This is an excerpt from an upcoming Insights for CISOs report on key business considerations for adopting a cloud zero-trust architecture (ZTA).
Enterprise security transformation culminates in cloud ZTA adoption. It begins with recognizing what needs to be secured; identifying how, to what, and where employees connect; and setting security objectives.
Catalog the crown jewels
Start with a comprehensive audit. Identify all applications in use (including rogue use) in your organization. Wherever they may be located, identify (and stack-rank) corporate assets to be protected, e.g., the HR database, CRM, R&D servers, etc. At a macro level (e.g., group or even individual if possible), record who needs access to what, when, why, and where. At a micro level, a chief information security officer (CISO) must be able to answer the cliched question, “It’s 10 p.m. Do you know what tools your employees are using?”
This discovery effort can extend beyond assets to process: What activities or workflows—presumably proprietary ones at that—could possibly be vulnerable to attack (and therefore must be protected)? In this way, a CISO aligns security with business priorities.
CISOs without the resources to document the enterprise universe (so to speak) should make “comprehensive audit capability” a key criterion of selecting a ZTA security solution. (Some ZTA vendors even offer that mapping service as part of a sales assessment: “Do you recognize these apps?”)
Prioritize connectivity needs
Identifying an organization’s conceptual connectivity methods is fundamental to setting the stage for enterprise security transformation and cloud ZTA solution evaluation.
It starts with “how.” It may seem commonsensical, but at the most basic level, employees need to be able to connect securely to public sites and resources located on the open internet and connect securely to private sites and resources located in the cloud or in the data center.
Users just need to connect. To them, whether a resource is “private” or “public” is unimportant. They just need to use it. Picture an employee with two app icons on a system desktop. One app is SaaS, the other is proprietary. The employee needs to use both and should not care which app is hosted on the open internet and which is housed in the corporate datacenter.
But the distinction between public and private access is material for CISOs, if only because the market differentiates the two connections. Zero-trust network access (ZTNA) solutions provide private access (e.g., over secured transport channels to privately hosted resources or directly to private cloud destinations), and secure web gateway (SWG) plus cloud access security broker (CASB) services secure traffic to and (preferably!) from the open internet. Note that—however it does it—a comprehensive cloud ZTA deployment must secure private and public access for both incoming (intrusion prevention) and outgoing (data loss prevention) traffic.
On to the “who”: Identify which stakeholders need access to what resources. Back to the crown jewels audit: Which employees need access to which resources, where, and when? (“When” is presumably “at all times.”) CISOs should begin mapping policy rules. Next, identify people outside the organization who need access to corporate resources: Are there third parties (e.g., partners, contractors, customers) who must connect to the corporate data center or private cloud?
Finally, “where”: Identify from where employees and third parties will connect to corporate resources. Headquarters? Branch offices? Different geographies (with, potentially, different governance requirements)? Remote locations? (Starbucks? Airplanes? Ships at sea? Home?)
Set security objectives and benchmarks (The “bare minimum” is measurable risk, consistent coverage, and optimized performance)
There is a prevalent enterprise assumption that cyberattack risk is ineluctable, that no protection can ever fortify enterprise defenses sufficiently to stop the next attack, whatever it may be. In their C-suite-targeted book, A Leader’s Guide to Cybersecurity: Why Boards Need to Lead—And How to Do It, Thomas J. Parenty and Jack J. Domet lament such “resignation” with a rather dramatic analogy:
A fatalistic drumbeat in cybersecurity dialogue is…marked by common refrains such as “It is not a question if you will be hacked, but only when” or the oft-repeated bromide, “There are two types of companies, those that know they’ve been hacked and those that don’t know it yet.” This spirit of resignation has shifted emphasis to reactive measures for dealing with attacks once they occur, rather than prevention or detection. This approach is the equivalent of neglecting seatbelts and airbags in favor of deploying fleets of ambulances and helicopters to ferry crash victims to emergency rooms.
Cyberattack risk may always exist for the modern enterprise. But that doesn’t mean compromise should be viewed as inevitable.
An effective cloud-based ZTA environment meets three key thresholds: risk is measurable, security is consistent, and performance is optimized.
Measuring cyber risk is something everybody talks about, but on which few effectively follow through. Part of that challenge is semantic: “cyber risk” is business risk, and viewing it discretely is a mistake that leads to putting the proverbial technology cart before the business horse. As Parenty and Domet note:
Only when cybersecurity technologists understand how your company conducts business can they avoid making decisions and undertaking activities that, however well intended, don’t reduce cyber risks. And, in some cases, they increase the risks while simultaneously interfering with business operations.
Traditional network security technologies (like detection and response tools) offer only post-breach visibility, something valuable for incident response but not helpful for proactive protection. An effective cloud ZTA solution translates cyber risk into business risk. For example, most cloud ZTA solutions present performance against threat-prevention benchmarks (e.g., attack volume, type, and source) on a dashboard. Such detail offers dynamic risk measurement and even the potential for quantifying organizational risk into proprietary (even heuristic) metrics.
Security should be consistently delivered, no matter the user, location, or connection. Many vendors offer “tiered” levels of security, with employees at headquarters enjoying different security coverage than remote users or third-party contractors. With the inability to offer blanket zero-trust-level security to all, enterprise CISOs have little choice but to limit access accordingly. That approach is no longer practical in today’s cloud-first, remote-access-enabled, device-agnostic world.
Instead, enterprises must protect all authorized access—on-site, remote, from third parties, etc.—to all resources with the same (read: the “highest” least-privilege zero trust) level of security. That should literally be a bare-minimum “floor” and a starting point for solution evaluation discussion.
Similarly, cybersecurity should not impede connectivity performance. For too long, CISOs have stacked cybersecurity functions (e.g., firewalls) at the castle gates with little regard for data-traffic throughput impact and then rationalized the approach: “Sure, performance is slowed with our new VPN + backhauled linear security processing, but that’s the cost of cybersecurity.” At a minimum, a cloud ZTA solution—presumably via effective cloud access security brokering (CASB) and edge-delivered functionality—should improve connectivity performance relative to traditional network security infrastructure, not hinder it (or set it back further by introducing new latencies).
The last word
It’s too difficult to choose an enterprise cybersecurity solution. Enterprise CISOs must contend with competing strategies, philosophies, architectures, stakeholders, and service models. Meanwhile, environments grow more complex. What was once a tangible network perimeter now encompasses work performed remotely, on the open internet, in the datacenter, or in the cloud. Meanwhile, barbarians assemble at the castle gate. Cyberthreats grow more sinister, more sophisticated, and more frequent, and business risk rises accordingly. Meanwhile, a host of competing vendors shout hyperbole about the “one” zero-trust solution needed to protect the enterprise.
Enterprise CISOs face a daunting challenge in managing cybersecurity for their organization. But those who start with a discovery audit, define connectivity methods, and set security objectives take the first steps toward aligning business priorities with cybersecurity. That sets them up for success and facilitates the business considerations of a cloud ZTA solution.