M+E Daily

CPS 2021: IBM Security Explains the A-Z of Zero Trust

Delivering security and protecting content is crucial in enabling media and entertainment organizations to thrive, build brand awareness and establish customer trust. But it’s difficult to achieve that in such highly collaborative, perimeter-less environments with shared ownership and control, where almost nobody can be implicitly trusted.

That is why a zero trust security approach is so important. It can be an incremental, iterative process to implement controls that verify and enforce security every step of the way, and it will help ensure that only the appropriate access to resources is granted to those users and entities that need it and when they need it, according to Alden Hutchison, partner at IBM Security.

His company is helping customers “transform their organizations” and they are “under a tremendous pressure to compete,” he said Dec. 16 at the Content Protection Summit (CPS) event, during the session “Adopting Zero Trust – What is it, What’s Working and What Isn’t.”

He kicked off the session by asking who in attendance was planning to implement zero trust projects and integrate them within the fabric of their organizations’ security programs. Only one person raised their hand.

“The first lesson in zero trust is don’t trust the guy on stage asking questions like that,” he joked.

His firm’s customers are “moving to more modern cloud solutions,” he told attendees. He added: “They’re expanding their partnerships. They’re collaborating with more people, which causes them to share their data more widely. So they’re no longer in this traditional castle and moat kind of defense system. They really need to modernize their approach to security. So, as they continue to share data [and] they continue to add users into their mix, it really creates a tremendous amount of challenge.”

That represents the challenge with the business, he noted.

“At the same time, the threat actors are getting more sophisticated,” he pointed out, explaining: “They’re transforming their business as well. They’re creating ransomware as a service. They’re partnering up with people and collaborating to attack. We see it with the success of ransomware over the past year. We see it with them targeting supply chain vendors, getting into the supply chain [and] now being able to target the downstream customers. And they keep getting more and more opportunities to grab a foothold in the organization with new major vulnerabilities that occur – just like the Log4j vulnerability that got disclosed” recently.

Criminals are also increasing the pace of their attacks. What only helps them is that it is a “very surface-rich attack target and you’ve got to defend it as an organization,” he said.

Why Zero Trust is Important

“We believe adopting a zero trust framework is important to do, regardless of which route you want to go,” Hutchison said.

His company tends to “center on the NIST standard just because it is widely adopted but we work with clients across many different frameworks and ideologies,” he noted.

Zero trust is “not a product – you can’t buy this thing off the shelf,” he stressed, explaining: “It’s going to require you to integrate several products to pull this off. It’s not an individual project. It is something that’s going to take a while to roll out. It’s going to be something you continue to do as an organization.”

He continued: “It’s a set of principles you need to align your program to. You need to continue to evaluate every new technology,” figure out “how it supports that zero trust set of principles and how… you continue to reduce your attack surface, [and] get smarter faster as you grow your program.”

Now, “conceptually, [it’s] super easy,” he said. “You’ve got to make sure it’s the right user coming into your environment. You’ve got to give them the right level of access, making sure that they only have the access they need to do the job they need to do, and give access to the right data.”

However, that said, “as any good security professional, you should be uber paranoid and assume all of those things are going to fail on you,” so you should be “continuously monitoring that process and looking for failure, looking for anomalies,” he pointed out.

Although it’s “simple in concept, there are a ton of details that go behind it and there’s a ton of things that you need to be capable of having in your program and having in your capabilities” and then it’s important to integrate those tools, which is “one of the struggles that a lot of the clients have,” he said.

That is because companies have created these platforms and “they operate in a silo and some of them may be very well configured on their own but they need to share data, they need to share context in order to orchestrate that zero trust framework effectively,” he explained.

Top Use Cases

The most common use cases that IBM’s clients are focused on are: reducing the risk of business disruption and ransomware (discovering risky user behavior in the process), preserving customer privacy, reducing the risk of insider threat, protecting the hybrid cloud, and securing the hybrid workforce, according to Hutchison.

To preserve customer privacy, it’s important to simplify and secure user onboarding, manage user preferences and consent, and enforce privacy regulation controls, according to IBM.

To reduce the risk of insider threat, it’s crucial to enforce least privilege access, discover risky user behavior and embed threat intelligence. Meanwhile, to protect the hybrid cloud, it’s important to manage and control all accesses, monitor cloud activity and configurations, and secure cloud native workloads. And to secure the hybrid workforce, it’s important to secure everybody’s personal and unmanaged devices, eliminate virtual private networks (VPNs), and provide experiences that are “passwordless,” according to the company.

Qualifying security risk into financial terms, meanwhile, helps validate which projects should be prioritize, according to Hutchison.

When all of that is done, it just time to execute, he said, pointing to four more steps: creating an agile zero trust “scrum” team; breaking work into “sprints;” showcasing some wins and gain momentum; and adjusting as necessary when the inevitable change comes.

To view the full presentation, click here.

To download the presentation, click here.

The Content Protection Summit was open to remote attendees worldwide using MESA’s recently introduced metaverse environment, the Rendez.Vu-powered MESAverse, an interactive 3D-world that allows for hybrid live and virtual events.

The event was produced by MESA, presented by IBM Security and Synamedia, sponsored by Convergent Risks, Richey May Technology Solutions, PacketFabric, archTIS, Code42, INTRUSION, NAGRA, StoneTurn and Vision Media.