Zero Trust - Deloitte


Zero Trust

A revolutionary approach to Cyber or just another buzz word?

2021

Despite the recent marketing hype, the concept of Zero Trust is not new – in fact, academics have spent the last 20 years debating the advantages and challenges of a security model that is based on the principle of never trusting and always verifying. It’s only been in the last few years that the technology has started to catch up, making this once theoretical model a reality and generating lots of excitement, with vendors bringing new products to market with big claims and game-changing promises.

Through this document, we will look beyond the hype and break down what Zero Trust is, the business drivers behind it and the benefits it can bring. We will also explore approaches to Zero Trust, what the journey feels like and share some common pitfalls and challenges along the way.

2021. For information contact Deloitte LLP

Why Zero Trust?

The drivers and trends putting Zero Trust on the agenda

In recent years, Zero Trust has become somewhat of a buzz word within industry circles, with lots of attention placed on how this innovative approach to cyber security can help organisations to defend against the new generation of attackers – who are better networked, more organised and who have access to tools that only a few years ago were the preserve of nation state actors.

However, there is a broader set of business drivers and demands pushing Zero Trust onto the corporate agenda and highlighting the need for greater speed and adaptability in how organisations approach cyber security, as they seek to survive and thrive in an increasingly digital world.

What is driving the move to Zero Trust?

- The rapid pace of digitalisation is increasing IT complexity and driving up cost
- Adversaries are becoming more sophisticated and are outmatching current cyber defences
- The development of digital products and services is being constrained by rigid cyber security controls
- The shift to the Cloud is demanding a new approach to securing critical business data
- An increasingly mobile workforce now expects to be able to work from anywhere, on any device
- The demand for better and easier business collaboration requires a more agile approach to security
- The cost of compliance is rising due to overlapping and rigid controls, and more strenuous requirements
- The proliferation of Shadow IT is increasingly hard to contain without damaging business agility
- Securely managing Mergers and Acquisitions is increasingly complex, time consuming, and costly
- Increasingly complex vendor landscapes and supply chains require a more efficient approach to security

Understanding your drivers for embarking on a Zero Trust journey will help shape the path you take.

Introducing Zero Trust

What does it really mean?

Zero Trust is a framework for looking at Cyber Security in a new way. Based on the fundamental principle of “never trust, always verify”, Zero Trust moves away from the traditional perimeter-based concept of managing security, to one where trust is established between individual resources and consumers, as and when needed. Trust is determined based on a combination of internal and external factors and is constantly revalidated.

Zero Trust releases the shackles from IT, enabling businesses to strip away cumbersome and expensive security controls, and build a more dynamic, efficient and customer-orientated technology platform.

- Much more than just technology. It is a framework that integrates a range of adaptive and next-generation capabilities
- An out of the box technology solution
- Transformative. Re-imagining how you manage cyber and unleashing it, to better align to the way you do business

Zero Trust is a new way of thinking about security based on the principles of “never trust, always verify” – aligning the way you do security to the way you do business.

Key Concepts

How does it work?

[Figure: Zero Trust key concepts. Surviving labels: Directory/IDP, Threat Intelligence, Policy, Trust, Providing Entities, Data, Devices, IT/OT/IoT, Applications, Policy Enforcement, Dynamic Session Access.]

All communications, regardless of location, are treated from the same starting point of having no inherent trust. Trust is established by a dynamic policy, informed by a range of signals – from behavioural analytics to threat intelligence – and is constantly revalidated.

Benefits of Zero Trust

Should we believe the hype?

There is a lot of excitement around Zero Trust with big claims made by vendors about the benefits that it can bring – but should we believe the hype? While it is certainly not a silver bullet, Zero Trust can unlock a range of opportunities for organisations by better aligning security to how they do business, reducing risk, improving agility and driving down operating costs – however these benefits are hard won and require support and commitment from across the organisation to truly be realised.

The benefits of Zero Trust

- Enabling the modern workplace: Supporting the ‘new normal’ and enabling employee productivity, by reducing friction and providing secure and flexible access
- Supporting digital products and services: Using Zero Trust principles to securely develop digital products and services and enable the transition to Industry 4.0 – creating a head start against competitors
- Reducing and managing risk: Enhancing the ability to detect and respond to threats in real time and reducing the blast zone of attacks by restricting lateral movement
- Sustainably reducing cost: Reducing security costs by minimising IT complexity through automating, simplifying and standardising the way we do cyber
- Enhancing business agility: Enabling faster and secure innovation, greater business agility, and easier and more efficient integration with partners and third parties

While Zero Trust can help unlock a range of benefits, to truly realise its potential you need to approach it methodically, with a clear line of sight to how Zero Trust will deliver these benefits for your organisation.

Zero Trust functional architecture

Taking a look under the bonnet

Deloitte’s Zero Trust functional architecture is aligned to NIST’s Zero Trust Architecture standards (SP 800-207) and is designed to provide an end-to-end view of the key components and how they interact in a Zero Trust environment.

[Figure: Zero Trust functional architecture. Components shown:]

- Adaptive Cyber (Organisational Design and Change, Cybersecurity Training and Awareness)
- Architecture and Governance (Vision, Strategy, Roadmap, Enterprise and Solution Architecture, Standards and Principles)
- Consuming entities (Anywhere, anytime)
- Providing entities (Anything, anytime): Workloads, Devices, Data
- Network (Transport and Session Underlay)
- Policy Management and Integration: Policy Decision Point (PDP), Policy Engine (PE), Policy Administrator, Policy Enforcement Point (PEP)
- Identity Information: Identity (User, Device and Application, …)
- Enterprise policies (Non-exhaustive): Resource-based policies, Session policies
- Contextual Data (Non-exhaustive): Threat Intel. and Security Logs, Continuous Monitoring
- Operations (Detection and Response, Security and Event Monitoring, Security Orchestration)

Deloitte’s Zero Trust functional architecture helps provide a target state for the end-to-end Zero Trust vision.

Unlocking Zero Trust's potential

Building a successful Zero Trust programme and delivering business outcomes

The adoption of Zero Trust should be viewed as an organisation-wide journey, that is as much about repositioning how we approach and manage cyber risk across the organisation as it is about evolving technology capabilities. At Deloitte, we use a framework which encompasses nine foundational domains which help to shape the Zero Trust journey and deliver desired business outcomes.

- Architecture and Governance: Enterprise architecture and contextual and dynamic security policies for the adoption of Zero Trust. From: static, complex and reactive security architecture. To: contextually-aware, simpler and dynamic enterprise security architecture.
- Network: Private networks retired and use of public networks and micro-perimeter based legacy services*. From: private network with enterprise-wide perimeter. To: use of public networks with resource/services perimeter.
- Identity: Consolidated identity technologies and processes to enable adaptive access. From: disparate identity stores and pre-defined static access. To: consolidated identity stores (e.g., Identity providers and Trust-based access).
- Operations: Predictive and preventative security tooling and automated processes. From: reactive, pre-defined metric measurement and manual response. To: predictive, monitoring and automated response.
- Devices: Real-time assessed device trust level based on device health and additional criteria. From: pre-defined or accepted device trust level. To: dynamically assessed device trust based on multiple criteria.
- Workloads: Context-aware access using defined trust levels to applications, secured with micro-perimeters. From: static predetermined access and an inherited trust model. To: dynamic access based on health and other criteria.
- Data: Trust levels based on enterprise-wide classification of data. From: varied data type and sensitivity classification. To: enterprise-wide classification of data-based value and sensitivity.
- Policy Management and Integration: Centralised security policy management and dynamic enforcement for resources. From: siloed security policy management and static controls. To: centralised security policy management and dynamic policy enforcement.
- Adaptive Cyber: Dynamic security organisation closely aligned to business priorities and continuously adapting to the internal/external environments. From: static cyber organisation, disconnected from the business, without clear ownership of cyber risk. To: shared accountability for cyber and continuous collaboration amongst teams to deliver business goals.

Zero Trust programmes involve much more than just technology and require the integration of a broad set of capabilities to realise their full potential.

* See Deloitte's point of view on the evolution of 'Enterprise Network Security Architecture'.

The journey to Zero Trust

What does it feel like?

The journey to Zero Trust is different for every organisation and will be shaped by your business priorities, the benefits you are seeking and your ambition to change. This is what that journey may feel like:

1. Traditional: We have built components of Zero Trust but didn’t know it. We are lagging behind the competition, with a flat, expensive and complex network that is frustrating to navigate and manage
2. Foundations: We are seeing early improvements to key tools and technologies. We understand where we are going and how we are going to get there
3. Essentials: It's easier to get things done. New staff and partners are quickly on-boarded. Workplace feels more modern and new tools are available
4. Advanced: We are working as a truly cloud-first company, collaborating and co-creating seamlessly and securely with clients, partners and colleagues
5. Optimal: We have integrated to reach Zero Trust and gained the full range of benefits, in our products and services and in seamless collaboration within the firm and with partners

Your organisation’s journey to Zero Trust will be different, depending on your drivers, the benefits you want to gain and your ambition to change.

Taking the first step

Adopting Zero Trust doesn’t mean starting afresh

While Zero Trust can help organisations achieve transformational business change, the adoption of a Zero Trust framework does not necessarily entail a radical overhaul of your existing cyber capabilities. From our experience, most organisations already have some of the key building blocks and fundamental capabilities required to embark on a Zero Trust journey and realise some of the potential benefits.

Zero Trust environments are primarily built through the integration and evolution of existing cyber capabilities, supplemented by the introduction of next generation technologies. With a clear line of sight to the benefits that are being sought, organisations must set clear architectural principles and roadmaps, which provide a common Zero Trust blueprint around which capabilities can be built.

[Figure: Zero Trust blueprints]

Moving to Zero Trust doesn’t mean throwing everything out and starting again. Zero Trust involves the evolution and integration of existing capabilities with next-generation technology.

What benefits does Zero Trust unlock?

Unlocking benefits along the Zero Trust journey

Across the Zero Trust journey, capabilities can be built and integrated to ‘unlock’ a series of benefits – from decreasing cyber risk and improving user experience to reducing IT costs and enabling better digital collaboration. With clarity on your business priorities, and leveraging our Zero Trust framework tool, Deloitte can support you in mapping the right path for your organisation, providing clear and measurable alignment to defined business outcomes.

Example Zero Trust Roadmap

1. No significant benefits unlocked at the ‘Traditional’ (1) stage
2. Streamlined authentication; Reduced blast radius; Modern SOC; Low friction user experience
3. Optimised WAN connectivity; Improved partner collaboration; Internet ready applications; Industry 4.0 cyber ready; Passwordless user experience
4. Modernised OT Security; Bring Your Own Device; Secure application access; Network agnostic
5. Automated cyber detection and response; Adaptive cyber security function

Key (Zero Trust Benefits): Enabling the modern workplace; Supporting digital products & services; Reducing and managing risk; Sustainably reducing cost; Enhancing business agility; Critical benefit unlocked

Challenges in adopting Zero Trust

Exploring the common obstacles in implementing Zero Trust

While every organisation’s journey to Zero Trust will be different and shaped by its business priorities, there is often a common set of obstacles and pitfalls that will need to be navigated – some of these include:

- Embracing change: Zero Trust must be supported by a dynamic and adaptive cyber organisation, which embraces new ways of working
- Integrating legacy: Bespoke approaches are often required to enable legacy systems (IT & OT) to participate in Zero Trust environments
- Having end-to-end visibility: Zero Trust requires end-to-end visibility of what you have and how it is used in order to provide the basis for trust
- Incomplete solution: There is no silver bullet for Zero Trust, with no vendor providing an end-to-end solution
- Business collaboration: Close collaboration is required between Cyber and the rest of the organisation to ensure clarity of purpose and alignment
- Designing for adaptability: Zero Trust is evolving rapidly. New capability arrives frequently – a Zero Trust programme must be agile to keep pace
- Making it all work together: The lack of common Zero Trust standards leads to integration challenges between solutions
- Taking the first step: Establishing the right governance and understanding where to start is fundamental to success

Any Zero Trust journey will be faced with pitfalls and obstacles that will require support, investment and buy-in from across your organisation to successfully navigate.

Case studies

How Deloitte is supporting organisations on their Zero Trust journeys

Transport and Logistics Company

Main drivers: Closer relationship with customer and digitalisation of value chain

Situation: A global transport and logistics company is on a transformational journey to become the global leader in the industry. As part of this transformation, the organisation are modernising their legacy application portfolio and seeking to open it up to trading partners.

Action: Deloitte is leading the delivery of this transformational programme. We’re currently working hand-in-hand with the client to modernise legacy applications, implement new SaaS applications and perform the various integrations. Applications are being deployed on an API-centric, zero-trust, cloud-native architecture, which means that employees, trading partners and application APIs are able to securely connect and communicate via the public internet, without the need for VPNs or private connections.

Industrial Conglomerate

Main drivers: Digital transformation, secure and protect customer critical IT and OT assets

Situation: An Industrial Conglomerate needed support in getting executive level buy-in and funding for a Zero Trust programme.

Action: Deloitte worked closely with the client to understand their ambitions and drivers, and develop a compelling business case and vision for Zero Trust that was anchored to the business’ strategic priorities. Deloitte also developed a capability assessment model to assist the client with making the right decisions along their journey and provided a roadmap with prioritised initiatives to meet the benefits being sought by the programme.

Global Aircraft Engine Manufacturer

Main drivers: Easier M&A integration and ability to collaborate with third parties

Situation: A global aircraft engine manufacturer needed to create a new technology environment to accommodate a newly acquired business. This challenge was compounded by requirements of flexibility and high availability.

Action: Deloitte was responsible for delivering an end-to-end Zero Trust solution, from defining programme requirements and building the conceptual architecture, through to the implementation. This highly-scalable Zero Trust solution enabled frictionless collaboration with third parties, whilst achieving high availability and resilience requirements for this essential business function.

Why Deloitte?

Our experience and what sets us apart

- Breadth of our offering: We see the Zero Trust big picture and understand the scale of change required – from networks and identity, to changing the organisation itself to work in a more adaptive way. We understand the ‘why’ of Zero Trust as well as the ‘how’.
- Depth of our experience: We have in-depth experience in delivering and implementing the programme of change, with specialist skills across all nine domains of Zero Trust.
- Technology independence: Our independence ensures our credibility as a trusted advisor and enables us to provide clients with unbiased advice on the pitfalls and challenges in implementing Zero Trust, while still allowing us to bring the right technical skills to the table.
- Deloitte’s Zero Trust framework: Our assessment and planning tool supports clients in choosing their Zero Trust journey, helping them to make the right decisions along the way and flex the programme to accommodate any changes during delivery.
- Passionate Partnership: We are passionate about partnering with clients on Zero Trust to work together to build innovative solutions and tackle the big challenges head on.

Contact us

- Wil Rockall, wrockall@deloitte.co.uk
- Matt Holt, maholt@deloitte.it
- Fadi Mutlak, fmutlak@deloitte.com
- Serdar Cabuk, scabuk@deloitte.dk
- Karthi Pillay
- Richard e.co.uk
- Luís Abreu, labreu@deloitte.pt
- Marius von Spreti, mvonspreti@deloitte.de

This publication has been written in general terms and we recommend that you obtain professional advice before acting or refraining from action on any of the contents of this publication. Deloitte LLP accepts no liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.

Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 1 New Street Square, London EC4A 3HQ, United Kingdom.

Deloitte LLP is the United Kingdom affiliate of Deloitte NSE LLP, a member firm of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”). DTTL and each of its member firms are legally separate and independent entities. DTTL and Deloitte NSE LLP do not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.

2021 Deloitte LLP. All rights reserved.
