built and implemented its form of zero trust, BeyondCorp, about six years later.

Essentially, instead of erecting many levels of security controls from the outside in, zero trust recommends safeguarding data from the inside out. It shifts the focus away from the numerous types of authentication and access controls, including the fallacy of single security perimeters, to tailored controls across sensitive data stores, applications and networks.

Zero trust shifts businesses away from all-encompassing corporate perimeters and breaks access down to identity types that are authenticated and authorized separately and as a part of a trust inference. Leveraging roles (user, system, application, data, network, etc.) that are separate with no inherent trust between them allows organizations to commission and decommission access on an individual basis. This micro-segmentation sits on top of a network architecture that leverages security monitoring and response and general protective/preventative controls, particularly at the device.

BN: Why is implementing zero trust so important now?

JC: In mid-May, the Biden administration issued an executive order that stated zero trust adoption would become a security requirement for all federal agencies. Zero trust is now a mandate for these agencies because, if implemented correctly, it is incredibly effective at preventing catastrophic breaches.

Now that the workforce is more distributed than ever, corporate perimeters with bolted-on compensating security controls are no longer an effective means of securing data and systems. The pre-pandemic perimeter and security controls are not likely to return. According to Gartner, 74 percent of CFOs plan to shift a portion of their employees to remote work permanently. That is why it is more important than ever for organizations across industries to move to a model comprised of a large number of so-called 'micro perimeters' at each identity type.

BN: Why is it essential to get buy-in from the IT team before implementing zero trust?

JC: Security teams need buy-in from IT before implementing zero trust because partnership with these individuals is essential to change the conventional IT infrastructure. IT generally manages infrastructure, systems, applications and data. Therefore, security teams need their help for an effective implementation of the model’s architectures and technologies. Security can't do it alone, and everyone must be on the same page in the understanding that legacy architecture is leaving the organization vulnerable. IT teams will likely be excited to be able to virtually eliminate the use of VPNs and minimize the corporate perimeter firewalls.

BN: What is the first step for implementation after buy-in from IT has been achieved?

JC: To start, security and IT should work together to develop a robust project plan and roadmap. This should include a timeline of key initiatives and priorities tailored to meet the needs of the size, complexity, and maturity of the business. Not all IT teams are experts in deploying zero trust, which is why this is also an important time to identify potential third-party vendors to assist.

BN: How does implementing zero trust benefit IT teams?

JC: Implementing a zero trust model establishes procedure efficiencies that will benefit IT teams by making their jobs easier long-term. Several examples should be communicated to the IT team to secure their buy-in, including:

  • Decreasing risk: Security and IT teams share the goal of protecting the company. Reducing risk is an obvious benefit, but there are several considerations to consider specifically related to IT teams, such as the time, money, and resources needed to mitigate a breach after it occurs.
  • Efficiency via automation: A critical piece of zero trust implementation is harnessing the tools and technologies that empower the organization to enhance and control the infrastructure. If appropriately implemented, it will lead to an immense productivity increase for the IT team, including user onboarding, streamlining rules and responsibilities, removing unnecessary admin rights and privileges, and more.
  • Reducing dependencies and maintenance costs: Decreasing dependencies, maintenance costs, and licensing on software such as VPNs and corporate perimeter firewalls can help support the cost of more efficient tools that will enhance IT functions. CIOs are frequently evaluated on process efficiency and standardization that decreases total cost for the enterprise. When employing elements of zero trust, there will be a need to invest upfront in certain technology components prior to shutting down obsolete legacy infrastructure. However, it is important to demonstrate the potential to cut overall costs and facilitate revenue growth for the future.

© 1998-2024 BetaNews, Inc. All Rights Reserved.