Case Studies: CISOs Take on the 'Zero Trust' Challenge
Three Examples of How to Overcome Hurdles
Implementing a "zero trust" framework can prove helpful in enhancing security in an era when so many remote employees are accessing applications and data in the cloud as well as within internal networks. But CISOs say rolling out the model can prove challenging.
Among the key issues are:
- Migrating legacy applications to the zero trust approach;
- Identifying assets on the network and figuring out how they communicate with each other;
- Carefully defining appropriate use cases.
Three CISOs offer insights on addressing each of these challenges and share their advice on making the most of a zero trust framework. (see: 2021: The Evolution of 'Zero Trust')
Migrating Legacy Applications
Dr. Durga Prasad Dube, senior vice president and global CISO at Reliance Industries, a multinational conglomerate based in Mumbai, says he began a zero trust project by defining its scope.
"One of the primary challenges is migrating legacy applications to a zero trust architecture," he says. While the zero trust model is well-suited for the latest technologies, such as the cloud, microservices or container systems, applying it to legacy apps is much more difficult, he says.
"Legacy applications, infrastructure and operating systems are most certainly not zero trust compatible as they have no concept of least privilege or lateral movement, and they do not possess authentication models that dynamically allow for modifications based on contextual usage," Dube says.
"Another big challenge is to stitch all the components together and enable a continuous threat and risk assessment."
His Approach: Because Reliance Industries had so many legacy systems, "we did not take a big bang approach" to implementing zero trust, he says. "Rather, we applied the framework one department at a time. The first requirement was to make legacy servers web-enabled. ... Hence, we started with applications which were easy to convert into web-based applications. Once we saw success in that, we slowly moved to complex legacy applications."
The next step was to implement a robust access gateway.
"Once you are clear which applications are part of the zero trust framework, make sure that you have a robust access gateway, which can support multifactor and risk-based authentication," he says.
"While choosing the access gateway, organizations must ensure that it has seamless integration with any identity management solution. And it should function as an API gateway too. Simultaneously, implement a good solution to support microsegmentation and plan the monitoring and feedback strategy."
Advice: Dube advises organizations to work closely with the companies supporting legacy applications to better understand their plans for meeting modern infrastructure requirements.
"Engage with the OEMs of the legacy applications to understand their roadmaps. Most of them are planning to make a shift to web-based approach," he says.
When implementing microsegmentation, Dube suggests putting the system in "learning mode" for an extended period. He also recommends choosing a solution that supports containerization.
Identifying Assets on Network
A key challenge when launching a zero trust effort is identifying all the assets in a network and figuring out how they communicate with each other, says Christopher Frenz, assistant vice president of IT security at Mount Sinai South Nassau, a New York hospital.
"This process will typically need to involve more than just the IT department," he says. "It is essential that devices such as security cameras, building management systems and other IoT and OT devices be included in the inventory."
Frenz adds: "Mapping out network traffic flows from every device is the most complex and time-consuming part of the zero trust process, but the more carefully you take the time to carry out this task, the less likely you are to break something when the time comes to start putting restrictions in place."
His Approach: Frenz says it's imperative to remember that implementing the zero trust model is a long-term organizational goal - not a quick, one-off event. "Zero trust needs to be treated as more of a mindset and an ever-evolving process for how your organization is going to handle securing its systems," he says.
"Once the network aspects of zero trust are underway, perhaps you may want to consider extending the same zero trust principles to other technology layers and start implementing zero trust at the application layer."
He says security pros must have good knowledge of the current infrastructure to understand the areas where the framework can be implemented.
"The ideal zero trust approach in terms of infrastructure products is going to vary somewhat from organization to organization," he says. "The critical thing is to ensure that the approach you take will work for the infrastructure you have."
Advice: Frenz says organizations can begin the journey to zero trust even if parts of the infrastructure are not yet ready for the framework.
"Every step you take toward moving in the direction of zero trust will still result in security improvements," he stresses. "Just because 100% zero trust coverage is not possible today does not mean you should choose to ignore the security benefits on the percentage of your environment where you can begin to apply zero trust principles."
He also advises CISOs to take an evidence-based approach to information security decision making.
"For example, much of my impetus to utilize zero trust strategies came out of the simulation of a mass malware outbreak in which I learned that network segmentation was a highly effective control but that segmentation by department was not fine-grained enough to meet my security needs. It was this testing and measuring of efficacy that helped to guide the architectures I developed and what aspects to prioritize."
As hacker attacks become increasingly frequent, he says, "maximizing the efficacy of our controls is going to be increasingly critical for staying ahead of the ever-changing threat landscape we all face."
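The three practices described above - running microsegmentation in learning mode, mapping every device's traffic flows before enforcing restrictions, and testing control efficacy with a simulated outbreak rather than assuming department-level segmentation is enough - can be combined in a small defender-side check. The script below is an added illustration, not code from the article or from any of the organizations quoted; every host, department tag and flow in it is constructed.

```python
# Constructed asset inventory (hypothetical hosts) tagged by department,
# including the IoT/OT devices the interviewees say must not be left out.
INVENTORY = {
    "cam-01": "facilities", "bms-01": "facilities",
    "ws-101": "finance", "ws-102": "finance", "erp-db": "finance",
    "ws-201": "hr", "file-srv": "it",
}

# Constructed flows (src, dst, dst_port) captured while segmentation ran in
# learning mode: nothing is blocked, every observed flow is recorded.
LEARNED_FLOWS = [
    ("ws-101", "erp-db", 1433), ("ws-102", "erp-db", 1433),
    ("ws-101", "file-srv", 445), ("ws-201", "file-srv", 445),
    ("cam-01", "bms-01", 443),
]


def flat_policy(src, dst, port):
    """No segmentation at all: every host reaches every other host."""
    return True


def department_policy(src, dst, port):
    """Coarse segmentation: any port is allowed between hosts of one department."""
    return INVENTORY[src] == INVENTORY[dst]


def learned_policy(src, dst, port, allow=frozenset(LEARNED_FLOWS)):
    """Fine-grained allowlist: only flows seen during learning mode pass."""
    return (src, dst, port) in allow


def flows_broken_by(policy, flows=LEARNED_FLOWS):
    """Legitimate flows a candidate policy would block; review before enforcing."""
    return [f for f in flows if not policy(*f)]


def simulate_outbreak(policy, patient_zero, port=445):
    """Efficacy test: from one infected host, every reachable host on `port`
    becomes infected in turn. The returned set is the blast radius."""
    infected, frontier = {patient_zero}, [patient_zero]
    while frontier:
        src = frontier.pop()
        for dst in INVENTORY:
            if dst not in infected and policy(src, dst, port):
                infected.add(dst)
                frontier.append(dst)
    return infected


if __name__ == "__main__":
    for name, pol in [("flat", flat_policy), ("department", department_policy),
                      ("learned", learned_policy)]:
        print(name, "breaks", len(flows_broken_by(pol)), "flows; blast radius",
              len(simulate_outbreak(pol, "ws-101")))
```

Department-level rules both break legitimate cross-department flows (finance and HR workstations to the IT file server) and still let an infection reach the whole finance segment, whereas the learned allowlist breaks nothing it observed and confines spread to the single flow that was actually in use.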
Carefully Defining Zero Trust Use Cases
Ashish Khanna, CISO at Oberoi Group of Hotels in India, says understanding the correct use cases for adopting a zero trust framework can prove challenging.
"CISOs often do not invest enough time in understanding the various use cases of zero trust. Rather, they tend to adopt a zero trust framework and then define use cases. It should be the other way around," he says.
"The zero trust ride tends to be a lot easier if you have invested enough time and energy on the information gathering - which system and identity needs what access."
His Approach: Khanna says security teams need to draw a framework based on the identities of various endpoints.
"Before beginning the zero trust journey, one needs to have clarity on the scope and expectations from the framework," he says. "For example, if you want to start with the identity piece first, then you have to choose the technologies accordingly. We can't choose the technology first and then decide on what infrastructure to put in for the zero trust framework."
He says a service-oriented zero trust approach is better than an endpoint-initiated approach.
"The idea is to give organizations as well as employees the flexibility that is available in a service-oriented approach. The endpoint-based approach allows only a particular machine to be connected, taking away the freedom or independence of users to connect from anywhere."
Advice: Khanna advises organizations to "have a clear understanding of the various identities which you need to access from outside and ensure you choose the platform which provides you a combination of tools." As a result, he recommends that organizations adopt Secure Access Service Edge, or SASE, technology.