Companies now spend an abundance of time, energy, and dollars building trust with their various stakeholders—except, that is, when it comes to those accessing their computer networks. The goal there is to thwart cyber attackers, especially as they become ever-more sophisticated. And that requires erasing implicit trust from internal networks.
To get there, the familiar “trust, but verify” approach is being supplanted by “never trust, always verify” as expressed through a “Zero Trust” security framework, with a starting assumption that all network traffic, no matter its pedigree, may be malicious. The aim: restrict network access for all users and devices, apply security controls that hide applications not required by the user, and authenticate and continuously validate identities. The ultimate goal is to enforce a risk-based and contextually aware access control posture for all network connections to corporate applications and data, whether hosted on premise or in the cloud.
The Zero Trust concept represents a dramatic shift from the castle-and-moat approach, which focuses on fortifying the perimeter to deter outsiders from accessing corporate data, while implicitly trusting insiders. In the past, IT infrastructures had well-defined perimeters. But those boundaries have grown blurry as a result of evolving business models, shifting workforce dynamics, and complex and hyper-connected IT environments. Companies have migrated their applications from data centers to the public cloud, with endpoints expanding to include mobile devices, bring your own device (BYOD) technologies, and a proliferation of web-enabled smart devices (e.g., Internet of Things [IoT]). Far from contained, the modern technology ecosphere can look dangerously ubiquitous.
CFOs can calculate the potential costs of not investing in Zero Trust. The average cost of a data breach has reached $4.24 million, an increase of nearly 10% over last year, according to a recent study.1 In instances where higher levels of remote work were a contributing factor, that cost rose to $4.96 million. High-profile ransomware threats that effectively lock users out of their own systems and demand hefty payments before giving them the key (or not) have drawn attention to the costly reputational—and possibly legal—ramifications of a cyber breach. Supply chain infrastructures, targeted through third-party software and service providers, have also been victimized. Moreover, the pandemic has likely increased finance leaders’ awareness of the cost of business disruptions, while having to equip a remote workforce highlighted the need to modernize their capabilities for enabling secure remote access.
Finance leaders in the midst of leading or co-leading a broader transformation initiative (42% of CFOs, according to Deloitte’s CFO Signals™ survey for the second quarter of 2021), for example, may want to make modernizing their security model part of that effort. And for the many businesses offering a hybrid work model, the security model needs to adapt to that shift.
In the past, well-constructed firewalls were sufficient to deter intruders. Companies now need modern armaments to fend off attackers from many endpoints, including employee devices and IoT-enabled technologies. Companies also need to secure and manage hybrid and multi-cloud environments alongside legacy infrastructures—an effort that can become mired in complexity and operational overhead, as well as talent and skills shortages. Zero Trust, which is both a methodology and a mindset, can help accomplish the task of securing an increasingly intricate IT ecosystem by applying various technologies and governance processes to an ever-challenging risk landscape.
The phrase “Zero Trust” refers to the fact that any connection request to a corporate system or network must be treated as if it were a breach. Traditionally, remote users gained access by signing on to a virtual private network (VPN). Their assigned IP address served as a free pass, enabling them to go anywhere in the network. Malicious intruders, for instance, might be able to take advantage of this unfettered access to move laterally within the network by exploiting system vulnerabilities and compromised credentials in hopes of gaining access to sensitive information or critical systems. Zero Trust Network Access (ZTNA), by contrast, employs security controls to expose only the applications a user needs, thereby preventing anybody from exploring any part of the network to which they don’t need access.
In addition, the user’s network access can be assessed, with access modified dynamically based on changing environmental conditions or user behavior (e.g., detection of malware on the endpoint may result in loss of network access or infrequently accessed applications may require additional step-up authentication). The ultimate goals of a ZTNA solution are to enforce the concept of ‘least privilege’ and contain the blast radius of a potential cyber-attack.
Prior to setting off on a transformation to Zero Trust, companies should develop a clear understanding of what they need to protect, determining where the assets that most need defending reside, who and what should be able to access these assets, and under what conditions. They should also determine the criticality of different types of data, the distinct classifications they want to apply, the environmental conditions under which access occurs, and, ultimately, which users and devices need privileges to access that data. If an access request looks suspicious, a ZTNA solution should be designed to block its path.
Implementing Zero Trust typically requires breaking down the company’s IT security domains into its foundational elements. Rather than even attempt to apply Zero Trust across the entire business, CFOs and other business leaders might want to analyze the seven Zero Trust domains that support IT security, prioritizing them and mapping a plan for moving up the maturity model for each. Maturing Zero Trust capabilities should take a risk-based approach to enforcing “least privilege” access, meaning that users and applications should be able to access what they need and nothing more.
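The access-decision behavior described above (expose only the applications a user is entitled to, deny sessions from an endpoint that fails its posture check, and require step-up authentication for infrequently used or restricted applications) can be illustrated with a small policy decision point. The following is an added example written for this article, not code from Deloitte or from any ZTNA product; the users, devices, applications, classification labels and access counts are constructed, and the thresholds and ordering of checks are assumptions rather than a standard.

```python
"""Toy Zero Trust policy decision point (assumed design, not a product's API)."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # grant the session
    STEP_UP = "step_up"    # grant only after additional (e.g., MFA) authentication
    DENY = "deny"          # refuse the request and record it for monitoring


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    app: str


@dataclass
class PolicyContext:
    entitlements: dict        # user -> set of apps the user is allowed to reach
    device_healthy: dict      # device_id -> True if the endpoint passed its posture check
    app_classification: dict  # app -> "internal" or "restricted" (constructed labels)
    recent_accesses: dict     # (user, app) -> accesses in the recent window (constructed)


def visible_apps(user, ctx):
    """Apps the broker exposes to this user; everything else stays invisible to them."""
    return sorted(ctx.entitlements.get(user, set()))


def evaluate(req, ctx, step_up_below=3):
    """Return (Decision, reason). Every request is evaluated; nothing is trusted by default."""
    # 1. Endpoint posture: an unknown or unhealthy device loses network access entirely.
    if not ctx.device_healthy.get(req.device_id, False):
        return Decision.DENY, "endpoint failed posture check (unknown or unhealthy device)"
    # 2. Least privilege: the app must be in the user's entitlements.
    if req.app not in ctx.entitlements.get(req.user, set()):
        return Decision.DENY, "application not in user's entitlements"
    # 3. Contextual signals: restricted data or an unusual app for this user needs step-up.
    if ctx.app_classification.get(req.app) == "restricted":
        return Decision.STEP_UP, "restricted data classification"
    recent = ctx.recent_accesses.get((req.user, req.app), 0)
    if recent < step_up_below:
        return Decision.STEP_UP, f"infrequently accessed ({recent} recent accesses)"
    return Decision.ALLOW, "healthy device, entitled user, routine access"


# Constructed sample context: hypothetical users, devices and applications.
SAMPLE_CTX = PolicyContext(
    entitlements={"alice": {"erp", "payroll", "wiki"}, "bob": {"wiki"}},
    device_healthy={"laptop-01": True, "laptop-02": False},
    app_classification={"erp": "internal", "payroll": "restricted", "wiki": "internal"},
    recent_accesses={("alice", "wiki"): 12, ("alice", "erp"): 1, ("bob", "wiki"): 5},
)


def run_samples(ctx=SAMPLE_CTX):
    """Evaluate a set of constructed requests and return (user, app, decision) tuples."""
    requests = [
        AccessRequest("alice", "laptop-01", "wiki"),     # routine use -> allow
        AccessRequest("alice", "laptop-01", "erp"),      # rarely used app -> step_up
        AccessRequest("alice", "laptop-01", "payroll"),  # restricted data -> step_up
        AccessRequest("alice", "laptop-02", "wiki"),     # unhealthy endpoint -> deny
        AccessRequest("bob", "laptop-01", "erp"),        # not entitled -> deny
    ]
    return [(r.user, r.app, evaluate(r, ctx)[0].value) for r in requests]


if __name__ == "__main__":
    for user, app, decision in run_samples():
        print(f"{user:6} -> {app:8} {decision}")
    print("bob sees:", visible_apps("bob", SAMPLE_CTX))
```

The order of the checks matters: device posture and entitlement are hard gates that produce a deny before any contextual signal is consulted, so a compromised endpoint never reaches the step-up path, and a user who is not entitled to an application is never told whether it exists. In a real deployment the context would be fed continuously from the identity provider, endpoint management and telemetry platforms rather than from static dictionaries, and each decision would be logged to the central monitoring system.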
Below is a list of the seven Zero Trust domains and associated descriptions within the context of this leading framework.
- Identities serve as the new perimeter and are the core component of any Zero Trust architecture. Centralize authentication and authorization to enable your workforce to access enterprise resources quickly and securely with streamlined authentication and access management.
- Workloads are applications or services being accessed by users—whether they are hosted on legacy infrastructure or in cloud environments. They can be hardened, segmented, and monitored on a granular level with adaptive actions taken in the case of risk, such as limiting access or blocking uploads to specific applications.
- Data should be at the core of an effective Zero Trust strategy. It should be classified and protected in-transit over the network, at rest when stored in the cloud, or on-premises, with advanced data discovery, encryption, and loss-prevention capabilities in place to protect sensitive data.
- Networks carry traffic between users, devices, and applications, with controls that segment (block unintended network communications), monitor, and analyze activity, operating on the assumption that all network connection requests are inherently untrustworthy.
- Devices can entail managed/known types as well as unmanaged (e.g., BYOD) and smart devices (e.g., IoT) that connect to an organization’s enterprise assets. Devices should be subjected to continuous assessment for risks and threats; the identity of each device, as well as the user logged in and other contextual signals, should be considered to inform risk-based adaptive access decisions—for instance, what applications that user frequently relies on—to catch anomalies that could indicate a potential intruder.
- Telemetry and analytics collects data from relevant security controls into a centralized monitoring system for event correlation and advanced analysis that can detect suspicious and potentially malicious behaviors. Threat intelligence should also be integrated to enable a threat-driven security posture for the organization.
- Automation and orchestration enables a more proactive security posture by automating detection, prevention, and response actions through integrated security controls. Security operations can ultimately be more productive through automation of investigative tasks in response to an ever-growing flood of security alerts. Integration of the organization’s security systems allows for orchestration of pre-defined incident response activities in near real time, not only to detect threats but also to take action to isolate and neutralize them.
—by Andrew Rafla, principal, Zero Trust offering leader; and Henry Li, advisory specialist leader, Risk & Financial Advisory, both Deloitte & Touche LLP
Editor’s note: Part 2 of this series will help guide CFOs in taking steps to make the transition to Zero Trust.
1. IBM Report: Cost of a Data Breach Hits Record High During Pandemic, PRNewswire, July 28, 2021.
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.
This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication. As used in this document, "Deloitte" and "Deloitte Risk and Financial Advisory" means Deloitte & Touche LLP, which provides audit and risk advisory services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting. Deloitte Risk and Financial Advisory helps organizations effectively navigate business risks and opportunities—from strategic, reputation, and financial risks to operational, cyber, and regulatory risks—to gain competitive advantage. We apply our experience in ongoing business operations and corporate lifecycle events to help clients become stronger and more resilient. Our market-leading teams help clients embrace complexity to accelerate performance, disrupt through innovation, and lead in their industries. Copyright © 2021 Deloitte Development LLC. All rights reserved.