Deep dive with Siemens: Opportunities & challenges presented by Zero Trust

Siemens is one of the first companies to adopt a Zero Trust approach to IT and cyber security. Which opportunities does this present for the security of the Group and for the further development of its products? Can medium-sized companies also use the concept, and what obstacles can they avoid along the way? Our colleague Dr. Jan Ciupka, who is supporting Siemens with the implementation, discussed this with Thomas Müller-Lynch, Global Director Digital Identities for IT at Siemens.

We read and hear about cyberattacks on companies in the media all the time. When it comes to cyber security, Siemens relies on Zero Trust. In what way can the concept provide better protection?

Thomas Müller-Lynch: In the past, we relied on perimeter security just like other companies: employees logged into the intranet and were able to access all information and applications. The intranet acts much like a moat that is there to protect the company. However, if someone from the outside makes it across this frontier, they will have access to everything as well. And once ransomware is on the intranet, it can spread unhindered. With Zero Trust, we check the identity of users and devices with every access attempt. This means that the level of protection offered here is many times higher. Moreover, we are replacing our intranet and are becoming much more flexible, as access no longer depends solely on the network, as was previously the case with the computer in the office.

Dr. Jan Ciupka: That said, the “Zero Trust” approach should not be taken literally. It does not imply that there is “no trust at all,” but means that trust is not given without reason. Every data flow must demonstrate its legitimacy through authentication and authorization. This applies regardless of whether users are accessing an application, whether machines or servers are communicating with each other, or whether services, sensors, or functions are involved. Access is granted dynamically based on an internally defined risk assessment. As well as providing greater security, this also offers other benefits for companies. For example, organizational changes can be implemented more rapidly because the IT environment becomes more flexible, while the accompanying modernization of the IT infrastructure can reduce costs in the long term.

Thomas Müller-Lynch is Global Director Digital Identities for IT at Siemens and is responsible for Zero Trust and digital identities in addition to numerous cyber security & IT infrastructure projects. As a program manager, he was also responsible for the global implementation of Office365 and Microsoft Cloud Security at Siemens. Thomas Müller-Lynch has been shaping the evolution of these topics at Siemens for more than 25 years and reports on them as a speaker at specialist industry conferences.

If Zero Trust offers so many advantages, why haven’t all companies long since adopted it?

Ciupka: Although the concept is not a new one, it has taken some time for the significance of the Zero Trust principle to be internalized by companies and implemented soundly in the first products and solutions. In addition, Zero Trust is an architectural blueprint, not a technology that you can simply introduce or migrate to in the short term. Integrating processes, systems and infrastructure takes time. Furthermore, a number of prerequisites must be met. For example, there must be transparency regarding all physical and virtual assets, processes, and existing IT security measures in the company. In my view, Siemens is already this advanced in this field because the topic of cyber security has long been a high priority here. Investments in this area were made at an early stage, thus paving the way for Zero Trust.

Müller-Lynch: Indeed, we took the first steps in this direction early on. One of the things we did with Comma Soft in 2013 was to start consolidating and modernizing our aging Active Directory to lessen our attack surface. This was followed in 2017 by the introduction of Office 365 and shortly thereafter the “Enhanced Microsoft Security” project. This was the foundation on which we had already implemented Zero Trust for Office 365 at that time, without actually calling it that. This then evolved into the global Zero Trust program for Siemens. That said, if we hadn’t started this journey a few years ago, we wouldn’t have the scalable and secure office landscape we use around the world today, and we’d be in a break-neck scramble to evade cyber-attacks. As I mentioned earlier though, it is an ongoing process rather than a “big bang” for us. On the whole, the aim is for more and more to take place in the cloud, to be further optimized, and for Zero Trust to be implemented in operational technology (OT) as well.

What are the benefits if Zero Trust is also implemented in operational technology?

Müller-Lynch: When people think of cyber security, they usually associate it with attacks by humans. But communication between machines is also relevant. True security requires a holistic approach to identity assurance for users, devices, servers, and apps. Which is why machines in factories are also part of the equation. Here, the problem is that technologies that are more than 15 years old often come up against modern IT. Therefore, in addition to modernizing the IT landscape, it is also important to modernize the operational technology in factories so that Zero Trust can be successfully implemented.

Ciupka: Or a stronger amalgamation of IT and OT solution providers cooperating with each other and adhering to common standards. In any case, the support of a company’s entire IT organization and long-term planning are necessary. The complexity and effort involved can often appear to be an almost insurmountable hurdle, and can therefore act as a deterrent at first. Ultimately though, the company’s complete data can be protected, making the process worthwhile. And in the absence of this data, how is anyone going to make forecasts, automate processes, and implement AI cases? IT security goes hand in hand with this; it creates the secure basis needed for progress and innovation.

Does this not raise the question of whether companies are overstretching themselves with such a project? Especially with a view to medium-sized businesses?

Müller-Lynch: It is clear that a corporation like Siemens has a very different capacity profile than a medium-sized company. But we have support, too: Hyperscalers like Microsoft and Zscaler develop solutions that we use, to name a couple of examples. Admittedly, we also have to make adjustments here. A fledgling product may already work for 300 users, but we have thousands of times that number. If a solution is not yet business-ready, it needs to be developed further before we can use it. Here, we call on further support from partners such as Comma Soft.

Ciupka: Yes, this is where my colleagues and I gladly come in and find ways of developing technologies further and adapting them to suit individual demands. But if you take this example, it also means that there are modern solutions that can work in the medium-sized business sector and that medium-sized businesses can benefit from experience in the corporate environment. And: what I can scale up, I can of course also scale down.

It’s also important to keep in mind that while Zero Trust is a lengthy journey, successes do not just become apparent at the end of the process. MVPs enable rapid effectiveness and operationalization. Additionally, strategic interim goals help to keep an eye on profitability, which plays a major role in security projects in particular. These can be used as indicators of improvements in the areas of security, identity & access management, monitoring and authentication, even if the switch to Zero Trust has not yet been made in all areas. Ultimately, it is the many small steps that bring a company forward in the long term.

Which further insights are there from which other companies can benefit?

Müller-Lynch: Do not take on too much at once. It is better to proceed in small steps. This requires patience, of course, but in the end leads to a more solid result across the company. So first consider the scope and see at which point what should be introduced or modernized first. Along the lines of the motto “Think big, start small.” Additionally, from my point of view, it’s important not to rely on just one provider or partner. There is no such thing as a one-size-fits-all license; companies and even the “Zero Trust” endeavor are too individual for that. And last but not least, a partner with experience in technology, the architecture, and custom implementation is a helpful asset. After all, Zero Trust and cyber security as a whole should always be introduced and pursued on an individual basis.

Would you like to learn more about how Siemens and other companies are tackling the issues of Zero Trust and cyber security, or would you like support in implementing them yourself? Please feel free to contact Dr. Jan Ciupka and his colleagues.