In this episode of the CIONET Trailblazer, we meet Jelle Schroven, Regional Director Belux at Zscaler. Together, we delve into how Zero Trust, traditionally a security framework, is evolving into a crucial enabler for business transformation. This discussion not only focuses on Zscaler's implementation but also on the broader application and impact of Zero Trust in the industry.
Zero Trust becomes a business enabler
Business success has never been as closely linked to IT as in these past few years of digital transformation. With users, applications and devices now located in distributed environments, Zero Trust has taken on a key role far beyond security. Providing visibility into all of an organisation's data streams is key and artificial intelligence (AI) helps to not only secure users and assets – it also serves as a sound foundation for business decisions.
Companies are constantly developing and moving forward. What role does Zero Trust play in this?
Zero Trust helps organisations to transform securely. One of the key elements of introducing a zero-trust architecture is to gain visibility and context across all data streams. When a security platform sits between the user and application access, it provides a lot of valuable information. Not only does it ensure connections are secure, but it also gives organisations insights into the quality of those connections and their application landscape. Hence organisations can leverage a wealth of additional data to gain visibility into any potential security issues – and as a basis for business decisions. For example, if you can see who and what has accessed a critical application, you can track who the authorised users or devices are, and you can question these access rights or take steps to improve the connectivity.
What are the security requirements your customers have today?
Businesses have realised that a transition strategy of simply updating their existing security solutions will no longer suffice. Instead, they are looking for help with holistically adapting their infrastructure to support their digital transformation. Because users are increasingly mobile and applications reside in hybrid cloud-based and data centre environments, you need a high-performance solution for securing data streams beyond the network: not only securing users but also workloads and device-to-device communication such as in IoT or OT environments. To increase resilience and reduce complexity, all stakeholders would prefer to see fewer providers involved when it comes to security.
How can organisations implement such a one-stop shop and what are the benefits?
The future of IT security will need to not only secure existing data flows in all directions but also continuously question and improve an organisation’s security posture. Artificial intelligence will help to analyse a wide range of data sources to provide recommendations on how risks can be actively mitigated. A holistic view of the threat landscape, and existing security policies and configurations all help to identify security gaps – such as overprivileged access permissions to sensitive applications and data.
For example, a highly integrated platform that evaluates data with the help of AI can deliver actionable recommendations through a single user interface. The time-consuming effort of manually correlating different point solutions then becomes a thing of the past. IT teams can achieve their goal of improving their organisation’s security much faster and with less effort, because tools not only have to be purchased, but they must also be used correctly.
How does Zero Trust contribute to better security?
The organisation’s attack surface is reduced both internally and externally through segmentation, following the principle of least privilege. Each user/device is only granted access to the resources they need. This concept is, of course, nothing new, but it has previously been very difficult to implement using conventional methods. However, even if you have segmented application access based on least privilege, it is still important to think one step further. How can you detect an attacker impersonating a verified user? Deception technologies help to uncover malicious activity within the IT environment.
What else should organisations consider when it comes to cloud environments? Are businesses too careless about security?
For the security of an organisation, it is vital to have insights into all data streams. Security teams can only detect hidden threats if they have the ability to monitor all communication channels. If there are gaps in monitoring, companies can be blind to malicious code. You have to consolidate not just the network but your entire infrastructure, including the cloud, under the protective umbrella of Zero Trust in order to enhance security. The cloud has enormous potential for making organisations more secure and even accelerating processes, for example, with regard to “Infrastructure as Code” as part of DevSecOps.
Can you explain to us how Zero Trust is also a business enabler and can deliver added value beyond security?
There are various things that do not matter anymore with Zero Trust, e.g. which device is used (whether it is company-owned or BYOD) or the question of connectivity. You can connect a location and its devices without adding a lot of infrastructure, via 5G for instance. When Zero Trust principles are applied in cloud deployments, organisations switch to a kind of turbo mode. Security and applications can be rolled out more quickly, and there are broader benefits to be had.
To add another example, take a company acquisition. Speed is of the essence when it comes to realising ROI. With Zero Trust, IT teams can give users authorised access to the other company's applications within days. The question then is whether you still need to completely integrate the acquired organisation, potentially eliminating the complex and risky task of merging entire networks – a task that tends to take several months. In this example, security and business requirements go hand in hand.
One final question: In your opinion, has AI become an integral part of security?
Organisations today must employ artificial intelligence to gain a speed advantage. We know only too well that attackers use these modern technologies, too – so businesses should evaluate solutions that enable them to react quickly and take preventative action. Modern security can no longer function without AI; it is the only way to automate processes and reduce the complexity of security infrastructures that have evolved over time. AI can play to its strengths in risk mitigation in particular.