author photo
By Bruce Sussman
Wed | Nov 27, 2019 | 7:15 AM PST

An avalanche of changing expectations.

That's the best way to describe what IT and security teams face as they deliver services to the business.

What started the push toward Zero Trust?

We'll let Asaf Lerner, Director at Thales, paint the picture of this massive IT landscape shift, which started us on the road toward today's least privilege and Zero Trust model. 

"In the 90s for example, users usually came to the office, logged into their machine once they were there, and they would have to work with whatever resources we gave them. The IT infrastructure was very, very simple," Lerner told the SecureWorld web conference audience.

"We had our on-prem servers, they were all different applications you set up in a tree like structure, and it was simple.

However, I would say about five years ago we were introduced to what I would like to refer to as Enterprise 2.0, which is completely different."

Completely different for end-users, for IT and security teams, for the customers of your organization, and for your vendors. 

"First of all, the users' side," says Lerner. "We now have users all across the world. We have users we don't even know they exist because we are, for example, outsourcing some of our work to different companies around the world. And they have outsourcing of their own, and those contractors may need access to our data. So we don't really know where our users are. And we don't know where our customers are."

And there are other major shifts IT and cybersecurity teams are facing:

  • Users have high expectations and want the B2C experience in their B2B applications. "The same experience as if they were shopping on Amazon, like a single click-to-buy," says Lerner.
  • To deliver on this and respond to CIO demands for greater efficiency, research shows the average company is using 21 different cloud apps. 

This creates several access management challenges. The perimeter no longer exists, legacy IAM products to protect the perimeter are no longer the answer, and security is losing access control in many cases. 

At the same time, 81% of breaches are linked to ID theft and the stealing of credentials. This makes sense as a majority of companies continue to use static passwords as the primary way of authentication and access management.

And that is a failed access management paradigm.


The avalanche of digital change has forever altered the landscape, but it can be tough to know how to proceed.

This is why Zero Trust is such a hot concept right now. It works, and works very well, when you account for the shifts we've discussed.

What are the benefits of a Zero Trust approach

Carlos Garcia, Sr. Principal Architect, Office of the CIO at Optum, presented next on the web conference.

He reminded us that today's "users" include humans, bots, processes, and code.

Then he took a rapid dive into the benefits of shifting to identity-centric security and Zero Trust.

"It allows you to do automating with precision while reducing risk, allows for authenticating with more factors and in a security context, increases monitoring, and increases responding when least privilege is inappropriately exceeded."


How do you approach Zero Trust governance?

Garcia then unpacked a six-step strategy to prepare for the implementation of Zero Trust within an organization.

  1. Formalize authoritative source(s) for identity life cycle, attributes, and serialization
  2. Develop a scalable and sustainable directory, attribute, and group structure and process
  3. Identify sensitive data location, access, and ownership
  4. Identify privileged accounts and entitlements
  5. Establish sources for identity context and risk
  6. Enhance security operations technology, training, and process with identity concepts/scope

Garcia then explained steps to implementation and shared some Zero Trust use cases.

There is much more detail in Why Authentication and Access Management Is the Foundation of Security in a Zero Trust World, which is available on-demand from the SecureWorld web conference portal.

Also, if you'd like to discuss Zero Trust in person with cybersecurity peers in your region, be sure to check out the 2020 SecureWorld conference calendar for North America.