Tech ‘bipartisanship’ key to reducing the attack surface
Jan 24, 2022
The pandemic was a shotgun wedding for IT and security teams; zero trust coaction can make the marriage last.
Recently, I was engaged in a strategy discussion around zero trust implementation initiatives and an independent review of controls currently in place for a customer environment. Both the organization’s CIO, CISO, and respective direct reports were to attend. At the eleventh hour, the call was rescheduled to the following week but omitted the CISO organization. The discussion proceeded without mention of the change. I was not about to pry, but it did raise questions about the dynamics between these teams. After all, they’re all tightly bound to matters concerning zero trust, risk reduction, and cybersecurity. And only as a unified front can an organization minimize its attack surface effectively.
The session was nonetheless great and focused on transformation strategy, but inevitably veered in the direction of the missing team as a key stakeholder or decision-maker, and in effect, some agenda items were parked. As I read the room, it brought me back to my own personal experiences with past challenges associated with internal bureaucracies and behaviors between IT and security. However, my past experiences suggest that this conflict is an issue of trust. As someone who initiated a zero trust project for a global organization, you need to convert conflict into cooperation between these teams.
Trust and friction make everything harder. Projects take longer. Decisions take longer. Lack of collaboration can also introduce security gaps. I’ve been successful in my past roles as the catalyst for building cross-functional teams, particularly between IT and security. Soliciting stakeholders from other respective business units is also imperative when building an organizational zero trust strategy.
Zero trust as an overarching business strategy
It is a linguistic paradox that when building a zero trust foundation, you’re actually building trust amongst your peers and colleagues. I found that sharing a unified definition of zero trust across respective teams upfront is key because as many have said, zero trust is shorthand for zero implicit trust and is tied to the ZT concept coined over a decade ago by John Kindervag, at the time principal analyst at Forrester. It proved to be a sound step in the example above.
With the shared zero trust definition in tow next we needed to figure out what trust we could extend based on the context with considerations given to business needs, cloud adoption, a volatile threat landscape, and privacy and regulatory requirements. Zero trust took on the cultural definition of context-based least privilege access. Because we started with what we knew about our environment prior to looking at technology, we simplified our goals for the project. We considered how we could increase employee productivity while supporting new business requirements and technology trends, including IT consumerization, cloud services, and access by a broader range of users.
In parallel, we sought an architecture that could prevent risk, reduce our attack surface and improve survivability in the shadow of a growing and ever-evolving threat landscape. Given our extraordinary goal, any sense of NIMBY between IT and security teams quickly evaporated. These primary stakeholders aligned to a sense of purpose and mutually assured success.
The scale of the endeavor can’t be overstated. We are talking about transformational change rather than incremental change. From a security perspective, the efficacy of our legacy security controls has been deteriorating for quite some time and evolving business usage models such as cloud adoption have expedited that atrophy. Here is where I have seen something fascinating, but completely unexpected. Whether these modernization projects were underway or in the planning stages, the risk created by the global pandemic created transformational opportunities for many organizations. Project timelines become hyper-accelerated in a need to support a fully remote workforce. Organizations that can look back and identify successes in how they accomplished this, almost universally share a common attribute – IT and security stakeholder collaboration. The requisite availability and experience requirements were put into place with acceptable levels of risk.
Breaking down the steps to make it work for you
So far, so good, but getting it done is no simple feat. What’s the best way for organizations to make the often-challenging transition to a zero trust architecture?
Most IT teams today, despite being pressured by factors like the rise of cloud computing and an increasingly remote and hybrid workforce, have yet to make the jump to zero trust. They’re aware of it, they’re conscious of the benefits, but it’s a sufficiently complex and demanding goal that they have yet to undertake.
Furthermore, no two organizations are the same; all will require a custom strategy. Yet all successful strategies will still have certain elements in common. The network team and the security team must align across technology, culture, and process.
• Technology. Network teams tend to focus on technological stability and performance—is the network topology both reliable and fast enough? Security teams, on the other hand, tend to focus on control—are core assets like apps and data accessible only on an as-needed basis, and with the right privileges? En route to a successful zero trust exchange, these teams will need to coordinate to consider the technology shift from both perspectives.
The security team may need to rethink whether it will continue to deploy and support legacy security appliances at all. While such appliances may seem like an insurance policy, in fact, they often become another potential point of attack, especially if they aren’t maintained properly. Open system ports should be detected and shut down network-wide whenever possible, and client workstations should be configured to reject virtually all inbound connectivity.
The network team, on the other hand, must rethink certain traditional access methodologies like VPNs (which are of only limited value these days). It will need to consider implementing a new proxy service. Furthermore, that service should be chosen, in part, based on network-centric questions like geography and transmission speed—a proxy service that sends all network traffic halfway across a continent and back may be too slow to be suitable. The shorter the round trip involved, the better the outcome.
• Culture. Just as network and security teams have different technological perspectives, they often have different cultures. Implementing a successful zero trust architecture means that these two teams will often need to develop a shared culture (at least a limited one) based on shared principles.
Team leaders, for instance, will typically need to coordinate to determine which best practices apply to ensure their team members have the right balance and mix of skills and to ensure that the total impact on end users is as low as possible—ideally being undetectable. Team members, meanwhile, must understand zero trust principles, how the organization will implement those principles going forward via logical stages, and what new training and skills they’ll require in advance. The better every member of both teams understands exactly what to expect and how to prepare, the more likely it is the overall project will succeed.
All members of both teams must be aligned on the value and goal of creating a successful transition away from a conventional hub-and-spokes access structure to the new zero trust exchange.
• Process. The specific sequence involved in making the jump to zero trust is a third area where network and security teams will need to align.
Broadly speaking, the goal should be to create a blueprint (a plan for change) that takes into account all the relevant goals of both teams, prioritized for business value, supported by the proxy service’s feature set, and informed by top-tier sources. Such sources include design and deployment guides, that specify proven principles and established best practices. Case studies of other companies that have already undergone similar transitions can help assess what’s worked, what hasn’t, and how/whether that applies in this case.
Toward this end, having access to a great proxy service partner (as well as its partners) can be enormously valuable. Some have a much broader range of successful customer engagements than others, and because they can leverage that insight, they’re very well prepared to work with your organization to develop an optimized roadmap of change. Most importantly, the time is nigh to create and implement the best strategy possible — one that avoids pitfalls and risks minimizes the impact to end users and service availability, and delivers the intended results as quickly as possible.
What to read next