Expert Talk: “Successful zero trust strategies rely on pragmatism!”

Jan, speaking from your experience as a consultant, what is the current situation regarding data security in German companies?

A glance at the recent past reveals that things don’t look particularly rosy at first. Even large corporations have virtually no way of preventing hackers from penetrating their corporate networks. The coronavirus crisis further exacerbated the situation: companies are now much more vulnerable to attack as a result of employees working from home more. Hackers take the data on affected computers and servers hostage with ransomware and demand ransoms of millions of euros for their release. And that doesn’t just apply to the big players. Medium-sized companies are also increasingly being affected. According to Bitkom, 86% of companies in Germany have already suffered damage from cyberattacks. Urgent action is called for!

What can companies do to protect their data?

The greatest risk to IT security is the human factor: weak passwords, opening email attachments or using public internet access – especially now with so much working from home – cause security incidents. This means that, on the one hand, employee-centric measures are needed to improve safety awareness. On the other hand, a company can make it easier for its employees to comply with IT security if it implements an end-to-end security concept that is also user focused.

What does this kind of end-to-end, user-focused security concept look like?

Attacks on companies come in many forms and can strike at virtually any point in the IT infrastructure, whether it be in the company’s own data center, in the cloud, or in somebody’s home office. It is therefore important to minimize the overall attack surface, without compromising the company’s ability to operate. This is precisely where an IT security strategy based on the principle of zero trust can help.

What does zero trust mean in a corporate context?

Zero trust means that trust, for instance in the corporate network, is not granted without good reason, but rather that each access and data flow is always authorized individually. Irrespective of the corporate network, “assume compromised” must be the default assumption. We have to move away from the idea of a secure network. In the Covid pandemic, we saw that working from home was not only new organizational territory for many companies, but also required new strategies for securing access to company assets for employees. However, advancing digitization and the use of cloud services also require further safeguards against attackers. Using zero trust as a security strategy helps to strengthen the resilience of the IT infrastructure, thereby reducing the risk and impact of security breaches and the loss of business-critical data.

One of the great strengths of zero trust is also its capacity to adapt to changes in corporate structures and working practices. This ranges from the transition to remote work to, for example, carve-out projects. In the past, something like this could only be realized by investing a lot of resources. With zero trust, companies can implement the associated structural changes more quickly and more cost-effectively, especially with a cloud-based platform. However, the entire structure of a company benefits too, for instance through reduced complexity, a better user experience, and improved opportunities for collaboration.

If zero trust delivers so much more security and other benefits, why hasn’t every company implemented this concept by now?

The introduction of zero trust requires the support of the entire IT organization of a company and always entails a balancing act, e.g., between usability and security. This complexity and the required use of resources initially appear to many companies as an almost insurmountable hurdle. Furthermore, a security breach is often an abstract threat that, in many cases, only comes to the fore when it actually happens. However, this is like any other investment: the initial injection pays off in the long term, and with the right strategy even in the short term. It is important that companies approach such a project from a strategic point of view. A neutral external view of the IT landscape that has evolved over the years and grown close to the hearts of many employees can be helpful. At Comma Soft, we adopt this neutral position as a trusted advisor and help companies obtain an overview of all the necessary measures, prioritize the next steps and implement them in practice.

How exactly do you go about helping a company with zero trust? What are the first steps?

Particularly for a program of this scope, we first address the strategic considerations in conjunction with the company and define them in such a way that they are aligned with the overarching corporate goals. This is because the solutions that deliver value and security adapt to the needs of the business, not the other way around. Alongside this, we work together to define the basic approach. This depends on the particular character of the company. It is easier for a service company with a large number of office workstations to implement zero trust concepts than for a manufacturing company with a lot of operational technology – this has to be approached in a completely different way.

We then take a step-by-step approach to the rollout: we identify all the people involved and which IT assets are affected, as well as key processes and any risks. This is followed by defining interim goals and initial solutions that can be achieved pragmatically. By way of example, this can entail removing office workers from the corporate network and introducing (risk-based) conditional access as a first step. Further measures are then rolled out and optimized until the desired zero trust architecture has been established. Of course, this is always done with a view to achieving an appropriate balance between security, costs and benefits. This approach means that initial successes are quickly visible, and the effort involved remains manageable.

What changes does zero trust bring for a company’s employees and how can these changes be made palatable to them?

Establishing a zero trust architecture requires the cooperation of many departments and the people who work there. Just by involving them from the beginning, we create transparency and understanding for the importance of the measures being introduced. Employees who are directly involved in the zero trust project often have a multiplier effect and can communicate the topic well within the organization. In addition to the technology, the mindset of the employees will also undergo an overall change towards a security-minded company. Here’s a simple example: when they see a suspicious http link, they are skeptical, don’t click on it and inform the IT department, which checks it. This is why we at Comma Soft always have adoption and change management specialists who guide the change and help companies create acceptance for a project.

If you are interested in learning more about zero trust, please contact Dr. Jan Ciupka directly.