Organizations face an average of 1,600 cyberattacks per week, and this digital threat continues to grow in scope and complexity. Cybercriminals are using increasingly sophisticated techniques, such as AI tools. As DDoS attacks, ransomware and data theft become more common, the cost of recovering from a cyberattack is also rising. With the introduction of the Cybersecurity Act (NIS2 Directive), organizations in critical industries are required to structurally improve their security. Traditional measures, such as firewalls and anti-malware, no longer suffice. So what does?
Where does a data breach actually come from?
Research shows that nearly 49% of all data breaches are caused internally, often through privilege abuse or human error. The other half comes at the hands of malicious hackers. This highlights the need to approach cybersecurity at all levels: technology, processes and behavior.
Security at all levels with Zero Trust
Zero Trust means always verifying and never trusting by default. This principle helps minimize damage in the event of a cyberattack and forces organizations to have their security in order on all fronts.
Specifically, what does this mean?
- Isolate applications and apply microsegmentation;
- Least privilege: Give users and systems access only to what is strictly necessary;
- Continuous monitoring: Detect anomalies and unsafe configurations;
- Strong identity verification: Make sure you know who has access;
- Automation: Eliminate manual infrastructure access and reduce human error.
Sounds logical? Sure. But in practice, bringing an existing IT environment fully up to these standards is challenging.
A new approach: the “flight to the front”
Implementing Zero Trust after the fact is complex and costly. In fact, many IT environments have grown over the years and are built with outdated best practices. Therefore, more and more organizations are opting for a ‘flight to the front’: setting up a new, secure IT environment (‘greenfield’) that immediately meets modern security requirements.
Public cloud solutions offer the right tools and flexibility for this. Experience shows that this approach is less disruptive and ultimately saves costs.
But where do you start? A roadmap
A successful Zero Trust approach requires a clear strategy and clear guidelines. Start with:
- Understanding and embracing Zero Trust: Organize workshops with architects and lay down the basic principles. This will become your guide when making infrastructure, application and security architecture decisions. Do not underestimate the importance of this step, or of implementing and enforcing the principles afterwards. Weakening them in practice is like leaving a string hanging out of the mailbox so anyone can open the front door: times have changed.
- Establish a risk control framework: Determine what you are protecting (assets), why (risks) and how (measures). Consider not only technology, but also ownership and processes.
- Network security at all levels: A firewall at the gate is not enough. Secure each network segment and application separately.
- Strict access control: Ensure administrators have access to production environments only in exceptional cases. Use MFA and conditional access control.
- Continuous monitoring and response: Prevent insecure code or configurations from entering production. Establish an incident-response process.
- Automation: Eliminate manual configurations. Ensure applications and infrastructure are deployed automatically and securely.
An ongoing process
Security and compliance are not one-time actions, but an ongoing process. So how do you proceed?
- Make security part of the corporate culture. Technology alone is not enough; awareness and behavior play a big role.
- Automate the deployment of landing zones and applications. Make sure no one has to log into the landing zones to configure applications.
- Implement the controls (the measures from the control framework) as guardrails, so that they relieve the DevOps/application teams as much as possible.
- Automate application robustness: use automatic recovery options (from code or by services).
- Use stateless services and avoid (accessing) operating systems.
- Allow data to be accessed only by application services or service accounts.
- Protect and monitor code and pipelines.
- Avoid operating systems/IaaS and stateful compute.
- Prohibit secrets in code and text/config files.
- Avoid shared services whenever possible: they are the gateway to many applications and their data.
- Audit/show what you have accomplished.
Include your people in the transition
Being able to log into any server at any moment as one of many administrators and manually make the necessary fixes is user-friendly but very risky. This is evident from almost all reports of cyberattacks in which hackers got in. Moving to fully automated environments where everything is set up, changed and managed from code is sensible, but also a huge change.
There will be a change in the way you work. Keep that in mind. Make sure you include people in the change.
Get everything right at once
Getting everything right at once in an existing situation is an illusion; it takes time. But doing nothing and thinking it won’t happen to you is also an illusion. Make the decision at the executive level that you are going to invest in Zero Trust and carry this decision forward. Analyze and decide which impactful measures can be taken quickly. Use compliance and security monitoring tools, which are available for any budget.
If you start using cloud services (or already have), you have an advantage: there is no history to straighten out and you achieve a manageable IT situation (much) faster. In many cases you can set a new standard in an existing cloud environment with new applications: that can also be a route. The standards and measures you apply to a cloud should automatically take effect in the on-premises environment as well.
The measures to be taken are not rocket science in themselves; it’s all doable. And public cloud providers also make it easy to do the right things. But it’s your responsibility to implement it consistently and at all levels, from component