When Sport Integrity Australia (and its predecessor operations) transformed to run entirely in the cloud, it adopted a Zero Trust architecture “right across the environment”.
The project finished in December last year, coinciding with CIO and CSO Andrew Collins’ departure from the organisation.
But, as he told an Australian CISO Confluence event late last year, he barely mentioned Zero Trust at all to anyone at the organisation in the entire two years of the project’s existence.
“I’ve only just started after two years talking about Zero Trust, and the reason I did that is it’s largely irrelevant to people,” Collins said.
“They don’t need to know the ins and outs.
“From a user’s perspective - which was the focus of the conversation - they have multiple stages of login, and we pointed out that’s based on conditions which is defined by your login risk, defined by an AI at login and when you’re accessing any resource in the environment, so you may be asked to log in again if you’re accessing something of a more sensitive nature.
“Staff were happy with that conversation because they could understand why we were doing it. It wasn’t actually a security conversation, it was a privacy conversation.”
Collins said he only started talking about Zero Trust to put a name to what IT had spent the past couple of years implementing.
The story is somewhat symptomatic of discussions around Zero Trust. It means different things to different people, but it also means little to many of them.
“I like the term because it’s useful to get everybody on the same page, and I also hate the term because it’s vague,” said Neil MacDonald, a vice president, distinguished analyst and Gartner Fellow emeritus in Gartner Research.
“The phrase ‘Zero Trust’ is like the word ‘cloud’, [in that] I think it helps get everybody on the same page.
“It’s great to get the conversation started - but you then need more context in order to understand what the problem is and what the solution might be and how we can go about putting in specific projects with specific timeframes to adopt this mindset.
“You need more words around it for clarity.”
Defining Zero Trust
Zero Trust is often boiled down to ‘never trust, always verify’. “Regardless of your network location, a zero trust approach to cybersecurity will always respond with, ‘I have zero trust in you! I need to verify you first before I can trust you and grant access to the resource you want’,” writes the US National Institute of Standards and Technology (NIST).
MacDonald views Zero Trust as a security mindset.
“It’s a way of thinking that tries to eliminate implicit trust throughout IT infrastructure, and replace it with adaptive trust - explicitly calculated, just in time, just enough, adaptive trust,” he said.
“Then what organisations do is take this mindset and start to make it real, so they develop a Zero Trust strategy or a roadmap which [comprises] ... specific Zero Trust initiatives and projects.”
These projects typically run across areas such as Zero Trust Network Access (ZTNA), describing remote access solutions; Zero Trust Data Protection for policy-based data access; or Zero Trust Network Segmentation to reduce the network attack surface.
“The additional words add clarity” to the umbrella term of ‘Zero Trust’, MacDonald notes.
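The access model Collins describes above (further login stages driven by login risk and the sensitivity of the resource being accessed) and MacDonald's "just in time, just enough" adaptive trust, as an added toy example; this is not code from Sport Integrity Australia, Gartner or anyone quoted in this article, and the resource labels, risk tiers and authentication levels are assumptions.

```python
# Added illustration (not SIA's or Gartner's code); resource labels, risk tiers and auth levels are assumed.
from dataclasses import dataclass, replace
from enum import Enum

class Decision(str, Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # require a further login stage before access
    DENY = "deny"

# Assumed sensitivity tiers (1 = routine, 3 = most sensitive); constructed labels.
RESOURCE_SENSITIVITY = {"intranet": 1, "case-files": 2, "athlete-samples": 3}
# Assumed risk tiers as a login risk engine might emit them (plain input here).
RISK_PENALTY = {"low": 0, "medium": 1, "high": 2}
MAX_AUTH_LEVEL = 3  # 1 = password, 2 = MFA, 3 = phishing-resistant factor (assumed)

@dataclass(frozen=True)
class Session:
    user: str
    auth_level: int        # strongest authentication this session has completed
    login_risk: str        # "low" | "medium" | "high"
    device_compliant: bool

def required_level(resource: str, session: Session) -> int:
    # Sensitivity plus login risk decides how strongly the session must be authenticated.
    return min(MAX_AUTH_LEVEL, RESOURCE_SENSITIVITY[resource] + RISK_PENALTY[session.login_risk])

def decide(session: Session, resource: str) -> Decision:
    # Evaluated on every resource access, not once at login: no implicit trust.
    if resource not in RESOURCE_SENSITIVITY:
        return Decision.DENY  # default deny: an unlabelled resource grants nothing
    if session.login_risk == "high" and not session.device_compliant:
        return Decision.DENY  # risky login from an unmanaged device: no step-up offered
    if session.auth_level >= required_level(resource, session):
        return Decision.ALLOW
    return Decision.STEP_UP  # "just enough" trust: ask for one more login stage

def complete_step_up(session: Session) -> Session:
    # Models the user passing the extra login stage; trust is raised, never assumed.
    return replace(session, auth_level=min(MAX_AUTH_LEVEL, session.auth_level + 1))

def access_sequence(session: Session, resources: list[str]) -> list[str]:
    # Walk a user's day: each request is re-assessed against the current session.
    outcomes = []
    for res in resources:
        d = decide(session, res)
        stepped = d is Decision.STEP_UP
        if stepped:
            session = complete_step_up(session)
            d = decide(session, res)  # re-evaluate with the stronger session
        outcomes.append(f"{res}:{'step_up>' if stepped else ''}{d.value}")
    return outcomes
```

The same password-only session passes the intranet unchallenged but is asked to authenticate again before the more sensitive resources, and a high-risk login from a non-compliant device is refused outright rather than offered a step-up.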
For health insurer Bupa’s head of security platform Michael Kamar, Zero Trust is the embodiment of a decade of security technology and developments.
“It’s really just gaining traction in terms of industry speak and how it’s presented all the time, [but] it’s using existing technology companies might have or existing processes and taking a holistic view [across them],” Kamar told an FST Media security webinar.
This could feasibly span technology areas such as identity and access, remote access, network security and data security, where the organisation has existing systems and processes in place.
“You’re already doing some form of one of the Zero Trust pillars, be it network segregation, some sort of identity and access, single sign-on, whatever it is,” Kamar counsels.
“Work out the existing roadmap in that, and then come up with your broader Zero Trust strategy, linking all that [together] ... in your roadmap.”
Zero Trust architectures have fresh momentum post-Covid, since they potentially offer organisations a way to secure access to corporate resources when staff are working remotely - from home or anywhere else they happen to be.
The idea is to ensure the “right people have the right level of access, to the right resources, in the right context, and that access is assessed continuously - all without adding friction for the user.”
Simplicity from an end user’s perspective is key.
“The whole concept of Zero Trust is about making it simple for users, so regardless of what device you’re using, regardless of where you’re located, you’ve got the security that you want, you can do your job, you can get access to the applications that you want,” ResMed’s director of information security Rassoul Ghaznavi Zadeh told the Australian CISO Confluence event.
User base embrace
In addition to Sport Integrity Australia, iTnews has uncovered active initiatives at the likes of Woodside Energy, NAB, Lendlease, Beach Energy, ResMed, the University of Queensland, Fire and Rescue NSW and Horizon Power.
Many additional large organisations are known to be in the space but would not confirm the presence of active projects for this report series.
Over the next few weeks, iTnews will explore some of these specific embraces of Zero Trust in more detail.
Horizon Power’s cyber and information security officer Dune Sookloll told a recent webinar that she believed “most organisations have moved to that Zero Trust approach where you no longer trust anyone within your network or who has access within your network.”
“The 2020 Verizon data breach report said that 80 percent of hacking-related breaches involve compromised or weak credentials, and 29 percent of those breaches, regardless of the type of attack, involved the use of stolen credentials.
“It was critical for us to review the user identities within our organisation, both IT and OT [operational technology], and make sure that they are authenticated to a high degree of assurance, and also make sure that they only have access to the systems or services to help perform their jobs in an efficient and effective manner.”
The University of Queensland adopted some tenets of the Zero Trust philosophy as part of an ongoing security improvements program of work.
“As a principle to what we work to in terms of infrastructure and security, it's definitely the path we'll keep on traveling down,” information technology services (ITS) deputy director Dr David Stockdale said.
“It's all well and good for you to tell me you are [X], but we need to prove it and ensure we understand what you're doing, and that we allow you to do the things that you need to do as effectively as possible and as quickly as possible, but stop you from doing things you can't do.”
“I think Zero Trust is a philosophy which we will work to - and in all of our projects we think about it with Zero Trust in mind.”
ResMed’s Zadeh sees Zero Trust as “the new normal” for security professionals.
Collins goes further, describing it “as mandatory in the modern world.”
“If you look at Sport Integrity, we’re connected to partners all over the world,” he said.
“I’ve lost count of the number of partnerships that we have where we’re actively sharing information to basically operate, and that would be true of the vast majority of modern organisations.
“To me Zero Trust is mandatory around doing your best effort around securing that sort of environment.
“Anything else is probably negligent.”
Stay tuned to iTnews for the next installment in this series on Thursday August 19.