“Zero Trust, along with micro-segmentation, is becoming highly recognized as a strong defense against cyber threats as it limits the spread of any infection that does get through,” says Trevor Dearing, EMEA Director of Technology, Illumio, in an exclusive interview with ITSecurityWire.
ITSW Bureau: With cyber-attacks continuing to evolve, what challenges do you anticipate lie in front of CISOs?
Trevor Dearing: As technology constantly evolves and matures, so do the cyber threats and cybercriminals targeting that technology. The threat on everyone’s lips at the moment, and the one that is gaining mainstream coverage, is, of course, ransomware.
Nevertheless, in the UK specifically, businesses are also in the midst of new hybrid working practices as we exit the pandemic; cloud investments have soared; and many organizations have reached a digital tipping point, which has changed the way they will do business moving forwards. These changes are altering the threat landscape – with CISOs having to navigate expanding IT infrastructure including cloud, new applications broadening the corporate attack surface, coupled with remote workforces and widespread supply chains.
A further challenge is trying to get cyber security to be adopted as an organization-wide concern. CISOs are frequently faced with the challenge of communicating their cyber security strategies and issues to the Board in a way that resonates with them and is positioned within the context of the wider business.
ITSW Bureau: Why are enterprises unable to implement zero-trust architecture into their cybersecurity infrastructure? What steps can they take to address this?
Trevor Dearing: There are a few common misconceptions about Zero Trust that means some enterprises may be falsely under the impression that they can’t implement it into their business. In fact, Illumio’s research found that 29% of respondents said they have legacy systems that can’t be upgraded, and a further 19% feel they don’t have the resources in place to fully complete the project.
The truth, however, is that any enterprise has the ability to implement Zero Trust into its cyber security strategy. Zero Trust isn’t achieved through the use of one solution or type of technology, it’s an approach which adopts the mindset of “never trust, always verify” to prevent the spread of breaches.
What’s more, Zero Trust is not “achieved” all at once. Organizations can start small, introducing Zero Trust processes incrementally and working their way up based on the resources and budget they have available.
To get started, I always recommend focusing on gaining visibility into your environments and how different components connect and communicate. Once that’s sorted, organizations are able to focus on their most critical assets – once those are protected, you have already adopted a Zero Trust strategy and will start reaping the benefits immediately.
There’s also a vital educational element that comes with Zero Trust. Technology is only as good as the people using it, so employees within the organization need to be on board. Our research flagged a concern amongst 32 percent of the respondents who said they feared their employees would think they don’t trust them. To tackle cultural barriers such as this one, I encourage CISOs and other cyber security leaders to raise awareness within their business to ensure their colleagues understand why certain security measures are in place and the benefits they bring to the entire organization.
ITSW Bureau: How can enterprises stop cyber-attacks and ransomware from spreading across applications, containers, and endpoints?
Trevor Dearing: As many organizations have found, traditional detection and prevention technologies are no longer sufficient to mitigate the threats posed by opportunistic actors. Information into how previous attacks were carried out only provides so much. With security teams identifying new techniques every day, enterprises need to arm themselves with stronger defenses that focus on ransomware containment by preventing lateral movement.
One such defense involves a Zero Trust approach to security, with Forrester stating that the model can reduce an organization’s risk exposure by 37 percent or more. This model eliminates automatic access for any asset (an asset could be a user, application, system, device or network), whether internal or external. It instead assumes that the context of any action must be validated before it can be allowed to proceed.
Micro-segmentation is an essential pillar of any Zero Trust approach. Micro-segmentation restricts adversary lateral movement through the network. Ultimately, it reduces a company’s attack surface by containing the intruder and preventing them from moving freely even once they have reached the target network.
Zero Trust, along with micro-segmentation, is becoming highly recognized as a strong defense against cyber threats as it limits the spread of any infection that does get through. Again, everyone understands that it is near impossible to predict when a cyber-attack may take place, where from, and with what target. But there are ways for organizations to lessen, or even eliminate, some of that risk by assuming breach and disarming attackers even if they do break through the perimeter.
ITSW Bureau: What initiatives should enterprises take to strengthen their cyber resilience?
Trevor Dearing: Our mantra is always to plan for the worst and assume breach. This means organizations need to assume all networks – and their applications and devices – are insecure and that the organization has already been breached. It’s essential that both users and devices are continuously authenticated and that access is granted to resources through disciplined verification.
To help support this, we recommend that organizations aim to implement a holistic Zero Trust approach that focuses on safeguarding critical digital resources and assets. As I mentioned previously, no one solution will get organizations there, but focusing on identity management and Zero Trust segmentation will launch enterprises in the right direction.
Equally, from a network perspective, visibility into communication across the network is vital as this will ensure the appropriate segmentation policies are deployed.
When done in the right way, Zero Trust can help enterprises to become more resilient, reduce cyber risk and drive digital transformation initiatives to drive their business forward.
Trevor Dearing has worked in networking and security for nearly 40 years. He has attended the birth of nearly all the technologies that we now take for granted including Ethernet Switching, VPNs, Firewalls and virtual networks. Originally an engineer he has worked in support, consulting, sales and the channel. He now holds the position of EMEA Director of Technology for Illumio.