How to Establish an Effective Zero Trust Strategy

Jens Koegler Civilian Government

Originally posted on http://www.vmware.com by Lori Pierson

Security breaches have become the norm within IT business. If it’s not malicious code buried in software or ransomware attacks, it’s simply people making mistakes. Breaches are costing organizations significant dollars and threatening the security of our digital systems. Those digital systems are used to safeguard our medical history, provide critical infrastructure, and ultimately are used to make life and death decisions in protecting our borders. These systems are at serious risk from entities that are focused on nefarious deeds.

The latest statistics indicate that data breaches cost organizations on average $3.9M. The more chilling fact is that the attack surfaces are increasing exponentially with remote work becoming more accepted and recognized, individuals using multiple devices to access company information, and connected devices expanding. Industry guidelines indicate by 2023 there will be over 500 million digital applications and services deployed in cloud environments, all providing a possible opening for malicious actors to gain access to our systems.

The topic of security within the industry has become such a concern to all aspects of our connected life that the President issued an Executive Order (EO) to improve and protect the nation’s cybersecurity and federal government networks. The EO outlined very ambitious steps for the federal government to embark in moving towards a modernized security model. The cornerstone of this modernization in security is based on a Zero Trust architecture. To learn more, please review this blog post: Achieving Cyber Vigilance with Zero Trust | VMware Security Blog.

Federal agencies have been given an order to move towards a Zero Trust architecture. Vendors are quick to sell organizations a simple solution that provides the fix to all their security needs – but it’s not that easy.  Zero Trust is an organizational initiative that requires a team sport mindset to be successful.  The team includes End User Services, Networking, Operations, Application Developers and, not to be left out, the Security Team. It needs to address each and every facet of an IT environment, from the devices and access through the network, to the applications and data, regardless of where it is operating. Each of these teams likely already has some type of security product(s) operating today. On average there are 75 security products operating in an organization today, all working to solve the threat of a security breach. Each of these products has its own agents, sensors, and policies collecting overlapping data and “trust” authentication. A Zero Trust architecture must, not only modernize, but consolidate controls and provide that single source of “trust”.

When it comes to implementing a Zero Trust architecture, it’s not a one-size fits all, nor is it one piece of software that addresses the requirements. It is important to understand your existing IT architecture (to include identity management), know your applications and infrastructure, understand context, and assess organizational culture changes needed to effectively implement a Zero Trust architecture. Seeing an alert for an IP address isn’t helpful, especially in the cloud. But seeing an alert for an application server providing city water services to citizens that was just changed is very helpful. It is also necessary to detect anomalous behavior and steps in place to minimize impact. The goal is to achieve a higher level of cybersecurity readiness in an effort to thwart malicious activity.

Most organizations have begun a Zero Trust journey, whether knowingly or not. It’s not a single product or a discrete recipe for Zero Trust. It’s an ongoing journey within your systems and, just as importantly, within your organization. You need a software provider that can enable Zero Trust where you need it, leveraging your existing investments and applying the Zero Trust concept to systems within your environment across clouds, edge, user, and endpoints, without unnecessary policy and technology friction. You also need a partner that has done it before.

In 2015, VMware started on its Zero Trust journey. Like most large enterprises, there were multiple teams involved, each with their responsibilities and autonomous decision making. In 2017, VMware had made progress by micro-segmenting several already deployed applications within its datacenter, but was looking for an opportunity to accelerate its Zero Trust efforts and drive towards making micro-segmentation the new normal in the data center. Read the blog post:  How VMware IT Achieved Zero Trust in the Data Center. What better confidence builder is available than working with an organization that has gone on a Zero Trust journey and continuously built towards a mature Zero Trust architecture (organizationally and architecturally)?

Security breaches are here to stay. If it hasn’t happened in your organization yet, it will. In most cases you are reacting to the situation instead of being proactive and establishing the mind-set for security with Zero Trust. You need to have the confidence in your architecture, your software products, and your team that you have done all that you can to reach a mature Zero Trust architecture. VMware has solutions to meet clients’ Zero Trust requirements from the edge, to the cloud, and everything in between that work in connected use cases.

Jens Koegler

Jens Koegler is VMware's Healthcare Industry Director in EMEA. He is helping our healthcare customers develop and run modern applications to drive innovation and ensure better patient care through a digital foundation that includes data center, hybrid cloud, mobile, networking and security technologies. VMware plays a strategic role in the healthcare industry. Its leading innovations in enterprise software help ensure consistent patient care and reduce IT access time for healthcare professionals so they can spend more time with their patients. Jens plays a key role in helping customers understand how new applications, devices, the latest IT technologies and digital transformation are driving innovation in healthcare.