While zero trust may be ill defined for some in the research community, the concept is helping to translate previously abstract or technical concepts about risk to a new audience, and spurring systemic transformation of security operations across companies in a way that other frameworks or guidance have failed to do.
One example of this is the way Dow Jones Chemical used the coronavirus pandemic as an excuse to fundamentally overhaul its security practices.
Like many large companies in the wake of the coronavirus pandemic, Dow Jones had to adapt to a “new reality” that meant more than simply re-architecting their networks to manage more remote users. It changed what was considered normal within that network, introducing more users overall, more mobile devices popping up on the network, and new cloud applications and IoT devices.
“What zero trust is helping us [to do] is manage the new environment, the new ecosystem we have to support now,” said Mauricio Guerra, Dow Jones Chemical's director of global information security in keynote at the RSA Conference May 18.
Not surprisingly, one of the first priorities Dow Jones focused on was providing employees secure access to the internet and company IT resources while they worked from home. That’s often where most companies start (and a fair amount end) their zero trust journey, but Guerra said they then established a new conditional access and authentication regime for users across the company. They replaced their telecommunications network and built a new software-defined wide area network to handle policy, security and networking functions. The manufacturing company will continue to rely heavily on connected devices, and are also developing security models to manage IoT device security.
While more and more C-Suite executives are embracing the idea, Guerra said these advocates need to go into “selling mode” internally to get similar buy in from their IT and security teams. While zero trust essentially draws from classic, fundamental cybersecurity principles around risk management, it’s a shift from how most corporate IT networks are defended today. That means time before the approach will replace that status quo with processes that treat every device, user and system on a network as if it could be turned against the business at any time.
“We need to convince, we need to engage our IT workforce that this is the way to work, because it’s completely different from what we used to do before, with firewalls that are either on or off,” said Guerra. “Now it’s different. We need to engage our IT workforce and train them to do something different.”