Zero trust is a new approach to network security that aims to eliminate the concept of “trusted” devices, users, or applications. It’s based on the idea that every device or user could be malicious, so it should be assumed that every connection is hostile until it can be proven otherwise.

Zero trust architecture embeds authentication into every aspect of your business infrastructure, so you always know who is accessing what data and when they’re accessing it.

And because you don’t have to make any exceptions or allowances for trusted users—because there aren’t any—you can make sure that your entire enterprise is protected from threats both internal and external.

When we look at 2022 investment priorities for CISOs, zero trust security models have jumped up in the layers of importance and focus.”

We asked some of the world’s foremost security leaders and experts what zero security means to them, and how they are overcoming challenges in implementing it.

 

Authenticating every user through IT architecture

Zero trust is an architecture and design philosophy that shifts the traditional concept of a hardened perimeter and trusted inner network to one where every user, device, and packet of data is evaluated in real-time context before being allowed or denied.

Zero trust is not a single product or category of products, but instead is an implementation of security controls and policy coupled with deep understanding and visibility into the data flowing across all of your systems regardless of their proximity to your internal network.

Migrating to Zero trust architecture is costly and time-consuming, and those costs skyrocket when you do not adequately perform the discovery, inventory, and mapping phases of preparation.

Zero trust is not a single product or category of products, but instead is an implementation of security controls and policy coupled with deep understanding and visibility into the data flowing across all of your systems regardless of their proximity to your internal network.”

 Melissa Bischoping
Director of Endpoint Security Research at Tanium

 

In Zero Trust you focus on taking the power back from those that are attacking your infrastructure and you do so smartly, over time, with a focus on business-related outcomes that are aligned with a well-crafted security strategy.

Zero trust is a strategy, period. This is not a piece of technology that one turns on and is “zero trusty”. There are technologies that can enable a ZT approach but fundamentally this is about removing the capabilities that an adversary needs to be successful following a compromise.

In Zero Trust you focus on taking the power back from those that are attacking your infrastructure and you do so smartly, over time, with a focus on business-related outcomes that are aligned with a well-crafted security strategy.”

 Chase Cunningham
Chief Security Officer at Ericom Software

 

I see Zero trust as the only path forward for IT security because it brings explicit control across all layers of the IT environment.”

Zero trust is a paradigm shift in how we approach security, not just an incremental improvement. There are three changes that happen when you move to zero trust:

  1. Authentication of everything
  2. Policy that assures good behaviour happens and everything else doesn’t
  3. Threat management becomes deeply embedded and real-time.

I see Zero trust as the only path forward for IT security because it brings explicit control across all layers of the IT environment.

 John Roese
Chief Technology Officer at Dell Technologies

 

The endpoint attack vector now moved to homes.”

You have to consider a new paradigm in how you secure that. We accelerated the journey on zero trust architecture very, very quickly and put that in place.

 Sri Shivananda
EVP at CTO PayPal

 

If I boil down what the zero trust aspect is about, it is about reducing the attack surface.”

If you do get attacked, then reduce the blast radius.

 Imtiaz Khan
Chief Information Security Officer at Roads and Maritime Services

 

 

The biggest obstacle to adopting zero trust is that it’s an architecture and all the integration burden is left to the user. “

The way we can accelerate it is by making it a shared responsibility between the industry and customer base.

 John Roese
Chief Technology Officer at Dell Technologies

 

“Zero trust is an aspiration for many organisations.”

They recognise they need to expand security down to the application development layer, but they still spend most of their time defending the perimeter.

 Matt Boon
Senior Research Director at ADAPT

Gaining buy-in to achieve security initiatives for customer trust

Do not jump ahead into “implementing a zero trust solution” if you have not done the critical foundation work of asset inventory and patching hygiene.”

If you get your inventory and patch lifecycle in top shape, your journey to Zero Trust is much easier to build on top.

One of the most important aspects of this is having face-to-face conversations with the business unit owners who use the systems you’re protecting every day. Understand how data moves through their workstream, and how you can clearly define that data flow.

This valuable exercise has two important benefits: you gain actionable insight into exactly what’s needed to enable secure workflows for the business, and you are in a unique position to identify opportunities for efficiency improvements and removing bottlenecks.

Build solid foundations. Do not jump ahead into “implementing a zero trust solution” if you have not done the critical foundation work of asset inventory and patching hygiene. If you get your inventory and patch lifecycle in top shape, your journey to Zero Trust is much easier to build on top.

Taking on a complex roadmap to Zero Trust without addressing the fundamental security principles will amplify the technical debt and reduce your ROI down the road.

Melissa Bischoping
Director of Endpoint Security Research at Tanium

 

“I don’t think we’re going to get to a zero trust architecture, 100% for a while.”

Many of our corporations depend on legacy systems. It’s about appropriately putting the safeguards in place for those.

 Shawn Bowen
VP, of Information Security (CISO) at World Fuel Services

 

For more of the latest ANZ tech market research, benchmarking data, and executive interviews, get them delivered to your inbox fortnightly.

Contributors
Melissa Bischoping Endpoint Security Research Specialist at Tanium
Melissa Bischoping is a passionate security evangelist whose academic & professional background in human psychology and technology align to educate, advocate, and... More

Melissa Bischoping is a passionate security evangelist whose academic & professional background in human psychology and technology align to educate, advocate, and remediate the difficult security problems faced by businesses and individuals.

She currently works as an Endpoint Security Research Specialist at Tanium where she analyzes emerging threats, zero-days, and CVEs to provide subject matter expertise for internal and external customers. Prior to Tanium, she held positions in operations and security across the hospitality, casino gaming, and industrial/manufacturing industries.

Less
Chase Cunningham Chief Security Officer at Ericom Software
I am retired Navy Chief Cryptologist with more than 20 years experience in Cyber Forensic and Analytic Operations and I offer deep... More

I am retired Navy Chief Cryptologist with more than 20 years experience in Cyber Forensic and Analytic Operations and I offer deep technical expertise, advanced education, various certifications and operational experience in this field.

I have an intricate and real world know how gained directly from the realm of cyber operations and forensic analysis. I gained my operations experience by being “on pos” doing cyber forensics, analytics, and offensive and defensive cyber operations while functioning in highly technical and operationally demanding work centers within the NSA, CIA, FBI and other government agencies.

Less
John Roese Global Chief Technology Officer at Dell Technologies
John Roese is President and Chief Technology Officer of Products and Operations at Dell Technologies. In this role, John is responsible for... More

John Roese is President and Chief Technology Officer of Products and Operations at Dell Technologies. In this role, John is responsible for establishing the company’s future-looking technology strategy and fostering innovation to make sure Dell Technologies is at the forefront of the industry with ground-breaking technologies that anticipate customers’ needs across the portfolio.

John joined Dell EMC in the fall of 2012 and was instrumental in shaping Dell EMC’s technology strategy as the company embarked on new growth and leadership across three of the most transformative trends in the history of IT – Cloud, Big Data and Trusted IT.

Prior to joining Dell EMC, John was the CTO, GM, and leader of several technology companies including Nortel, Broadcom, Futurewei, Enterasys, and Cabletron systems. In addition to his roles as CTO, John has been a Chief Marketing Officer and Chief Information Officer in publicly traded companies.

John is a published author and holds more than 20 pending and granted patents in areas such as policy-based networking, location-based services, and security. John has been active in numerous boards, including ATIS, OLPC, Blade Networks, Pingtel, Bering Media, and the Cloud Foundry Foundation.

Less
Sri Shivananda EVP, CTO at PayPal
Sri Shivananda plays a critical role in shaping PayPal’s technology strategy in his role of Executive Vice President, Chief Technology Officer (CTO).... More

Sri Shivananda plays a critical role in shaping PayPal’s technology strategy in his role of Executive Vice President, Chief Technology Officer (CTO).

Sri has driven the transformation of PayPal’s large-scale infrastructure, platforms and applications. As Sri has led PayPal through this transformation, he’s ensured the PayPal platform can grow and integrate with emerging technologies, preparing PayPal for a future of financial services that will increasingly rely on algorithms and anticipating customer needs.

In his role, Sri also oversees Technology Platforms & Experiences, leading a talented team responsible for the company’s secure, reliable, scalable and evolving global infrastructure and strategic core platform, the foundation that enables PayPal to deliver world-class services for PayPal’s consumers and merchants.

Prior to his appointment as EVP and CTO, Sri was CTO and Senior Vice President of Global Platforms and Infrastructure, directing his team of technologists to drive massive growth at scale across a completely disruptive payments platform. Sri was responsible for all core technologies covering PayPal’s data centers, internal private cloud, online and offline data infrastructure, internal developer frameworks and tools, and various platform services.

Before PayPal, Sri was with eBay for more than 15 years, working his way up from a software engineer to Vice President of Global Platform and Infrastructure. As VP, he was responsible for the company’s technology infrastructure that powered the eBay Inc. businesses, including eBay’s hundreds of millions of listings and PayPal’s millions of payments every day. Sri found his way to eBay via the acquisition of Deja.com.

Sri’s passion for technology is echoed by the emphasis he places on supporting his talent. A geek at heart, he is widely recognized as a hands-on executive with a passion for innovation. He is a leader in building high performing teams, mission-driven in his approach of nurturing high potential talent and a champion for women in technology. In addition, Sri serves on the board of F5 networks.

Less
Imtiaz Khan CISO at Roads and Maritime Services
Imtiaz has over ten years’ experience with creating vision, strategy & execution at Tier-1 Financial institutions and large organizations. Prior to joining... More

Imtiaz has over ten years’ experience with creating vision, strategy & execution at Tier-1 Financial institutions and large organizations.

Prior to joining Roads and Maritime Services, Imtiaz was part of security leadership team at Emirates NBD group. Emirates NBD is Dubai’s largest bank & one of the largest multi-national banks in the region.

Imtiaz also held several senior roles at Commonwealth Bank of Australia leading large security portfolios.

Less
Shawn Bowen Global Head of IT Security & Compliance (CISO) at Restaurant Brands International (USA)
RBI is the parent company to Burger King, Popeyes, and Tim Hortons. Shawn is responsible for establishing the strategic direction, instituting comprehensive... More

RBI is the parent company to Burger King, Popeyes, and Tim Hortons. Shawn is responsible for establishing the strategic direction, instituting comprehensive programs, and leading the Global IT Security and Compliance for Corporate, Supply Chain, Restaurant, and Consumer Technology along with building a thorough consumer privacy framework across the parent company and three iconic brands. He will join us for a live video interview and Q&A.

Less
Security Compliance