Security news that informs and inspires

Zero Trust and Digital Transformation

By

Digital transformation is high on every CEO’s agenda.

Digital transformation would allow the company to adjust quickly to changes and improve their ability to respond to customer demands. It will also encourage an ecosystem where partners and suppliers can collaborate. There is a belief that not adapting to the new technology-driven world means the business will eventually fail.

The technology trends driving digital transformation are all-too-familiar. IoT will be ubiquitous and not restricted to industrial systems. BYOD and user mobility may be well-established, but they will become more widespread as people change how they work and the use of widely spread ecosystems become the norm. And of course, cloud will dominate. Why build your own data centre? It won’t make sense.

I hesitate to think of the state of their firewall rules.

There is a lot of extant technology that needs to be moved into the new world. The choices are to consolidate applications or retire existing applications in favor of new cloud-based versions.

This will not be as easy as it seems. IT transformation never is.

I recall one organisation which calculated that it had a total of 600 enterprise applications across the business before beginning the cloud migration. A year later, only eight of those applications had been successfully moved to the cloud. I hesitate to think of the state of their firewall rules.

Decisions need to be made to consolidate applications or retire current ones in favor of new cloud-based entrants.

Where does cyber resilience fit in with digital transformation? The enterprise still needs to ensure it is in a position to both mitigate risks arising from the change and benefit from new opportunities. This will mean keeping the business running, changing and agile whilst maintaining security and reacting to the inevitable compromise.

Transformation is never as easy as it seems.

The first step is to ensure that there is a framework for senior management--such as the guidelines set by the World Economic Forum--to assess the risks of emerging technology. These rules address the enterprise at a design level and across the ecosystem.

  1. Awareness of technology risk
  2. Resilience by design
  3. Acceptable level of security
  4. Vendor cyber risk management
  5. Lifecycle security management
  6. Data Privacy
  7. Ethical considerations
  8. Continuous improvement of controls
  9. Ability to adapt to change

These guidelines provide enterprises with a governance structure required to oversee the fluidity of digital transformation initiatives. They address the enterprise at a design level, across the ecosystem, and incorporate the ability to change and adapt.

When looking at core operational steps to be taken to provide cyber resilience, the Boston Consulting Group recommends thinking carefully about the design, implementation, and configuration of your company’s technology system—especially access rights.

This includes role-based access management to keep users away from applications and data they don’t need to use, and control over those with higher level privileged access. This may sound like common sense. However, it is often a failing in enterprise organisations where the JML (Joiners, Movers, Leavers) process lags behind reality.

This will not be as easy as it seems. IT transformation never is.

Zero Trust is a step in the right direction as it addresses the guidelines for emerging risk and follows key operational steps. Zero Trust gives enterprises the ability to assure identity, assess the end point, and control user access to application and data through a central set of policies. It will support the enterprise as it starts the long haul of migrating to the cloud— when core applications have to access non-heterogeneous environments. It will reduce the vulnerability to attack from accounts with compromised passwords or a less than efficient JML process.

But perhaps one overriding benefit of Zero Trust for the CIO would be the removal of a security block in the path to transformation. To be able to roll out or implement a new application with clearly understood risk controls in place in a timely fashion will be invaluable. It reduces the risk of project overruns with all the embarrassment and cost that produces.