20 Apr 2021

Putting Zero Trust into Action

Guest blog: Martin Borrett, CTO IBM Security EMEA and Jason Keenaghan, Zero Trust Strategy Leader WW as part of our #Cyber2021 week.

Trust. This isn’t a new concept. Many organizations – IBM included – talk about trust in the value statements we share with the world. Our customers demand it. Our reputation relies on it. It’s essential to everything we do.

All of our businesses strive to build reputations of being a ‘trusted partner’ or ‘trusted supplier.’ We do this:

  • By developing quality products that deliver valued outcomes to our customers and by delivering them reliably, however and whenever they are needed.
  • By closely guarding the data and personal information for every user within our business ecosystem – from employees to customers.
  • By striving to be transparent when things go wrong. By putting our hands up, being accountable and working quickly to rectify any mistakes.

And while these, among other elements, dictate how a business builds trust, good cybersecurity is how you retain that trust. When cybersecurity is integrated into every aspect of the business, it becomes part of the daily actions and routines for you and every user in the organization’s ecosystem. It’s embedded into every operation, infused into every policy and wrapped around every transaction.

But to do this right, we must change the way we think about and implement cybersecurity. Zero trust offers a better way to address the complexity in security that is challenging our businesses today.

The philosophy behind a zero trust approach is simple: Nothing is trusted. Each user, each device, and each connection into your business must be continuously authenticated, authorized and repeatedly verified.

While the definition of zero trust may be simple, executing this strategy can be incredibly complex. Numerous security tools must work together to make zero trust a reality. Different teams must communicate and agree on priorities and policies to make security consistent and effective. Information from every security discipline must be combined to inform access decisions that can be enforced quickly and to make threat response faster.

Zero trust is a journey. Where you start or where you go next is not the same for everyone. That decision is tightly connected with what you are trying to achieve – not just as a cybersecurity program, but as a business. We have seen many organizations progress their zero trust journey by focusing on a specific security domain, for example Identity or Network, or by implementing a specific security technology like Zero Trust Network Access (ZTNA). But those clients that are most successful, and that will realize a faster return on their investment, are aligning their zero trust initiatives with their top business initiatives. While by no means an exhaustive list, there are four initiatives that will benefit greatly from taking a zero trust approach:

  • Securing the remote workforce
  • Protecting the hybrid cloud
  • Preserving customer privacy
  • Reducing the risk of insider threat

Each of these initiatives has clear business outcomes associated with it. In order to be successful, each requires strong, integrated, multi-domain security capabilities. By applying the zero trust principles of least privilege, never trust, always verify and assume breach, you can: build a workforce that securely connects and works from anywhere, on any device, accessing data on any infrastructure; migrate operations to the cloud with confidence, with integrated security controls and visibility across environments; deliver dynamic customer experiences grounded in privacy and security; and reduce business disruption by responding to attacks quickly with a targeted approach.

While tools and products can help enable zero trust, they alone are not the answer. In many cases, you may already have the right building blocks in your environment to work from. Focus on the outcomes you are trying to achieve. Assess what you have available to you in your environment. Where there are gaps identified, look for a solution that can integrate seamlessly into your existing toolset. And build a deployment roadmap that starts small and iteratively builds on your foundation.

Growing and supporting a business that is built on a reputation of trust starts with a cybersecurity program that is built on zero trust. When the time comes for you to tackle the challenge of another business initiative, you will find that you are already well on your way, because you were taking a zero trust approach from the start.

Dan Patefield

Head of Cyber and National Security, techUK

Jill Broom

Programme Manager, Cyber Security, techUK

Annie Collings

Programme Manager, Cyber Security and Central Government, techUK

Raya Tsolova

Programme Manager, techUK

Tracy Modha

Team Assistant - Markets, techUK