Companies that employ “zero trust”  an approach to security that relies on continuously verifying the trustworthiness of every device, user, and application in an enterprise — had a smoother transition to working from home than those that didn’t, according to a study by Enterprise Strategy Group (ESG), an IT analyst, research, validation, and strategy firm. 

According to the study, released in April, 45% of organizations who were more mature in their zero trust strategies adjusted better to telework as compared to 8% of those that were less mature. 

“We have many applications in the cloud, and we manage many devices especially in IoT (Internet of Things). Zero trust helps us manage this new environment and protect Dow’s information,” said Mauricio Guerra, chief information security officer of plastics manufacturer Dow Chemical Company, at IBM’s Think Conference 2021, a two-day virtual conference that ran May 11–12. 

With their users, data, and resources spread around the world, companies have to prioritize securing potentially sensitive or confidential data at every layer of the organization.  

At the same conference, IBM Systems senior vice-president Tom Rosamilia said that there are three core principles to the zero-trust approach: least privilege access; never trust, always verify; and assume breach.  

Open security, he added, is critical to the success of zero trust. Open-source software is code that is designed to be publicly accessible — anyone can see, modify, and distribute the code. IBM has been betting on open source for a long time, said Mr. Rosamilia, with its subsidiary Red Hat enabling community-driven innovation. Benefits of using open-source software, according to Red Hat, include lower cost, transparency (which reduces software bugs), and collaboration (which accelerates innovation). 

Mr. Rosamilia also warned against relying on a single provider. “Customers have key control [of their data],” he said. “It’s called keep your own key. Don’t entrust your data to anyone  not us, not anyone else.” 

Although zero trust offers improved security, it is not easy to put in place, according to a 2020 Forrester Research paper. It’s a gradual process requiring security teams to coordinate and understand the context behind all the connections occurring in the business: data, users, devices, applications, and workloads. Four tenets can be considered to be successful with zero trust, said the paper: 

  • Define context-organizations need to understand what users, data, and resources are connecting across the business to create coordinated security policies aligned with business goals 
  • Verify and enforce- organizations need to continuously verify that each and every connection is acceptable and trustworthy at that moment 
  • Resolve incidents- organizations need to always plan for anomalies such as new business situations or incidents stemming from unknown threats 
  • Analyze and improve- organizations need to realize that security is never “done” and continually improve their security posture by adjusting policies to make faster, more informed decisions 

“My advice would be to start by developing a growth map,” said Dow Chemical’s Mr. Guerra. “Where do you want to be? How will you get there? This will change over time, but you need a road map to make sure you’re heading in the right direction.” — Patricia B. Mirasol