RSA 2022: Take It From the Top: Getting Started with Zero Trust
Many enterprises have pieces of the Zero Trust puzzle on hand already - it’s time to complete the picture
The embrace of Zero Trust cybersecurity concepts by NIST, combined with President Biden’s 2021 Zero Trust executive order, signals that all organizations must change their thinking about cybersecurity. The first step: grasp the concept of Zero Trust.
But the journey to Zero Trust can be arduous and take years to unfold. Getting there requires strong leadership, ongoing education, executive and employee buy-in, and incremental implementation.
It’s a challenge that Broadcom Software customers are keenly familiar with given how rapidly applications are migrating to live in the cloud and the edge, with perimeters disappearing, and users now working across the globe. The Zero Trust model rests upon one fundamental tenet: don’t trust any actor, system, network, or service operating outside or within the security perimeter.
But although Zero Trust is relatively new, many of the underlying concepts are not – indeed, some of its underpinnings, such as least-privileged access, have been applied for many years. In fact, the origins behind Zero Trust go back nearly two decades. In this sense, what’s old is new again. The big difference is how we go about doing it.
It was a message panelists returned to time and again during an RSA 2022 session, “What is Zero Trust? What isn’t Zero Trust? Let’s Make Sense of This!”
But first, it's important to recognize that Zero Trust is not a product. You can’t press a button. Rather, it’s a strategic initiative where the goal is to get to the lowest manageable level of trust by removing what the adversary needs to be successful.
We already have the tools we need to get to Zero Trust if we use the information in a repeatable, automatic, and intelligent way. Although least-privileged access and defense-in-depth are not new, Zero Trust requires moving to the next step, which is “just-in-time” access based on roles. Basically, you get earned trust when access is required.
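The “just-in-time, role-based” idea above is easier to reason about in code than in prose. The following is an added example, not code from the RSA session or from Broadcom Software: a small default-deny policy engine in which trust is never standing, but granted for a specific role on a specific resource, approved by someone other than the requester, bounded in time, and re-checked together with device posture on every request. The role table, timestamps, user names and resource names are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample role model: which actions each role may perform on each resource.
ROLE_PERMISSIONS: dict[str, dict[str, set[str]]] = {
    "db-admin": {"prod-db": {"read", "write"}},
    "analyst": {"prod-db": {"read"}},
}


@dataclass
class Grant:
    principal: str
    role: str
    resource: str
    expires_at: datetime
    approved_by: str


@dataclass
class AccessRequest:
    principal: str
    resource: str
    action: str
    device_compliant: bool  # posture signal, e.g. from endpoint management (assumed input)
    now: datetime


class JitPolicy:
    """Default-deny policy engine with time-bounded, role-scoped elevation."""

    def __init__(self, max_ttl: timedelta = timedelta(minutes=30)) -> None:
        self.max_ttl = max_ttl          # ceiling on how long any elevation may live
        self.grants: list[Grant] = []
        self.audit: list[str] = []      # every decision about elevation is recorded

    def request_elevation(self, principal: str, role: str, resource: str,
                          now: datetime, ttl: timedelta, approved_by: str) -> Grant | None:
        # Trust is earned only when needed: the elevation must map to a known role/resource,
        # be approved by someone other than the requester, and expire on its own.
        if resource not in ROLE_PERMISSIONS.get(role, {}):
            self.audit.append(f"DENY elevation {principal} role={role} resource={resource}: unknown role/resource")
            return None
        if approved_by == principal:
            self.audit.append(f"DENY elevation {principal}: self-approval")
            return None
        ttl = min(ttl, self.max_ttl)    # clamp the requested lifetime to the policy ceiling
        grant = Grant(principal, role, resource, now + ttl, approved_by)
        self.grants.append(grant)
        self.audit.append(f"GRANT {principal} role={role} resource={resource} "
                          f"until {grant.expires_at.isoformat()} approved_by={approved_by}")
        return grant

    def decide(self, req: AccessRequest) -> tuple[bool, str]:
        # Every request is evaluated fresh: device posture first, then an unexpired grant
        # for this principal and resource, then the role's permission for the exact action.
        # Anything that does not match falls through to deny.
        if not req.device_compliant:
            return False, "device not compliant"
        for g in self.grants:
            if g.principal == req.principal and g.resource == req.resource and req.now < g.expires_at:
                if req.action in ROLE_PERMISSIONS[g.role][g.resource]:
                    return True, f"active grant role={g.role} expires={g.expires_at.isoformat()}"
                return False, "action not permitted by role"
        return False, "no active grant (default deny)"


def run_demo() -> dict:
    """Walk through the lifecycle of one just-in-time grant with constructed inputs."""
    t0 = datetime(2022, 6, 6, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    policy = JitPolicy()
    results: dict = {}
    # 1. No standing access: the same user is denied before any grant exists.
    results["before_grant"] = policy.decide(AccessRequest("alice", "prod-db", "read", True, t0))
    # 2. Elevation requested for 2h, approved by a second person; clamped to the 30 min ceiling.
    grant = policy.request_elevation("alice", "db-admin", "prod-db", t0, timedelta(hours=2), approved_by="bob")
    results["ttl_minutes"] = int((grant.expires_at - t0).total_seconds() // 60)
    # 3. While the grant is live and the device is healthy, both role actions are allowed.
    t5 = t0 + timedelta(minutes=5)
    results["read_during_grant"] = policy.decide(AccessRequest("alice", "prod-db", "read", True, t5))[0]
    results["write_during_grant"] = policy.decide(AccessRequest("alice", "prod-db", "write", True, t5))[0]
    # 4. A valid grant does not help from a non-compliant device.
    results["noncompliant_device"] = policy.decide(AccessRequest("alice", "prod-db", "read", False, t5))
    # 5. After expiry the user is back to default deny without anyone revoking anything.
    results["after_expiry"] = policy.decide(AccessRequest("alice", "prod-db", "read", True, t0 + timedelta(minutes=45)))
    # 6. Self-approval is refused.
    results["self_approval"] = policy.request_elevation("dave", "db-admin", "prod-db", t5,
                                                        timedelta(minutes=10), approved_by="dave")
    # 7. A grant for a narrower role only unlocks that role's actions.
    policy.request_elevation("carol", "analyst", "prod-db", t5, timedelta(minutes=10), approved_by="bob")
    results["analyst_write"] = policy.decide(AccessRequest("carol", "prod-db", "write", True, t5 + timedelta(minutes=1)))
    results["audit"] = list(policy.audit)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that nothing in `decide` consults a persistent “trusted user” flag: each call re-derives the answer from posture, an unexpired grant and the role’s permission set, so revocation is a matter of letting time pass or deleting one `Grant`, and the audit list gives the SIEM a record of who granted what to whom and for how long.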
The panelists recommended a tried-and-true approach to any implementation: start small and grow gradually. In practice, that means moving from any antiquated design to Zero Trust by adding endpoint agents and replacing firewalls. But those are large tasks. You don’t have to go from a rock to nuclear fusion all at once. You get one thing done and then you can see what else to do.
Their conclusion: it’s best to identify the most vital systems across an organization and prioritize Zero Trust protection for those. Before starting out, understand the critical business systems across the organization. Then find where the business makes money and start by taking care of that ‘chewy center’.
The enterprise world isn’t starting from scratch. Many organizations have pieces of the Zero Trust puzzle on hand already and should put them to work. Look at what you have today. Integrate current technology to support what you are trying to do – and then start driving outcomes with what you have.
Even though many constituent technologies like SIEM, ITSM, CMDB and endpoint management systems might already be in place, Zero Trust should integrate with them so they work better. In this constellation, think of Zero Trust acting as a central nervous system.
Faced with the daunting challenge of implementing Zero Trust, cybersecurity leaders should not hesitate to turn to the cloud. In fact, leveraging the experience of a trusted service provider can speed the process. And if you start with a service, you’re also likely to be investing way less than you otherwise would.
Cloud-based Zero Trust services can be an excellent choice for small and mid-sized businesses (SMBs). Indeed, SMBs can get to Zero Trust more easily than larger organizations because they have smaller environments and less invested in legacy tools. Whatever rationalizations they might have for delay, smaller companies have run out of excuses not to implement Zero Trust.
Faith, Yes; Trust, No
Not to be overlooked is the human side of a Zero Trust implementation. Faced with employees who might bridle at being told they’re not to be trusted, tact is needed. It’s not zero faith; it’s about removing trust so bad guys can’t leverage that against the rest of us.
Panelists noted that we often tend to focus on the technology and execution. But the educational aspect is very important. The best approach is to explain gently to employees that devices can be compromised and that this has nothing to do with whether the employees themselves are trustworthy.
Over the years, we have gathered many lessons from Zero Trust implementations and that valuable experience can be instructive about what to expect in the future. So, once a leader has set the direction and gotten buy-in, an organization is well on its way. The important takeaway is to understand the philosophy and to grasp why Zero Trust should be the strategy. After all, if you can get everyone rowing in that direction, the rest will come in time.
Contact Broadcom Software now to see how we can help you achieve Zero Trust at scale.