Refocus on Zero Trust Segmentation: Put ZTS First on Your Fiscal Planning Project List
It’s not only Cybersecurity Awareness Month; it’s also the time when many organizations conduct their annual planning cycles.
What are you adding to your security project list for next year?
Many organizations’ journeys towards Zero Trust started with identity management projects. Then, in the last few years, they’ve focused on improving EDR and endpoint/remote access capabilities.
However, recent research by analyst firm Enterprise Strategy Group (ESG) revealed that Zero Trust Segmentation is an increasingly critical component of an overall Zero Trust strategy. In fact, 81% of surveyed security leaders believe Zero Trust Segmentation should be part of their core Zero Trust strategy.
Zero Trust Segmentation is the next logical project on your Zero Trust journey.
Watch Nathanael Iversen, Illumio's Chief Evangelist, as he explains why Zero Trust Segmentation is so effective in helping organizations achieve cyber resilience:
Here are three reasons why Zero Trust Segmentation deserves a top spot on your fiscal planning project list.
Reason #1: Zero Trust Segmentation offers radical risk reduction
User and identity projects established the foundation of Zero Trust: identity. Then, the rise of ransomware shifted focus to detection.
But now, most organizations on their Zero Trust journey are ready to eliminate risks again. The biggest opportunity for radical risk reduction and for shrinking the operational network is closing unnecessary, high-risk, and commonly abused ports.
And the best way to accomplish this is by implementing Zero Trust Segmentation.
By ring-fencing high-value assets with Zero Trust Segmentation, there’s no question that most organizations could make a significant improvement in their security posture this year. According to ESG’s research, on average, organizations that have advanced their Zero Trust Segmentation implementations report being able to avert 5 cyber disasters annually.
Reason #2: Zero Trust Segmentation improves EDR deployments
A recent report from Bishop Fox found that networks protected by both Zero Trust Segmentation and endpoint detection and response (EDR) fared much better than either technology on its own.
Blue teams were able to find, isolate, and eliminate attackers four times faster when EDR and Zero Trust Segmentation were deployed versus EDR alone.
Attackers were also able to compromise drastically fewer hosts when Zero Trust Segmentation and EDR technology were combined.
Reason #3: Zero Trust Segmentation delivers quick, powerful wins
Zero Trust Segmentation is a project that can deliver immediate results within the year – if not sooner.
Analyst firm ESG surveyed a range of Zero Trust Segmentation customers and found that organizations employing Zero Trust Segmentation saved 39 hours per week on average due to increased operational efficiencies.
This resulted in organizations’ ability to:
- Conduct an average of 14 additional digital and cloud transformation projects per year.
- Get a 68% faster mean time to recover from cyber incidents.
- Save $20.1 million USD in annual application downtime costs.
Zero Trust Segmentation provides a “rising tide” effect that will improve operations across security and infrastructure.
Zero Trust Segmentation: How it works
Zero Trust Segmentation applies the security principle of least-privilege access to segmentation across cloud systems, user devices, and datacenter assets.
Zero Trust Segmentation asserts that only communications between systems and devices that are required for business operations should be explicitly permitted – all else should be denied.
When applied to typical corporate environments, organizations significantly reduce the risk that unwanted connections will occur.
Traditional segmentation technologies like firewalls only apply segmentation policy at fixed network locations. Outside those locations, traffic is freely permitted.
Zero Trust Segmentation applies segmentation policy at the workload level without any network dependency. Most organizations can close 90 percent or more of the pathways currently open without affecting desired traffic.
Eliminating these unused, high-risk, or well-known and often-abused ports radically reduces the risk of compromise or breach spread.
By enforcing Zero Trust policies that deny access to all traffic not explicitly authorized by the organization, Zero Trust Segmentation prevents attackers from engaging in lateral movement — or the ability for attackers to spread throughout the network.
Ransomware or other malware might be able to breach a single endpoint device, but Zero Trust Segmentation stops attacks from moving across the network beyond that initial point of entry.
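The default-deny model described above can be sketched as a label-based allowlist evaluated per workload. This is an added example, not Illumio's code or policy format; the hostnames, labels, ports, and function names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src_label: str  # role label of the connecting workload
    dst_label: str  # role label of the workload providing the service
    port: int

# Constructed inventory: hostname -> role label. Policy follows the label,
# not the subnet or firewall zone the host happens to sit in.
WORKLOADS = {"laptop-7": "endpoint", "web-1": "web", "web-2": "web",
             "app-1": "app", "db-1": "db"}

# Constructed allowlist: only the flows the business needs are listed.
POLICY = {Rule("endpoint", "web", 443),
          Rule("web", "app", 8443),
          Rule("app", "db", 5432)}

# Constructed listening ports per workload (e.g. from a host inventory).
LISTENING = {"web-1": {22, 443, 445}, "app-1": {22, 8443}, "db-1": {22, 3389, 5432}}

# Constructed flow records: (source host, destination host, destination port).
FLOWS = [("laptop-7", "web-1", 443),  # required business traffic
         ("web-1", "app-1", 8443),    # required business traffic
         ("web-1", "web-2", 445),     # peer-to-peer SMB inside the same tier
         ("laptop-7", "db-1", 5432)]  # endpoint reaching the database directly

def is_allowed(src, dst, port, policy=POLICY):
    """Default deny: a flow passes only if an explicit rule matches it."""
    rule = Rule(WORKLOADS.get(src, "unknown"), WORKLOADS.get(dst, "unknown"), port)
    return rule in policy

def evaluate(flows, policy=POLICY):
    """Return each flow with its verdict under the allowlist."""
    return [(f, "allow" if is_allowed(*f, policy=policy) else "deny") for f in flows]

def closable_ports(listening, policy=POLICY):
    """Listening ports that no allow rule references: pathways that can be closed."""
    needed = {}
    for r in policy:
        needed.setdefault(r.dst_label, set()).add(r.port)
    return {host: sorted(ports - needed.get(WORKLOADS[host], set()))
            for host, ports in listening.items()}

if __name__ == "__main__":
    for flow, verdict in evaluate(FLOWS):
        print(verdict, flow)
    print(closable_ports(LISTENING))
```

The `web-1` to `web-2` flow is denied even though both hosts share a tier, which is the difference from enforcement at fixed network locations: the rule is checked at the workload, so same-segment traffic is not implicitly trusted.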
Where Zero Trust Segmentation fits in the tech stack
Zero Trust Segmentation is typically deployed with other technologies to create a complete Zero Trust architecture.
Leading Zero Trust frameworks from thought leaders like Forrester and Gartner describe least-privilege principles applied to identity, data access, and more.
It is common for Zero Trust Segmentation to be deployed alongside technologies like identity and access management, endpoint detection and response, and a whole industry of data permission and management products.
Identity products apply least-privilege principles to user accounts, EDR applies least privilege to what can run on endpoints and user devices, and Zero Trust Segmentation extends the principle of least privilege to the communication pathways themselves.
Taken together, a full Zero Trust architecture becomes possible.
Select ZTS vendors with extensive partnerships and integrations
Organizations typically deploy Zero Trust Segmentation into a rich ecosystem of IT and security products. Because of this, it’s important to select vendors with extensive partnerships and integrations across many industry segments.
You will find that leading vendors already have partnerships, integrations, and deployments with other companies you represent.
Illumio works with:
- CMDB vendors like ServiceNow and BMC
- Vulnerability scanners
- SIEM and SOAR platforms like Splunk and IBM Security QRadar
- Container, cloud, and OS vendors
- Oracle Exadata and IBM zSystems
- Single sign-on (SSO) and IAM solutions like Okta
And many more.
Within this ecosystem, Illumio takes in connection data, vulnerability information, and user and machine identity information. This data is used to make powerful application dependency maps to help you create Zero Trust Segmentation policies that deploy across endpoints, data center, cloud instances, physical infrastructure, and critical enterprise systems like Oracle Exadata and IBM zSystems environments.
Illumio’s Zero Trust Segmentation platform easily complements and extends your existing tech stacks.
The Illumio Zero Trust Segmentation (ZTS) Platform
The Illumio ZTS Platform stops breaches and ransomware from spreading across the hybrid attack surface. With Illumio ZTS, organizations can easily:
- Visualize all communication and traffic between workflows, devices, and the internet in one console.
- Automatically set granular segmentation policies to control unnecessary and unwanted communications.
- Isolate high-value assets and compromised systems to proactively or reactively stop the spread of a breach.
ZTS is proven to help organizations of all sizes, from Fortune 100 to small business, stop breaches and ransomware in minutes, save millions in application downtime, and accelerate digital transformation projects.
It's time to plan for implementing Zero Trust Segmentation
Zero Trust Segmentation applies the principles of least privilege and assume breach to network communications across the entire user and compute environments.
By eliminating attack surface, improving incident response and breach containment, and effectively addressing both cloud and user environments, Zero Trust Segmentation fits in the sweet spot between effort and reward.
Start the planning process for Zero Trust Segmentation this Cybersecurity Awareness Month. Build your organization’s security posture and stay resilient against cyberattacks.
Check back next week for our next Cybersecurity Awareness Month blog post. You’ll learn why and how to rethink and refocus your organization’s...