Zero Trust
WhY Zero Trust?
Changes in the way organisations engage with technology have moved data outside the protection of traditional security controls, in some cases rendering them powerless to protect. Sekuro’s Zero Trust Strategy allows organisations to address this by modernising their approach to security and allowing their business to digitally transform securely.
What is Zero Trust?
It’s more than that though, Zero Trust is a fundamentally modern approach to security that organisations need to take now in order to match the modern approach they’ve taken to technology, which has transformed their threat landscape significantly.
IBM reports that the average cost of a data breach was $4.35 million in 2022, increasing year on year, and showing no signs of slowing down. In addition, organisations have transformed their technology program with the rise of remote work, cloud migration, and SaaS applications and services to enable unparalleled productivity. During this process risk exposure has come as a side effect. Their security program is often not compatible with this new approach to technology and architecture and is trying to play catch up. In fact, according to Avast, 59% of IT leaders said it was difficult to keep up with securing employee devices while working remotely.
Organisations are finding that their existing perimeter-centric controls no longer work, or are major productivity dampeners. However, it’s not just remote workers. All businesses are now recognising that their data, critical business applications and infrastructure also now exist in multiple areas outside the four walls of their organisation. This leads to the need to protect data, networks, users, and devices outside and inside the perimeter equally.
What is the solution to allow our businesses to continue innovating, without the added risk? This is where Zero Trust is gaining strong traction. Zero Trust is a modern approach to security that can address the modern threat landscape whilst supporting an organisation’s digital transformation and without hindering innovation.
The benefits of Zero Trust
Address the Modern Threat Landscape
Today, companies are using modern environments, platforms and technologies to drive productivity through greater flexibility and agility. With this comes increased cyber risk. With these forward-thinking Zero Trust principles, Zero Trust methodology and Zero Trust architecture, your cyber security program can address the modern threat landscape.
Defence Outside the Perimeter
In the past, we placed far too much emphasis on perimeter security controls and treated our organisations like an isolated castle with strong walls around it. This legacy approach to security worked acceptably in the past but is now less effective, since our data, users, devices and systems are frequently not within the four walls of our organisation, often rendering our previous controls powerless. A modern, Zero Trust aligned strategy can ensure security follows the user, device, data, and other assets wherever they reside.
Defence Within the Perimeter
Although many assets now exist outside our perimeter, we must never forget our internal assets that still continue to exist. Years ago, we placed far too much trust inside our internal network due to the secure external perimeter and ‘limited access bridges’ for access into our castle. Now that more bridges exist than ever before, we must move away from assumed trust inside our internal network, as it leaves our organisation fully exposed once an asset is compromised. A Zero Trust Strategy can carefully segment access within your open network beyond just IP addresses and ports, severely limiting the blast radius of an incident.
Secure Digital Transformation
The majority of organisations are embarking on their digital transformation with the use of modern technologies (Cloud, SaaS, productivity applications, and more), but their cyber security program often isn’t ready for it. Contrary to common pitfalls of a cyber security uplift program, a properly designed and implemented Zero Trust strategy will allow the business to continue innovating securely, without stifling progress, and without compromising speed or usability.
Removing the fork between security and business enablement
Any elements of Zero Trust can be used to improve user experience and security simultaneously - a combination difficult to achieve in the past. With all the additional context Zero Trust provides, we can say “Yes” to the business more often, without the added risk. Zero Trust will allow your security program to go from the oppressor to the protector.
Lee's Zero Trust 'TL;DR'
How CBHS improved its cyber health with Sekuro's Zero Trust strategy
At CBHS, protecting members’ highly sensitive and confidential health insurance data is paramount. CBHS undertook a journey toward implementing a wide range of modern security controls and processes and realised there were opportunities for improvement.
“Some of the existing controls and processes either created a lot of overheads or had the effect of becoming a barrier to business productivity, for example, when we needed to do manual security reviews of cloud apps or desktop applications before they could be used by the business.” – Nathan Hunter, IT Security and Operations Manager, CBHS
CBHS wanted a framework that balanced a best class security strategy with the need to help staff feel enabled, rather than obstructed, and to do their jobs effectively.
Always striving to be progressive with technology and policy, Nathan Hunter and his team at CBHS felt a “Zero Trust” approach would streamline processes and controls to enable the business and improve the overall security posture.
Sekuro’s work with CBHS identified gaps in its existing security strategy. Sekuro implemented Zero Trust improvements to give CBHS better visibility of security threats and greater agility in achieving its business goals while remaining secure.
“Now, we have identified the technologies and processes that are going to enable us to adopt a Zero Trust strategy across our entire organisation,” Nathan Hunter commented on the Zero Trust work with Sekuro.
Sekuro's Zero Trust Framework
Sekuro’s unique approach to Zero Trust through its Zero Trust Strategy framework has been created 100% in-house to focus on the areas that give the greatest security benefits whilst being pragmatic and realistically achievable for all organisations. It was created by security professionals with decades of hands-on experience in cyber security engineering, architecture and executive leadership across both private and government sectors globally.
The strategy encompasses 8 key pillars across 3 maturity levels. Sekuro’s Zero Trust Strategy takes a holistic look at your organisation’s entire cyber security posture delivering a tailored strategy that’s clear, realistic, beneficial, and actionable.
What are the 8 Pillars of Sekuro's Zero Trust Strategy?
Sekuro strongly believes that Zero Trust is a concept that needs to be considered across an organisation’s entire technology, process, people and architecture landscape.
Sekuro has developed a Zero Trust Strategy which is focused across 8 key pillars for an exhaustive look at your organisation’s entire cyber security posture.
People
Create and foster a culture that creates threat awareness, resilience, and identification of risk in your people whilst continuously measuring its effectiveness.
Identities
Multi-step authentication and verification of users on an ongoing basis with automated, continuous provisioning and de-provisioning.
Endpoints
Protection of devices no matter the location, operating system, or user.
Networks
Segment and isolate networks to help protect valuable assets.
Infrastructure
Protect key infrastructure from data exfiltration, misconfiguration, unauthorised access, and modification.
Applications
Catalogue, risk assess, restrict access to and protect applications and APIs.
Data
End-to-end protection of data, covering areas such as data classification, labelling, restricted access, DLP, and end-to-end encryption.
Analytics
Real-time observation across all pillars to understand interactions, anomalies, and threat visibility.
A Human Perspective on Zero Trust
In this e-book, Customer CISO, Lee Roebig, and Field CTO, Jason Trampevski, look at the human elements an organisation must consider when building a modern cyber security strategy, how Zero Trust fits in and what actions organisations can begin taking today.
What are the ten principles of Zero Trust?
Zero Trust is largely a principles-based methodology that can stretch across many areas.
Sekuro’s Zero Trust Strategy uses these key principles when building Zero Trust cyber security programs for customers:
#1: Verify Through Context
#2: Per-Session Least Privilege
#3: Assume Breach
#4: Secure Anywhere
#5: Continual Analysis
#6: Cloud Ready, Modernised Security
#7: Continual Assurance
#8: Attack Surface Reduction
#9: Automation/Orchestration
#10: Identity-Driven Access
Sekuro's Zero Trust Process
Additional Workshops
EXECUTIVE STAKEHOLDER ENGAGEMENT
Sekuro can help assist with executive engagement by creating a Zero Trust Strategy executive briefing presentation and (co)presenting to your executive team.
TECHNICAL STAKEHOLDER ENGAGEMENT
Zero Trust can be a major change that will require assistance, buy-in, and input from an organisation’s wider technical teams. Sekuro can hold a specialised session deep dive on Zero Trust principles, concepts, diagrams, and benefits with your wider technical teams to assist in gaining buy-in and cooperation, as well as answering any questions or concerns.
ZERO TRUST STRATEGY & ARCHITECTURE CONSULTING
Sekuro can help your organisation execute the multi-year roadmap after the handover has occurred by offering Zero Trust consulting services available in flexibly priced/sized packages.
A STRATEGY TAILORED FOR ANY ORGANISATION
Sekuro understands that not every organisation has the capability or need to aim for highly strict cyber security controls in their environment, and therefore we have developed three maturity levels to allow all organisations to align with a Zero Trust target state that can be tailored to their needs.
Level 1 – Maturing:
The organisation has the fundamental capabilities/technology in the respective pillar to set the baselines for a Zero Trust environment with room for additional effort to realise the value of their technologies and gain additional protection.
Level 2 – Pragmatic:
The organisation has implemented pragmatic Zero Trust cyber security controls in the respective pillar, prioritising controls that give strong protection while balancing costs/effort/resourcing requirements and focusing on reduction of high risks.
Level 3 – Advanced:
The organisation has implemented advanced Zero Trust cyber security controls in the respective pillar with a strong focus on protection, monitoring, automation, orchestration, and reduction of all levels of risk.
Lorna Jane 'steps up' to a Zero Trust approach with Sekuro
Lorna Jane was looking for a trusted security partner to take it on a journey to becoming a highly secure retail organisation.
Lorna Jane’s IT team needed to focus on securing against breaches while online selling and operations boomed during the COVID-19 pandemic. Harbouring fears of data breaches and dealing with a very young, casual workforce with little understanding of compliance or cyber security, Lorna Jane engaged Sekuro to provide a Zero Trust security framework.
Sekuro ensured that Lorna Jane’s cyber security policies and compliance aligned with a Zero Trust strategy. Sekuro also engaged with Lorna Jane’s existing technology providers to create an integrated ‘Alliance’ as a core cyber security stack.
- Lorna Jane now has SSO across 300 external applications.
- The ‘Alliance’ technology stack works in harmony to block around 50,000 malicious emails daily.
Read more from the Lorna Jane Zero Trust Case Study.