Business, Technology, and Enterprise Security

Why Business Organizations Must Implement the Zero Trust Security Strategy and Execute It Diligently

An overview of the problems, market trends, and practical tips to implement security solutions in enterprise architecture and digital transformation initiatives


This is my first article on this platform written in a white paper style to make it valuable for enterprise architects and business decision-makers, including CTOs, CIOs, CDOs, CISOs, R&D directors, and other executive-level stakeholders of prominent business and government organizations.

My goal is to share my experiences gained working as a Trusted Advisor (Enterprise Architect and Senior Solutions Architect) across various industries and business verticals — mainly focusing on Digital Transformation, Data Architecture, Cloud Solutions, and Security Transformation Business Initiatives.

I leveraged credible industry and academic white papers I reviewed and used during my R&D on Zero Trust Security Strategy Implementation to articulate my points.

As a seasoned enterprise architect in the industry, firstly, I want to highlight that enterprise architecture is not just about technology solutions. We must also consider People, Processes, Business, Security, and Data. I will explain these critical points in this article.

Cybersecurity Threats continue to increase, with attackers probing for any vulnerable endpoint within organizations’ ICT infrastructure.

Cyber Threat Actors continue to launch attacks such as faking login pages, running persistent campaigns, introducing advanced malware, and consistently executing phishing in any possible touchpoints — endpoints, cloud applications, and network infrastructure.

According to the Zscaler Ransomware Report, between April 2022 and April 2023, the number of ransomware attacks has surged by 37.75%. With ransomware extortion attacks, the number of infected victims soared by 36.68%. There is also an emergence of encryption-less ransom attacks.

With increasing Cloud Adoption across the globe, driven by a paradigm shift in market trends towards highly resilient, highly scalable, and highly performant Cloud Platforms, Security, Networks, and Infrastructure, business systems ecosystems have changed from traditional On-Premises Data Centre solutions to Multi-Cloud, Multi-Tenanted, Hybrid On-Premises Ecosystems.

Added to the complexities of Digital Transformation, user devices such as Mobile Phones, Tablets, and Laptops across different geographical locations are becoming an increasing norm for a single user.

Given this diversity of user devices and touchpoints, how do you properly supply safe and secure access to the organization’s mission-critical business systems and to personal SAAS applications?

Users and Customers all want the flexibility of BYOD (Bring Your Own Device) and CYOD (Choose Your Own Device). So how do you develop a secure E2E Authentication and Authorisation Security Implementation Strategy, Controls, and Policy while at the same time adhering to PIM (Privileged Identity Management) and PAM (Privileged Access Management) to secure Business Sensitive Information as well as Private and Confidential information?

This gives rise to the need for organizations to define, develop, and implement Zero Trust Architecture Strategy and re-think a roadmap to achieving the Digital Security Transformation.

It is an Enterprise Architecture initiative where Enterprise Architects and Business Architects need to work closely with C Level Executives, Board of Directors, Business Sponsors, Business Leads, and Key Business and Technology Stakeholders to get all stakeholders to understand the issues and complexities of the problem and the difficulties in executing the digital security transformation.

However, it is still a Business Decision whether the organization can embark on the Zero Trust Strategy Implementation journey, as many business program initiatives need funding, and the Zero Trust Strategy initiative needs to be on the priority list.

Hence, it needs to be driven by the C-Level Executives and Buy-In from the Board of Directors to ensure full organizational support, commitment, and alignment with strategic & operational drivers.

The total cost of shifting to a Zero Trust paradigm is incredibly high, and the approach to tackling the problems needs to be discussed with a focus on Enterprise Security Planning. The approach to realizing Zero Trust Network Access (ZTNA) is critical to the success of the modernization goals.

According to R&D companies such as Grand View Research, the global market size of Zero Trust Security is estimated to be USD 24.84 Billion, and the expected Compound Annual Growth Rate (CAGR) is 16.6% from 2023 to 2030.

This also stems from the COVID-19 pandemic, where remote working has become the norm; organizations see this as a significant opportunity to reduce infrastructure procurement costs by moving towards a BYOD or CYOD strategy, which in turn drives the growth of zero trust security.

The rise of BYOD and CYOD allows employees to access business-critical information and Cloud SAAS applications, thereby increasing the chances of data theft and loss.

This new user landscape increases the number of potential threat actors continuously watching and finding ways to penetrate corporate networks. Hence, implementing BYOD and CYOD security strategies, solutions, standards, and policies is particularly important.

Importance of Data and Information Classifications

The Traditional Approach to Enterprise Security is all about setting up Perimeter Security and safeguarding data and information from Cyber Attacks and inadvertent network infrastructure penetrations.

Most organizations are too busy keeping the lights on and working on Digital Transformation Business Strategies to enhance their business: increasing ROI (Return on Investment), improving CX (Customer Experience), improving business operations through business automation, and improving EX (Employee Experience) to raise productivity and keep employees happy.

Data and information flow in from all data sources: different systems, B2B partners, Government Agencies, Consumers, Customers, IOT Streaming, social media, and Regulatory Compliance Bodies.

Some are Commercial Business Sensitive Information, some are consumer private and confidential information, and some are shareable between business partners only, whilst some are shareable between customers only, and others are publicly available information.

Data and Information are available in all shapes and forms — Structured Data, Semi Structured Data, and Unstructured Data and come with different Variety, Velocity, and Volume.

Many organizations struggle to know clearly where their data is, and often must spend time discovering which assets hold which types of data in order to comply with regulatory frameworks and standards such as ASD ACSC ISM, NIST, ISO27001, GDPR, CDR, Open Banking PSD2, PII, HIPAA, HL7, PCI/DSS, FATCA/CRS, AML/CTF, KYC, etc.

Data and Information live in business systems and also in Emails, MS Access databases, SharePoint sites, Content Management Systems, Files, Archives, and many more. Do all organizations have a clear snapshot of all their assets and a mapping to all their data and information? I would say NO.

Many Data and Information Classification tools use AI and ML to help classify the massive Data and information Landscape and, therefore, implement better and more granular data security controls depending on their classifications and adhere to the Data Security Regulatory Compliance mandates.

Implementing Zero Trust Security Strategy and Transformation

This image was created by the author.

Developing an organization’s Zero Trust Security Strategy and Transformation is not as easy as one would think.

You need to carefully analyze, learn, and devise a strategy to replace your current security technology solutions stacks or overlay the legacy security solutions — would this create a monster and introduce more complexities, or do you start from nothing? What’s the ROI? Why do we need to do this?

Implementing Zero Trust Security Strategy still requires all the existing implementations of security controls such as Enterprise IAM, SSO, MFA, Phishing Prevention and Awareness, Intrusion Detection Prevention IDP, IPS Intrusion Prevention Systems, Data Security, DLP Data Loss Prevention, SOC 1 & 2 and other compliance mandates.

Below is an informative diagram from Gartner showing a High-Level Zero Trust Security System — A Simplistic Viewpoint for Architects and Business Decision Makers.

Image Courtesy of Gartner from Public Domain

An Overview of the Current State

· Heavily focused on perimeter security controls

· Organisations’ Culture of “Implicit Allow”

· Lack of Enterprise Corporate Policies which enforce Least Privileged Access

· Coarse-grained security access

· Network segmentation is at a high level broadly segmented between network tiers.

· Applications are allowed to be rolled out in Production with limited security controls.

· Authentication is still based on weak single-factor authentication. In many cases, applications are still being developed using basic username and password authentication.

· Traditional network connectivity is still being used.

· “Implicit Allow” access across different business systems workloads (East-West Traffic)

· Some applications’ security still does not use Enterprise User Directories such as Azure AD or Microsoft AD, despite widely available best practices.

· Islands of disparate security directories remain, as legacy LDAP directories are still not being decommissioned.

An Overview of the Target State

· Finer grain access and authorization to resources after Authentication

· Continually performing trust assessments to minimize risks.

· Micro-segmentation of access boundaries between users, applications, and workloads

· Full encryption of network connections to protect data in transit.

· Explicit allow access to applications and workloads for fully authenticated and authorized users.

· Full logging and monitoring of user activities across all devices and locations

· Strict adherence to the latest OWASP Top 10 Security Vulnerabilities, and ensuring proper DevSecOps principles and standards are being applied.

· Use of Confidential Computing environment for highly commercially sensitive information in particular accounting and finance

· Start implementing security solutions for decentralized databases and distributed data ecosystems, as new Digital Ecosystems such as Microservices Containerisation Style Architecture and Distributed Blockchain Ledgers have been developed across new DeFi (Decentralised Finance) and NFT Digital Platforms.

· Start collaboration with Multi-Cloud, Multi-Tenanted, Hybrid On-Premises Ecosystem Data Exchange Fabric Providers such as Equinix to take advantage of their E2E security control capabilities in the Next Generation landscape.

Strategic Core Technologies for Zero Trust Strategy Enablement

Data Classifications and Information Security Protection Technologies

Limiting the scope of data security protection will help organizations speed up and enhance their protection from malicious attacks, stealing sensitive information, and exposing customer privacy information.

By applying data and information classifications, organizations can first focus on these Data/Information Classes and ensure that these classes are well-protected, continuously watched, and risks are constantly being assessed, providing business confidence to both the organizations and the customers.

Varonis’ Enterprise Data Security Platform is one of the popular data security platform products in the marketplace. According to Forrester, Varonis was named the Leader in Data Security Platforms in Q1 2023.

Here are key features provided by the Varonis Data Security Platform:

· DSPM — Data Security Posture Management

· Data Discovery & Classification

· Data Activity & Auditing

· Data-Centric UEBA

· SSPM — SAAS Security Posture Management Software

· Automated Data Remediation

· Data Access Governance

· Compliance Management

· DLP Data Loss Protection

· Active Directory Security

· Insider Risks Management

Amazon Web Services AWS supplies a data classification service called AWS Macie. This service provides discovery, data cataloging, assessments of data types, labeling, handling classification tiers, and continuous monitoring of the labeled datasets.
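The discovery, labeling and tier-based handling described above (for the Varonis feature list and for Macie) can be shown with a small pattern-based classifier. This is an added example and not code from Varonis, AWS or the author; the detector patterns, the four-tier scheme and the control mapping are assumptions for illustration, and the sample records are constructed. It also shows the caveat a practitioner cares about: a Luhn check on candidate card numbers so that random digit runs are not labeled Restricted.

```python
import re
from typing import Dict, List, Tuple

# Detector patterns for a few common data types (constructed for this example;
# real classification tools ship far larger and tuned detector sets).
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\+\d{1,3}[ -]?\d{2,4}[ -]?\d{3,4}[ -]?\d{3,4}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "credential": re.compile(r"(?i)\b(?:password|passwd|api[_-]?key|secret)\s*[=:]\s*\S+"),
}

# Classification tiers, lowest to highest sensitivity (assumed scheme).
TIER_ORDER = ["Public", "Internal", "Confidential", "Restricted"]

# Minimum tier each detected data type forces.
TYPE_TIER = {
    "email": "Confidential",
    "phone": "Confidential",
    "card_number": "Restricted",
    "credential": "Restricted",
}

# Minimum security controls per tier (assumed mapping).
CONTROLS = {
    "Public": [],
    "Internal": ["authenticated access"],
    "Confidential": ["authenticated access", "encryption at rest", "access logging"],
    "Restricted": ["authenticated access", "encryption at rest", "access logging",
                   "MFA for access", "DLP egress blocking", "continuous monitoring"],
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> Dict[str, List[str]]:
    """Run every detector over the text and return matches grouped by data type."""
    findings: Dict[str, List[str]] = {}
    for name, pattern in DETECTORS.items():
        matches = [m.strip() for m in pattern.findall(text)]
        if name == "card_number":
            # Only keep digit runs that pass Luhn, to cut false positives.
            matches = [m for m in matches if luhn_valid(re.sub(r"\D", "", m))]
        if matches:
            findings[name] = matches
    return findings


def classify(text: str) -> Tuple[str, Dict[str, List[str]]]:
    """Assign the highest tier demanded by any finding. The word 'internal' is a
    weak signal used only when nothing more sensitive is present."""
    findings = find_sensitive(text)
    tier = "Internal" if "internal" in text.lower() else "Public"
    for data_type in findings:
        candidate = TYPE_TIER[data_type]
        if TIER_ORDER.index(candidate) > TIER_ORDER.index(tier):
            tier = candidate
    return tier, findings


def required_controls(tier: str) -> List[str]:
    """Controls that must be in place before data of this tier is stored or shared."""
    return CONTROLS[tier]


def scan_records(records: List[str]) -> List[Dict]:
    """Label each record and attach the controls its tier requires."""
    report = []
    for record in records:
        tier, findings = classify(record)
        report.append({"record": record, "tier": tier,
                       "findings": findings, "controls": required_controls(tier)})
    return report


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    "Quarterly newsletter draft for the public website",
    "Internal memo: office relocation to level 3 next month",
    "Customer contact: alice@example.com, +61 412 345 678",
    "Card on file 4111 1111 1111 1111 exp 09/27",
    "Order reference 1234 5678 9012 3456 (not a card number)",
    "db config: password=hunter2 host=internal-db",
]

if __name__ == "__main__":
    for entry in scan_records(SAMPLE_RECORDS):
        print(f"{entry['tier']:<12} {sorted(entry['findings'])}  <- {entry['record']}")
```

Run it directly to see the per-record labels; the fifth record is the interesting one, since a 16-digit order reference fails the Luhn check and stays Public instead of triggering Restricted controls, while the credential in the last record outranks its "internal" hint.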

ZTNA Zero Trust Network Access

Cloud-based solutions such as Zscaler provide Zero Trust Network Access (ZTNA), where an organization’s business applications can be accessed by users from anywhere in the world, as apps move from inside the data center to outside the network perimeter.

Network and security teams must now shift their focus to the fact that it is not about protecting their networks but about protecting users, devices, and business resources.

ZTNA solutions such as Zscaler ZTNA provide controlled access to organizations’ resources by reducing the surface area for attack. The isolation afforded by ZTNA improves connectivity, removing the need to directly expose applications to the internet, which is an untrusted transport.

Instead, application access occurs via an intermediary, a cloud service controlled by a third-party provider, or a self-hosted service.

Here is a summary of the standard features of ZTNA solutions:

1 — Verify Identity

Instead of trusting an IP address, first establish the identity of the user and device using an identity provider (IDP).

2 — Set Contextual Policies

Access policies are defined based on user, device posture, location, and app, and they all rely on a cloud service to enforce them.

3 — Improve Visibility and Adapt

Logs are used to determine which users are accessing which apps and auto-adapt based on any changes in context.

SASE Secure Access Service Edge

Secure Access Service Edge solutions provide secure access to the web, mobile, cloud services, and private applications at all times, wherever the users are, no matter what devices are used, and irrespective of where the applications are hosted — On-Premises, Private Cloud, or Public Cloud.

SSE Security Service Edge can be implemented as part of the SASE framework and usually includes an integrated or separate ZTNA (Zero Trust Network Access) capability. This means that hybrid workers can connect from any branch or location, and the extended workforce can connect via approved devices from any location.

SSE and SASE services provide advanced analytics and risk-trust scoring capabilities that enable the implementation of an identity and context-based logical access boundary around private applications and SAAS services. Remote browser isolation capabilities can also be enabled via this SASE framework.

CASB Cloud Access Security Broker

Netskope CASB, a core part of Netskope Security Service Edge (SSE), can give organizations and businesses more confidence in adopting cloud applications and services without compromising security. It provides the ability to manage unintentional or unapproved movement of sensitive data between cloud app instances, in the context of app and user risk.

CASB prevents sensitive data from being exfiltrated from your environment by risky insiders or external cyber criminals who have breached your perimeter security boundaries.

For example, it can stop malicious insiders from copying sensitive content from business email to personal email accounts. In short, CASB provides the visibility and control needed to mitigate the risks in using Public and Private Cloud Applications and Services.

CASB also supplies capabilities to automatically audit your application traffic and discover the overall risk profile across tens of thousands of applications used within your Production environment.

Risk scores are based on 50 Cloud Security Alliance (CSA) defined attributes and cover seven profiles, including security, risk, privacy, and compliance, with a +99% accuracy rate for assessing risks in applications.

Next Generation Zero Trust IAM

With the increase in Digital Transformation business initiatives globally, organizations have shifted their paradigm from the traditional closed-loop network perimeter to the modern, open-loop perimeter where apps, mobile, and tablets can be accessed anywhere globally.

In addition, organizations also need to establish trust relationships to securely enable access for various people such as contractors, employees, partners, supply chain providers, etc. This new modern perimeter needs to be protected, starting with Security Identity.

Okta IAM is an example of an IAM technology solution provider that offers a comprehensive solution set for organizations to enable Zero Trust Secure Identity.

More importantly, the world has just emerged from the COVID-19 pandemic; organizations are forced to shift to the hybrid working model and distributed workforce globally. The resources working from anywhere are now increasing, and they are all accessing resources and data (in the Cloud and On-Premises) from more devices and locations than ever before.

IAM security features such as SSO (Single Sign-On) and MFA (Multi-Factor Authentication) are becoming a must-have for most organizations. With the new modern workforce frontier, Gartner stated in 2017, in a paper published on CARTA (Continuous Adaptive Risk and Trust Assessment), that the new modern frontier requires more than just authentication and authorization: it necessitates continuous monitoring and assessment of the customer experience through adaptive risk-based assessments to identify potential threats.

Micro-segmentation

Logical or identity-based segmentation, now known as micro-segmentation, provides more granular, fine-grained access and dynamic policies for controlling East-West traffic within a particular macro segment.

Micro-segmentation can be implemented with software packages, hardware, or infrastructure overlays such as Hypervisors and IaaS, where workloads are segmented from other systems/assets.

Typically, dynamic security policies are enforced at Layer 7 of the OSI model, following the “Explicit Allow” Zero Trust model, and thereby help reduce the risk of lateral movement.
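The three ZTNA features listed earlier (verify identity first, contextual policies on user, device posture, location and app, and logs that let access adapt to context changes) and the “Explicit Allow” East-West rules of micro-segmentation rest on the same default-deny policy evaluation. The following added example, which is not code from Zscaler, Gartner or the author, implements that evaluation in one small engine; the rule names, application and tier names, and the request fields are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple


@dataclass
class AccessRequest:
    """One access attempt, with the context a ZTNA broker collects before deciding."""
    principal: str                  # user name, or workload identity for East-West traffic
    groups: List[str]               # directory groups (empty for workloads)
    target: str                     # application or workload being accessed
    port: int = 443
    mfa_verified: bool = False
    device_managed: bool = False
    device_compliant: bool = False
    location: str = "unknown"


@dataclass
class AllowRule:
    """An explicit-allow rule; any request not matched by some rule is denied."""
    name: str
    target: str
    ports: List[int] = field(default_factory=lambda: [443])
    allowed_groups: List[str] = field(default_factory=list)      # user-to-app access
    allowed_principals: List[str] = field(default_factory=list)  # workload-to-workload access
    require_mfa: bool = True
    require_managed_device: bool = True
    allowed_locations: Optional[List[str]] = None                # None means any location


def rule_failures(req: AccessRequest, rule: AllowRule) -> List[str]:
    """Return the reasons this rule does not permit the request (empty list = permitted)."""
    reasons = []
    if req.port not in rule.ports:
        reasons.append(f"port {req.port} not allowed")
    identity_ok = (req.principal in rule.allowed_principals
                   or any(g in rule.allowed_groups for g in req.groups))
    if not identity_ok:
        reasons.append("identity not on allow list")
    if rule.require_mfa and not req.mfa_verified:
        reasons.append("MFA not verified")
    if rule.require_managed_device and not (req.device_managed and req.device_compliant):
        reasons.append("device not managed and compliant")
    if rule.allowed_locations is not None and req.location not in rule.allowed_locations:
        reasons.append(f"location {req.location} not allowed")
    return reasons


def evaluate(req: AccessRequest, rules: List[AllowRule], audit: List[Dict]) -> Tuple[bool, str]:
    """Default-deny evaluation: allow only if a rule for this target passes every check.
    Every decision, allowed or not, is appended to `audit` for visibility and later review."""
    failures: Dict[str, List[str]] = {}
    decision: Tuple[bool, str] = (False, "denied (no explicit-allow rule for target)")
    for rule in rules:
        if rule.target != req.target:
            continue
        reasons = rule_failures(req, rule)
        if not reasons:
            decision = (True, f"allowed by rule '{rule.name}'")
            break
        failures[rule.name] = reasons
    if not decision[0] and failures:
        detail = "; ".join(f"{name}: {', '.join(r)}" for name, r in failures.items())
        decision = (False, f"denied ({detail})")
    audit.append({"principal": req.principal, "target": req.target, "port": req.port,
                  "location": req.location, "allowed": decision[0], "reason": decision[1]})
    return decision


def reevaluate(req: AccessRequest, rules: List[AllowRule], audit: List[Dict],
               **context_change) -> Tuple[bool, str]:
    """Continuous trust assessment: re-run the policy when session context changes
    (for example a device dropping out of compliance) so access adapts instead of persisting."""
    return evaluate(replace(req, **context_change), rules, audit)


# Constructed rule set (hypothetical app and tier names).
RULES = [
    AllowRule("finance-to-payroll", target="payroll-app",
              allowed_groups=["finance"], allowed_locations=["AU", "NZ"]),
    AllowRule("app-tier-to-db", target="db-tier", ports=[5432],
              allowed_principals=["app-tier"], require_mfa=False, require_managed_device=False),
]


def run_demo() -> List[Dict]:
    """Evaluate a few constructed requests and return the resulting audit trail."""
    audit: List[Dict] = []
    alice = AccessRequest("alice", ["finance"], "payroll-app", mfa_verified=True,
                          device_managed=True, device_compliant=True, location="AU")
    evaluate(alice, RULES, audit)                                                # allowed
    evaluate(replace(alice, mfa_verified=False), RULES, audit)                   # denied: MFA
    evaluate(replace(alice, location="US"), RULES, audit)                        # denied: location
    evaluate(AccessRequest("web-tier", [], "db-tier", port=5432), RULES, audit)  # denied: source not allowed
    evaluate(AccessRequest("app-tier", [], "db-tier", port=5432), RULES, audit)  # allowed East-West flow
    evaluate(AccessRequest("app-tier", [], "db-tier", port=22), RULES, audit)    # denied: port
    evaluate(replace(alice, target="legacy-share"), RULES, audit)                # denied: no rule at all
    reevaluate(alice, RULES, audit, device_compliant=False)                      # denied after posture change
    return audit


if __name__ == "__main__":
    for entry in run_demo():
        verdict = "ALLOW" if entry["allowed"] else "DENY "
        print(f"{verdict} {entry['principal']} -> {entry['target']}:{entry['port']}  {entry['reason']}")
```

The design point is that the engine has no "trusted network" notion at all: a workload on the same subnet as the database is denied unless a rule names it, and a user who was allowed a moment ago is denied as soon as device posture changes, with both outcomes recorded in the audit trail.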

Advanced Analytics, Identification, Detection and Response Technologies — SIEM, IDR, EDR, NDR, XDR and SOAR

With an increasing number of user and customer touchpoints and ever-changing user and customer behaviors, security monitoring and analytics are evolving as more and more data and information are captured through API integration, Event-Based Streaming, IOT Streaming, Data Replication, Publish and Subscribe Messaging, Hub and Spoke Integration, and Point to Point Integration.

SIEM Security information and event management technologies are maturing, and more options are available in the marketplace for EDR Endpoint Detection and Response, NDR Network detection and response and XDR extended detection and response.

These advanced security intelligence analytics platforms provide comprehensive user behavior analytics, alert correlation, and incident responses, and most of the higher-end security intelligence platforms now include SOAR Security Orchestration, Automation, and Response tools.

Endpoints Applications Integrations touch points and infrastructure posture can now be readily and easily assessed, and IOT telemetry data can be streamed into context-based access controls for further context-based sentiment analytics, which ultimately forms the E2E foundation of Zero Trust Architecture.

Common Organisational Problems and Challenges for Digital Security Transformation, especially Zero Trust Security Strategy Implementation

An Overview of Technical Debt

Legacy security solutions architecture and its implementation, such as traditional network segmentation, Layer 4 Firewall Filtering, and the traditional On-Premises security principle of classifying users as “Trusted” and “Untrusted”, have proven to be insecure.

The assumption that everything operating in the internal organization environment is considered safe and secure is no longer viable and valid. This is because of increased attack sophistication and increased insider threats. In today’s new Digital Era, we must go into the “Zero Trust World” where the key principle of “Never Trust, Always Verify” must apply to every user, device, location, context, and situation.

Zero Trust Network Security Approach differs from the traditional On-Premises Security Controls Implementation. A more granular Micro-segmentation of networks, compute, and resources with finer grain perimeter security controls implementation of Authentication and authorization are necessary.

With the implementation of Zero Trust Security, we need to think of the Inside Out Security Strategy instead of the Outside-In Security Strategy.

Lack of a Single Source of Truth for User Identities

Many IDAM solutions are being deployed, some On-Premises and newer ones in Multi-Cloud Ecosystems, with no federation between security directories. This opens up more potential security vulnerabilities, endpoints, and touchpoints.

With employees constantly changing roles, security policies and their enforcement are often not properly updated, violating the fundamental principles of least privileged access and least privileged Identity management.

Organizations Resistance to Change

The exercise where External Security Providers are brought in to identify excessive security privileges held by VIP end users, Senior IT Specialists, and Power Users, and then to mitigate them by changing access and authorization controls, has often proven to introduce a lot of friction, especially from those who are used to owning highly privileged accounts and who, when those privileges are suddenly removed, feel a loss of control.

This enormously impacts Change Management Workflows and Access Policies; therefore, careful planning and approach must be employed.

Lack of Skilled, Talented Resources

Most organizations will not have sufficient staff with the knowledge, skills, and capabilities to shift to the new Zero Trust Security Posture Paradigm. Even if one or two capable people exist, internal resistance may prevent them from being usefully deployed. In particular, if Insider Threats exist, engaging an External Security Provider or contractor will be more favorable and an easier way to start.

Takeaways

A well-defined scope for Zero Trust Strategy Implementation is necessary to be successful in the Enterprise Security Transformation Program.

Full Buy-In from CISO, C Level Executives, and the Board of Directors will be needed so that full support and commitment will be given to the Program.

Top-down communications at all levels “Must Be” made by all Senior Managers from both Business and Technology to get everyone on board with the “Business and Enterprise Architecture Vision.”

Develop strategies to overcome organizational “Roadblocks” through People and Culture, instilling new mindsets, getting people to embrace change, and providing education & training.

Identify business use cases based on clear “Threat Modelling” techniques and conduct workshops to brainstorm potential security vulnerabilities and threat models that pose greater risks from financial loss, reputation loss, data breaches, damages to assets, etc.

Identify legacy security solutions that can be decommissioned for obsolescence and replace them with the new Zero Trust Strategy Security Controls.

Build an HCM Human Capital Management Strategy on acquiring new Digital Talents and uplifting the existing employees’ capabilities through training, seminars, and hands-on experiences.

Identify trusted co-sourcing business partners and advisors to join the journey and realize the complex business initiatives.

Conclusions

Considering the global impact and cost of cybersecurity crimes, business and government organizations need to start thinking about developing a Zero Trust Security Strategy as soon as possible with the increasing global risks of the growing number of “Bad Actors” both externally and “Insider Threats.”

You may seek an External Security Provider or Trusted Advisor, such as an Enterprise Security Architect or Enterprise Security Advisor, to conduct thorough Current State Assessments and work with C-Level Executives and critical business and technology stakeholders to produce a comprehensive Zero Trust Enablement Strategy Paper first.

Thereafter, you can work collaboratively on the priorities, the budget, the resources, and the scope of the security transformation initiatives.

Thank you for reading my first article. I look forward to your feedback. You may connect with me on LinkedIn, where I write articles on Enterprise Architecture.


David Pui | Digital Transformation Architect
Technology Hits

A seasoned Enterprise Architect and Solutions Architect who is passionate about Digital, Data, Cloud and Security Transformation. Enjoy reading and writing.