This article was written by Arvind Raman, CISO of Mitel.
The pandemic has accelerated the evolution of Chief Information Security Officers (CISOs) from traditional gatekeepers to business enablers and strategic counselors in our new, increasingly cloud-centric hybrid work environment, but this doesn’t mean we make security secondary. To the contrary, it’s heightened the need for a CISO’s expertise. The massive shift to cloud adoption is leaving legacy organizations vulnerable to potential breaches, and security chiefs must find solutions that both protect and provide access to the important information that drives critical business decisions.
Many are turning to a “zero trust” model to protect this critical data on which the business runs — in fact, 82% of senior business leaders are in the process of implementing this model, and 71% plan to expand it over the next year. Why? The name says it all. Zero trust doesn’t count anyone out as a threat. It’s about verifying and mitigating threats across hybrid clouds and edge devices both internally and externally.
From traditional IT security to zero trust
With a new business paradigm, CISOs are moving away from a traditional react-and-respond IT security strategy to one that’s more proactive and supports long-term business goals. Traditional IT security models trust users who are inside organizations’ networks. Zero trust verifies users at multiple checkpoints to ensure the right person is receiving the right access.
In traditional IT environments, hackers can easily break through firewalls with stolen or compromised usernames and passwords, causing data theft and reputational damage. When implemented effectively, zero trust allows authorized users to seamlessly and safely access company information from any device anywhere in the world.
Think about zero trust like airport security checks, especially for international travel. To lessen threats and limit potential risks, we go through multiple security checkpoints prior to boarding. Once authorized, a zero trust model gives users access to only the data they need to do their jobs. This limits sprawling data surfaces and reduces areas of attack, which is important when weighing the growth of data with the challenge of understanding where data lives. The pandemic further accelerated the rate of data creation, yet according to IDC, just 2% of that data was saved and retained in 2021.
One of the biggest hurdles organizations face when implementing zero trust is the lack of full visibility into their data and assets to begin with. Organizations with legacy infrastructure may have a tougher road in implementing zero trust, but it is definitely doable. The Biden administration’s recent executive order on the zero trust model as the answer to the post-pandemic security landscape has made doing so a business imperative.
CISOs must establish maximum visibility into their organizational assets and work with internal teams to implement the principles of zero trust. What is most important to the organization for security? Balancing business needs and user experience is the key to customizing zero trust. To effectively meet both needs, CISOs can ask the following questions:
- What are the business objectives? What are the top security risks impacting the business objectives and how can they be managed?
- What are the most important data assets in our organization? Where is the information stored and is it vulnerable?
- What’s our current access management process? What’s our device access management policy? What should it be?
- What security gaps do we need to fill, and in what order?
With these answers, CISOs can begin to create an effective risk management framework using zero trust across the applications, networks, and endpoints. A well-thought-out zero trust plan allows security chiefs to analyze, provide critical data and advise senior business leaders on strategic decisions that affect organizational goals.
While IT professionals and CISOs cannot control the physical environment, we can control the digital environment and be an enabler of secure business, versus being viewed as a blocker. Zero trust is the right way forward.
Arvind Raman, CISO at Mitel, is a cybersecurity and zero trust expert who thinks so and can share guidance on what business leaders can do to implement the practice efficiently.