On the road to Zero Trust

At the airport, at home, in a hotel room, on the road – the number of places from which people access business data and applications to get work done, are as many and varied as the cyber threats that are out there lurking, waiting to pounce on an unsuspecting user.

Gone are the days when you could encircle the corporate network, and allow a few privileged users access from the outside by tunnelling under the perimeter via a VPN (virtual private network). That approach is costly and unable to scale to meet the security challenges that have arisen with the advent of the post-Covid hybrid working environment. Digital transformation and the migration to the cloud have rendered the concept of a network perimeter obsolete.  

Hence the rise of the Zero-Trust security model, which replaces the traditional approach where everything within a defined area can be trusted, and everything outside it cannot. In a recent Gartner® report¹, ‘Outcome-Driven Metrics You Can Use to Evaluate Your Zero-Trust Initiative’ Gartner, Inc states: “A zero trust architecture removes these implicit trusts (e.g., “This user is inside my security perimeter”) and replaces them with adaptive, explicit trusts (e.g. “This user is authenticated with multifactor authentication from a corporate laptop with a functioning security suite”).”

In two years (July 2021 – July 2023), Gartner has seen a 27% increase in Zero Trust inquiries, and “By 2026, 10% of large enterprises will have a comprehensive, mature and measurable zero-trust program in place, up from less than 1% today.”.

At Spark, we intend to be among the 10%. We are on a multi-year journey to implement Zero Trust, which includes one of its components - SASE (Secure Access Service Edge). This latter term was coined by Gartner, Inc. to describe a cloud architecture model that combines network security functions (SSE) with WAN capabilities (SD-WAN) and delivers them as a single cloud service.

‍

Zero Trust is a journey, not a destination

Spark is a multi-faceted organisation – a telco, as well as one of Aotearoa’s largest providers of digital services such as IT, security, and cloud to businesses of every size throughout the country. Our data centre footprint across the country is substantial, and we are an industry leader in trending technologies such as big data and artificial intelligence.

In common with most large enterprises, Spark has evolved organically over time, we carry technical debt and we have inherited different technology stacks and operating models through our various mergers and acquisitions. Our business unit’s each present with unique situations, which our security teams need to take into account. Aligning to Zero Trust principles creates a uniform and consistent security approach across the organisation.

Zero Trust is therefore a journey, in which we have learned to walk before we can run. And it is not one in which our security team can travel solo, because it requires a cultural change within the organisation– from thinking security is something IT worries about, to understanding everyone in the business has to take responsibility for tackling the modern threat landscape.

Furthermore, this responsibility extends to business partners. Most New Zealand businesses are part of a supply chain in which confidential or sensitive data about customers is held. Therefore, everyone in that supply chain, as well as the end consumer, must have confidence that information is secure. Zero Trust is fast becoming the common standard around enterprise security maturity.

There are a number of helpful Zero Trust maturity and implementation frameworks that can be referred to, to give your business confidence that you are on the right track. These include such as CISA or CSA.

‍

Articulating the risks and benefits to stakeholders of Zero Trust

Having decided that a Zero Trust architecture will be the foundation for our security, the key to success lay in turning our senior leadership team (what we call our Leadership Squad) and Board into advocates for this approach.

It’s an age-old challenge for IT in general and security in particular – to demonstrate how we provide value, to show we are more than a cost centre. And while Zero Trust is the ultimate business enabler – because it means every user can safely carry out their work wherever they are – achieving it has the potential to be disruptive.

The quickest way to gain executive understanding is to communicate in their language – and that is KPIs.

- Zuoxin (Shawn) Wang, Spark Governance, Risk and Architecture Chapter Lead & Ahmed Ali, Spark Network and Security Chapter Lead

So, in order to gain the confidence of our Leadership Squad and Board, we created a security maturity assessment with a clear set of metrics that demonstrate our progress.

Gartner, Inc notes that “Defining and continuing to manage the scope of zero trust is critical for organisations in order to meet their goals, and not all efforts will have the same requirements.” Also “By customizing the ODMs in this research and aligning your current protection status to these metrics, you can reduce risk and deliver business-appropriate results.” .

An example that Gartner, Inc. provides is under a category labelled ‘Strength’, the metric is a “percentage of users with entitlements reviewed at least annually”, and the calculation is “number of user entitlement reviews performed in the last 12 months/total number of users”.

This ODM can be presented as a data point on a dashboard, and served up to the Board and senior leaders in a way that shows progress (or lack thereof) towards Zero Trust maturity.

‍

Process, not product, key to successful Zero Trust implementation

At Spark, we are clear that gaining Zero Trust is a multi-year programme of activity, which requires us to work alongside our business stakeholders to achieve the best outcome. But often when we talk to our customers, we find that they view it as more akin to purchasing a solution off the shelf to implement a Zero-trust solution, and then walk away.

A Fortinet survey of 570 IT and security leaders shows they are not alone. It found that “in 2021, 40% of respondents indicated that their zero-trust strategy was fully implemented, but in 2023, only 28% reported having a complete zero-trust solution in place.”

The report concluded that this indicates achieving Zero Trust is more difficult than first thought, and that many organisations are now rethinking their initial assessment. “Some challenges probably didn’t become obvious until a number of solutions were in place. Getting isolated point solutions to work together is notoriously difficult and troubleshooting workarounds can consume significant IT resources,” the report notes.

As this report shows, and our own experience attests, if you want to get to true Zero Trust, you need to plot a careful path, take your time on the journey, and bring the business along with you. The end goal being that, when your Zero Trust maturity increases, the employee logging in from the airport not only has a seamless experience but is also protected against modern threats in the process.

If you are looking to begin your Zero Trust journey or grow your Zero Trust maturity, our team are here to help you set your course.

The full Gartner, Inc. report ‘Outcome-Driven Metrics You Can Use to Evaluate Your Zero-Trust Initiative’ has been made available for Insight Engine readers for a limited time here.

ABOUT THE AUTHORS‍

Shawn Wang brings over 18 years of experience, specialising in IT Risk management, Security Architecture Design, Information Security Governance, and Cyber Security. Shawn's extensive background has positioned him as a trailblazer in the industry, consistently staying ahead of evolving threats and renowned for innovative approaches to security.

Ahmed Ali is a leader in network and security with over 17 years experience in security architecture and implementing complex technical security capabilities.  Ahmed is passionate about security being a business enabler and works with enterprise and government organisations to address business security needs through a risk-based approach to find the right balance of mitigation and enablement.

¹Gartner, Outcome-Driven Metrics You Can Use to Evaluate Your Zero-Trust Initiative, Charlie Winckless, Paul Proctor, Thomas Lintemuth, 16 October 2023.

GARTNER® is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.