Imagine a world where you can buy a single tool that can solve multiple security use cases, decrease tech debt and provide business value. The answer is “YES,” there is a magical tool that can do this, and it is called SASE (Secure Access Service Edge). Before I talk about my team’s journey into Zero Trust, let’s explore a few common problems you may be looking to solve with your Zero Trust project: how to secure the “work from anywhere” workforce, improve user experience with remote access, consolidate point product security solutions and lower tech debt.
Today’s hybrid work environment is challenging how companies can secure their workforce, with employees accessing business resources from anywhere. It is absolutely crucial to secure the remote workforce, so they have ease of access while providing the same security posture regardless of where they are connecting from. Relying solely on legacy VPN technology tied to physical datacenters requires companies to backhaul their end-user traffic on premises. This offers employees a less than ideal network connection experience, so why not point them directly to the cloud and improve their accessibility? Most organizations maintain a large collection of point products which require consolidation, so why not bring them together in a cloud-native solution and decommission legacy on-prem security solutions?
The technology to solve these and many other challenges is SASE. SASE is the convergence of Security as a service and Network as a service in a cloud-native security stack. The capabilities depend on the solution provider and include, but are not limited to, web filtering, threat protection, sandboxing, firewalling, CASB (Cloud access security broker), UEBA (User and entity behavior analytics), FWaaS (Firewall as a service) and ZTNA (Zero trust network access). This technology is quite costly due to the many use cases it can solve and the fact that it does not require any hardware to rack, stack and configure.
How do you proceed from here? This may sound great from a security perspective, but how can you obtain funding for this project from the C-suite? The first step is to build your business case to include the value the solution provides and the business outcomes it improves. There are multiple dimensions to this, so I’ll do my best to simplify the approach. First and foremost, this technology can replace legacy firewalls, VPNs and SDWAN (software defined wide area networking), so I’d recommend building an inventory of what can be replaced and how much these devices cost to own, manage and maintain. This should be part of your cost justification for the purchase. It should be noted that savings on the project will take time, and you should allow for a three-to-five-year timeline when projecting estimates for cost savings. Second, SASE enhances productivity and the user experience with improvements to remote access: faster connection speeds, less latency and reduced time to authenticate/MFA. These improvements will also reduce your IT helpdesk calls and support volume, which is a real cost saving to consider in your business case. The last part of your business case, and the hardest to calculate, is the reduction in risk that this advanced security will provide the organization in defending against ransomware, phishing and data exfiltration/compromise. When you have finalized your business case reflecting business outcomes and value to the organization, you are ready to socialize it with your Executive teams to obtain alignment on your approach and buy-in for your solution!
Now that you have the business buy-in, let’s discuss how to implement SASE.
It is important to have a dedicated tiger team to work on this major change initiative, which will require a significant time commitment. You’ll also want to engage your shared services teams (Networking, Engineering, Infrastructure) as they are critical to the integration and project outcome. Since the security features and benefits are typically of less importance for employees, your next challenge will be convincing them to activate SASE when deployed to their devices. An effective approach when marketing to your employees is to rebrand the solution, deemphasizing the technology used. Rebranding upfront offers you the flexibility to seamlessly replace the technology in the future and eliminates the need to rebrand your documentation and marketing materials, i.e., Executive presentations.

If you are in a large organization with many products and business units, you will want to take a strategic phased approach for your deployment. Start with your IT organization and perform phased pilots to work out any issues that may occur. After each pilot, leverage employee feedback surveys so you can understand pain points and how you can iterate and improve with future planned deployments. It is vital to meet with your IT stakeholders from each business unit prior to deployment. This first step is key to understanding access requirements specific to their users so you can build out Zero Trust access policies and only provide employees with the access that is needed to perform their work. You should build access policies slightly more permissive on a business unit-by-business unit basis and create one policy for technical users and one policy for business users. When the access policies meet your users’ requirements, you can slowly enforce additional security controls around their access and threat protection features.

As you communicate to your employees to enroll in the solution, you should be transparent about what you will and will not be monitoring. This is an area of concern for many employees who may perceive this as a tool monitoring their internet activity.
And finally, you should create KPIs to show the value of the solution to your Executive team as you deploy it, to maintain their buy-in. Some of the key metrics and outcomes that show value are number of advanced threats blocked, number of applications securely accessed, decommissioning of legacy equipment with cost savings, reduction of helpdesk calls to re-image or password reset, etc. Keep in mind, a Zero Trust implementation is a journey and not a destination. It will take time, effort and resources. The steps I’ve outlined above will lay the foundation for a successful deployment of your Zero Trust project to add security value and enable the business.