Why zero-trust requires organisational change

Security professionals are grappling with technology evolution, ever-present cyber threats, new ways of working, and the need to reduce friction so that employees have productive access to data, systems, and applications. Zero trust is leading the change, providing a framework against which activity is assessed and authorised to mitigate risk and provide a good user experience. However, leaders in zero trust must recognise that current or classic organisational structures may be a barrier to this essential transformation. Only through cross-functional co-ordination can a zero trust initiative succeed.

Trust must shift from the network to identity

Trust used to be just about the network. If an individual was on the network, they were trusted to potentially access and view all applications and data, as well as the hosts they resided on. Now, employees are often on the internet more than on the corporate network, accessing applications and data from everywhere. Corporate data has become more distributed and resides outside the traditional network perimeter in, for example, SaaS applications such as Microsoft 365, Salesforce, or Workday.

Zero trust stipulates that no user or application should be implicitly trusted. It takes the stance that everything is hostile, and only establishes trust based upon user identity and context, with policy serving as gatekeeper at every step of the way. It is an approach that is not only about technology. It goes beyond tools to a change in architecture and philosophy.

Fundamentally, zero trust removes or reduces trust in networks. The security question becomes one of access: who and what may reach which resource, rather than where the request originates. After all, home working has expanded the corporate estate, while 5G may mean future organisations do not have cables or networks at all.

Zero trust has no single natural owner

However, when we consider current roles and responsibilities within an organisation, we discover that governing the security of access comes with a problem. There is no single natural owner of zero trust, and the multiple functional owners who have a stake in it do not, individually, have the means to deliver it. Zero trust is a comprehensive security approach because it requires that the user, the path they access through, the endpoint they access from, the environment they are going to, and the workload itself are all verified as trusted.

Consider the inherent factors of zero trust and how they map to organisations. The first point to make is that, ironically, zero trust is all about trust, but trust that can be tested to deliver a much higher level of validation than was possible before. In a zero trust model, activity must pass a trust test at every stage of:

Identity – Establishing trust in the person, application, or process on the other side of the connection. Some identity responsibilities sit within HR, but this tends to be an IT function.

The access path – The trusted identity must be carried along the path and enforced there, because routed IP addresses no longer confer any inherent trust. Ownership here is with networks.

The endpoint – This is a security function. Internet access reduces trust in the perimeter, necessitating that it reside instead with the device. However, trust in the endpoint is still continually reassessed, which is made possible by the rapid pace of endpoint control development. For example, a smart device connecting to an asset from London that then connects from New York a moment later should not be trusted. This will always be owned by an organisation’s End User Compute or a similar team.

Cloud – Cloud environments reduce implied trust in server locations. Instead, trust in the environment and host management must be continually evaluated and trust principles in remote workloads enforced. This is the preserve of IT management, server management, and data centre operations.

The workload – Protecting workloads removes trust from local network and inter-process communications. If a packet arrives that is local to a device, it is not trusted just because it is local. Instead, logic and controls are applied to assess trust. Ownership of this function generally resides with application operations or service owners.
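The five trust tests above are usually enforced by a policy decision point that looks at every signal on each request rather than at the network location alone. The following is an added example (not code from the original article or from any product it mentions) of such a check in Python: it evaluates identity, access path, endpoint posture, environment and workload for one request and reports every failed test, including the London-then-New-York case used in the text. The thresholds, inventories, field names and the two sample requests are constructed assumptions for illustration only.

```python
"""Five-stage zero trust policy check (constructed example, not a product's policy engine)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

# All thresholds and inventories below are constructed assumptions for the example.
MAX_PLAUSIBLE_KMH = 1000.0                          # faster than this between sightings is "impossible travel"
TRUSTED_PATHS = {"ztna-broker"}                     # access paths that carry and enforce the verified identity
ATTESTED_HOSTS = {"app-host-01"}                    # environment hosts whose management state is verified
WORKLOAD_CALLERS = {"payroll-api": {"hr-portal"}}   # which service identities may reach which workload


@dataclass(frozen=True)
class Sighting:
    """Where and when an endpoint was seen."""
    lat: float
    lon: float
    at: datetime


@dataclass(frozen=True)
class AccessRequest:
    subject: str                    # identity: who is on the other side of the connection
    mfa_verified: bool
    path: str                       # access path: how the connection reached us
    device_managed: bool            # endpoint posture
    device_disk_encrypted: bool
    previous: Optional[Sighting]    # endpoint: last sighting of this device, if any
    current: Sighting
    target_host: str                # environment: where the request is going
    workload: str                   # workload: what is being called ...
    calling_service: str            # ... and by which service identity


def haversine_km(a: Sighting, b: Sighting) -> float:
    """Great-circle distance between two sightings in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(previous: Optional[Sighting], current: Sighting) -> bool:
    """True when the implied speed between two sightings exceeds what any traveller could manage."""
    if previous is None:
        return False
    km = haversine_km(previous, current)
    hours = (current.at - previous.at).total_seconds() / 3600.0
    if hours <= 0:
        return km > 0.0  # two different places at the same instant cannot both be genuine
    return km / hours > MAX_PLAUSIBLE_KMH


def evaluate(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Run the request through all five trust tests; every failure is reported, not just the first."""
    failures: List[str] = []
    if not req.mfa_verified:
        failures.append("identity: subject has not completed strong authentication")
    if req.path not in TRUSTED_PATHS:
        failures.append("path: connection did not arrive through a path that carries verified identity")
    if not (req.device_managed and req.device_disk_encrypted):
        failures.append("endpoint: device posture does not meet policy")
    if impossible_travel(req.previous, req.current):
        failures.append("endpoint: impossible travel between consecutive sightings")
    if req.target_host not in ATTESTED_HOSTS:
        failures.append("environment: target host is not in the attested inventory")
    if req.calling_service not in WORKLOAD_CALLERS.get(req.workload, set()):
        failures.append("workload: calling service identity is not permitted for this workload")
    return (not failures, failures)


def sample_requests() -> Tuple[AccessRequest, AccessRequest]:
    """Two constructed requests: a compliant one, and the London-then-New-York case."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    london = Sighting(51.5074, -0.1278, t0)
    london_an_hour_later = Sighting(51.5074, -0.1278, t0 + timedelta(hours=1))
    new_york_a_minute_later = Sighting(40.7128, -74.0060, t0 + timedelta(minutes=1))
    base = dict(subject="alice", mfa_verified=True, path="ztna-broker",
                device_managed=True, device_disk_encrypted=True, previous=london,
                target_host="app-host-01", workload="payroll-api", calling_service="hr-portal")
    good = AccessRequest(current=london_an_hour_later, **base)
    suspicious = AccessRequest(current=new_york_a_minute_later, **base)
    return good, suspicious


if __name__ == "__main__":
    for request in sample_requests():
        print(request.current, evaluate(request))
```

Note that `evaluate` deliberately does not stop at the first failure: each reason maps to one of the functional owners named in the list above (identity, networks, End User Compute, IT or server management, application operations), so a complete list of failed tests tells the programme which teams must act.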

Zero trust calls for co-ordination across functions

Several functional owners need to effect change in order to implement zero trust and, individually, they do not have responsibility for all of the tools, meaning that change, if it comes at all, may be difficult and slow.

Over time, zero trust may transform roles and responsibilities within organisations to better reflect the multi-functional impact it has. Companies would be organised less around infrastructure and more around rules because the rules of zero trust span multiple functions.

For now, absent a fundamental rethink of organisational structure, companies with zero trust initiatives must recognise that implementation is not going to be a one-stop shop. They will require co-operation and co-ordination between identity services, networks, endpoint security, application teams and IT management. Therefore, strategic as well as programme management will be essential for zero trust success.

Author

  • Marc Lueck

    Marc is a senior security practitioner with more than 20 years of experience across multiple industry sectors, with special knowledge of insurance and financial services. With a strong technical background, Marc has spent the past 10 years leading security improvement programmes for the likes of Pearson, T-Systems and Symantec. Marc has been at Zscaler as the EMEA CIO for nearly two years and has particular specialties in enterprise security management, threat intelligence, compliance and security architecture. Marc is also an advisory board member of Club CISO, a security leadership peer group.
