Fast-track zero trust by quantifying business value

By Stephen Berjak, IBM Security Services Leader – South Africa

Johannesburg, 02 Sep 2021

Zero trust is not a new concept, but a fast-changing environment is making a formalised zero trust framework critical for mitigating risk in businesses today. Threats are increasing, the traditional perimeters have fallen, and 5G, IoT and software-defined networks have changed the landscape. CISOs are increasingly aware of the need to adopt a zero trust approach, and many have implemented components of a zero trust model. However, many find their progress towards a full zero trust model hampered by budget constraints.

This is typically because business – while cognisant of the need to mitigate risk – does not always understand the value of each component within a zero trust model.

The most effective way to secure security budget allocations is to do so within a formalised zero trust framework that presents quantifiable risk, ROI and business value. At IBM’s Security Services practice, which has invested heavily in models and toolkits to help IT security answer the tough questions from the board, we find that local CISOs are thrilled to be able to quantify risk at last. At the same time, boards pay attention when you’re speaking their language, translating spend into a measurable risk mitigation value.

The real value of zero trust

IBM recently published the annual Cost of a Data Breach Report 2021, for the first time including the benefits of a zero trust approach in mitigating costs. Whereas the data breach costs hit a record high, increasing to an average of $4.24 million (South Africa: $3.21 million), breaches at organisations with mature zero trust deployments were $1.76 million less than those without zero trust. In time, it can be expected that this gap will grow, with rising costs of a data breach offset even more via zero trust adoption.

The concept of zero trust (ZT) was founded by Forrester alum John Kindervag in 2009 and centres on the belief that trust is a vulnerability and security must be designed with the strategy: “Never trust, always verify.” Having been around for more than a decade, ZT is certainly not a new concept; however, with changes in the way we work – from centralised content-driven (assumed trust) to distributed workload-driven (trust but verify), and ultimately pervasive speed-driven ‘any-to-any’ connections (zero trust) – the value of ZT has become fundamental to the realisation of a modern security architecture.

Defining zero trust

Naturally, context is essential in any ZT discussion, and at IBM Security Services, we frame ZT simply as: Enabling the right user, under the right conditions, to have the right access to the right data. Importantly, this is not a topic centring on security products or projects. Our ZT governance model draws on security best practices and turns a philosophy into action by:

Plotted against this model are a series of use-cases that have been developed. This includes high priority scenarios, for example, preserving customer privacy; securing the remote workforce; protecting the hybrid cloud; and reducing the risk of insider threat. The ZT governance model and use cases enable a maturity assessment of the current IT landscape (including OT and cloud), identification of gaps and possible initiatives, and an overall ZT improvement roadmap.

To illustrate this approach, consider the use-case in which users across multiple locations require access to the enterprise hybrid cloud. This remote access requirement is a challenge that faced many organisations during lockdown, when their objectives included improving the access experience for employees, be they mobile users ‘out in the wild’, at a remote corporate location, or internal to HQ. Typically, there is little to no integration between security products beyond security monitoring, and access to data is typically based only on an ACL in the application.

Software-defined perimeter solutions combine a number of security controls (network, IAM, endpoint) to make informed access decisions (authenticate first). Still more should be done to move towards continuous access decisions (integration with SIEM) and to move controls closer to the data:

  • The (define) context shifts from a trust defined per zone, to a micro-segmented network with integrated access decisions.
  • Verification and enforcement incorporate MFA with biometrics.
  • The incident resolution matures to SIEM with automated response.

Formalising the zero trust framework

Most organisations are at different stages in their ZT planning and implementation. Some need to implement a ZT strategy and need help getting started; some are implementing a ZT strategy and are looking for a specific solution; and others are looking to fulfil a specific capability requirement.

Our approach to formalising a zero trust framework starts with establishing the organisation’s ZT objectives; reviewing applicable regulations, policies and business initiatives; reviewing the current risk register; selecting the appropriate use-cases; and then applying the IBM ZT governance model. This is followed by our acceleration services, which take eight to 10 weeks and align the ZT strategy approach with business and security objectives; assess the current state, determine future maturity and prioritise gaps based on ROI; and build a detailed roadmap and investment plan. The final phase covers the ZT solution implementation, including full life cycle ZT transformation (assessment, design, build and run steady-state support services).

Further information on ZT strategy, implementation and customer references can be found on the IBM Security website. [3]

To hear more on the cost of a data breach study specific to SA and engage with our experts, attend the Zero Trust Security Forum on 16 September.

https://events.bizzabo.com/352286

References

  1. https://www.ibm.com/security/data-breach
  2. https://go.forrester.com/blogs/a-look-back-at-zero-trust-never-trust-always-verify/
  3. https://www.ibm.com/security/zero-trust