Why Gaining Buy-In Across the Organization Sets the Foundation for an Intelligent Identity Perimeter
In our recent article series on Zero Trust Identity, we talked about how Zero Trust is fundamentally changing the way forward-thinking business and security leaders are making decisions about risk. We’ve discussed why a Zero Trust approach is essential for securing today’s cloud-first, geographically distributed digital businesses in the face of a dynamic threat landscape. We’ve outlined the essential building blocks for implementing a Zero Trust Identity architecture in the real world. And we’ve sketched out the most important elements of a strategic roadmap that will move you towards Zero Trust Identity over the longer term.
This is the third article in the series. Here, we’ll dig deeper into the organizational habits and ways of thinking that are needed for successful Zero Trust adoption. Shifting mindsets — among security practitioners and business leaders alike — is vital. It may be much more difficult to accomplish than simply buying and deploying new tools, but it’s even more important.
In today’s data-dependent, digital-first world, every company is a technology company. Even if your business doesn’t create or sell digital products, technology is at the core of most modern business processes. Whether you’re thinking about HR, accounting, or sales, you’ll realize that stakeholders from every business unit and department of your company must have seamless and reliable access to the right technology tools at the right time if they’re to get their jobs done. And of course, this is essential for the success of the business as a whole.
Nowadays, only a small percentage of enterprise IT assets reside within heavily fortified internal networks. Most are instead dispersed across multiple clouds and physical locations all over the world, and identity has become the new perimeter where security defenses must be focused. Still, some security programs continue to treat a VPN connection as proof of trustworthiness, take set-it-and-forget-it approaches to granting access, or assume that every internal identity is safe. The assumptions behind such approaches reflect outdated ways of thinking, and in today's world they must be changed.
Adopting a Zero Trust mindset enables security teams to better defend complex and dynamic computing environments. But it also provides more seamless, just-in-time access to the resources needed for productivity, innovation, and business success. When an organization embraces Zero Trust, it should adopt technologies, ways of working, and policies that support business agility while enhancing security. But in order to achieve this end, business leaders, security practitioners, and stakeholders across the organization will need to work together in support of shared objectives.
When IT resources no longer live only inside the data center, when people no longer work only in the office, and when sensitive data is generated by every part of the business, security can no longer be the sole purview of the security team. Instead, security must become an integral part of the company culture — something that every employee understands and contributes to.
Cultivating a Zero Trust Mindset
It’s often said that the most effective approaches to IT security are grounded in a multi-layered model encompassing people, processes, and technology. Zero Trust is no exception. Moving towards Zero Trust requires, of course, investing in the right technologies and designing an architecture that can extend robust security across an IT ecosystem reaching far beyond the “trusted internal zone” of a corporate network. But it also requires that people:
- take information security seriously
- understand the foundational concepts within the Zero Trust approach
- know where sensitive and confidential data resides and how to handle it
- contribute to building stronger policies and a more cyber resilient organization
- agree on which security policies apply in which situations, and follow them consistently
Cultivating a Zero Trust approach requires buy-in from executive leadership all the way down to identity and security practitioners. Members of the board and CISOs alike must believe that a Zero Trust approach is something they can rely on to foster business agility, improve data protection, and mitigate real-world risks. And they must be willing to implement (and participate in) the policies and operational processes that support this approach. Otherwise, people will be the weakest link in your organization’s defenses.
People are creatures of habit; they can be resistant to change. When a team has been doing something the same way for a long time, it can be difficult to convince them of the necessity of doing it differently. Often, we see this at play when it comes to granting access to applications or granting privileged access to IT resources. When the usual process is to create accounts with longstanding or open-ended access, entitlements accumulate over time: people change roles and projects, but nobody revokes what they no longer need. The result is that the company’s attack surface keeps growing.
Moving to Zero Trust involves implementing tools that support just-in-time privilege elevation and time-bound access. But it also involves large-scale cultural change that starts at the top. The Zero Trust mindset needs to be company-wide. Adoption should involve everyone, not just the security team. Stakeholders across the organization must understand why adopting this approach will reduce risks and support productivity. Zero Trust adoption should include training in how to grant precise, dynamically scoped access that lets employees reach everything they need to get their jobs done, and nothing more.
Mythbusting: What Zero Trust Isn’t
Clear and consistent communication with employees and stakeholders across the business is an essential part of Zero Trust adoption. If you’re to achieve universal buy-in, you need to ensure that everyone understands exactly what Zero Trust is — as well as what it isn’t. In a world where misinformation and misconceptions abound, it’s key to explain how and why Zero Trust represents the most effective approach to information security for today’s dynamic and distributed IT ecosystems.
Here are some common misconceptions that are important to address:
- Zero Trust is nothing more than a new way for vendors to talk about the same old products. Today, U.S. federal agencies are required to adopt Zero Trust principles when designing security architectures for their cloud-based and hybrid computing environments (Executive Order 14028 and OMB Memorandum M-22-09). The model has been defined by reputable, vendor-neutral, cross-industry authorities, including the National Institute of Standards and Technology (NIST), whose Special Publication 800-207, Zero Trust Architecture, describes the logical components and deployment scenarios for building Zero Trust security within enterprise environments. Zero Trust is now well defined, and it’s possible for any organization to move closer to this ideal.
- Zero Trust gives employees the impression that they’re not trusted. Trust is part of human nature, and people are inclined to help others and provide them with the information they need to get their jobs done. In fact, Zero Trust supports this, though it ensures that data access takes place on a need-to-know basis, where information is shared only after verifying the appropriateness of the access request. Just because there’s no assumed or implied trust doesn’t mean there’s no trust. Instead, there’s explicitly justified and appropriately granted trust. Also, access is continually validated to ensure that it remains appropriate throughout the session and the whole of an identity’s lifecycle.
- Zero Trust is too difficult or impractical to implement in the real world. Zero Trust adoption is a journey, not a destination. Successful adoption requires you to follow the right strategy as you progress along the journey. The Zero Trust journey includes multiple components, ranging from security awareness training to multiple layers within a defense-in-depth approach that’s grounded in the understanding that identity is the new perimeter. Whenever you grant access to a resource, you incur some degree of risk. Zero Trust doesn’t eliminate this risk, but it does involve continuously improving security processes to mitigate it. Improving your ability to monitor assets and access usage in order to eliminate unnecessary access rights can be done gradually and incrementally.
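To make the two mechanisms above concrete (time-bound, just-in-time grants instead of open-ended access, and monitoring access usage to find rights that can be removed), here is an added example that is not from the original article or any vendor's product. It models a hypothetical entitlement store as plain Python dataclasses; the grants and access events are constructed sample data, and the 8-hour cap on just-in-time grants is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy value: no just-in-time elevation may outlive a working day.
MAX_JIT_TTL_HOURS = 8


@dataclass(frozen=True)
class Grant:
    identity: str
    resource: str
    granted_at: datetime
    expires_at: Optional[datetime]  # None means standing (open-ended) access


@dataclass(frozen=True)
class AccessEvent:
    identity: str
    resource: str
    at: datetime


def is_active(grant: Grant, now: datetime) -> bool:
    """A grant is active once issued and, if time-bound, only until it expires."""
    if now < grant.granted_at:
        return False
    return grant.expires_at is None or now < grant.expires_at


def has_access(grants: list, identity: str, resource: str, now: datetime) -> bool:
    """Access exists only if some grant for this identity/resource is active *right now*."""
    return any(
        g.identity == identity and g.resource == resource and is_active(g, now)
        for g in grants
    )


def jit_grant(identity: str, resource: str, now: datetime, ttl_hours: float) -> Grant:
    """Issue a just-in-time grant that always carries an expiry, capped by policy."""
    if ttl_hours <= 0 or ttl_hours > MAX_JIT_TTL_HOURS:
        raise ValueError(f"ttl must be in (0, {MAX_JIT_TTL_HOURS}] hours, got {ttl_hours}")
    return Grant(identity, resource, now, now + timedelta(hours=ttl_hours))


def standing_grants(grants: list) -> list:
    """Open-ended grants: the ones that accumulate over time and never self-revoke."""
    return [g for g in grants if g.expires_at is None]


def stale_grants(grants: list, events: list, now: datetime, lookback_days: int = 30) -> list:
    """Grants that are active but have not been exercised within the lookback window.

    These are the revocation candidates a usage-monitoring review should surface.
    """
    cutoff = now - timedelta(days=lookback_days)
    recently_used = {
        (e.identity, e.resource) for e in events if cutoff <= e.at <= now
    }
    return [
        g for g in grants
        if is_active(g, now) and (g.identity, g.resource) not in recently_used
    ]


# Constructed sample data (not real accounts, systems or logs).
NOW = datetime(2024, 6, 1, 12, 0)
GRANTS = [
    Grant("alice", "prod-db", datetime(2022, 3, 1), None),                 # standing, still used
    Grant("bob", "prod-db", datetime(2021, 7, 15), None),                  # standing, long unused
    Grant("carol", "prod-db", NOW - timedelta(hours=5), NOW - timedelta(hours=1)),  # JIT, expired
    Grant("dave", "billing-api", NOW - timedelta(hours=1), NOW + timedelta(hours=3)),  # JIT, active
]
EVENTS = [
    AccessEvent("alice", "prod-db", NOW - timedelta(days=2)),
    AccessEvent("bob", "prod-db", NOW - timedelta(days=200)),
    AccessEvent("carol", "prod-db", NOW - timedelta(hours=4)),
    AccessEvent("dave", "billing-api", NOW - timedelta(minutes=30)),
]


def access_review(grants: list, events: list, now: datetime) -> dict:
    """Summarise what a periodic review would put in front of resource owners."""
    return {
        "standing": sorted(g.identity for g in standing_grants(grants)),
        "stale": sorted(g.identity for g in stale_grants(grants, events, now)),
    }


if __name__ == "__main__":
    print(access_review(GRANTS, EVENTS, NOW))
    # carol's elevation has lapsed on its own; nobody had to remember to revoke it.
    print("carol prod-db:", has_access(GRANTS, "carol", "prod-db", NOW))
```

Running the review against the sample data flags alice and bob as holders of standing access and bob alone as stale (no use in 200 days), which is exactly the accumulated, unneeded access the article describes. Carol's just-in-time grant needs no cleanup at all because it expired by itself; that is the operational payoff of time-bound access.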
The benefits of adopting Zero Trust go far beyond security. When your organization takes this approach, you’ll discover that you have better visibility into your IT assets and resources and how they’re being used, increased productivity, and an easier time meeting compliance requirements. However, the efforts required to attain these benefits are also far-reaching. You’ll need to grow organization-wide awareness of the importance of resilience and risk reduction, which can involve education and training as well as extensive communication.