In 2019, Forrester reported that zero trust (ZT) would hit the mainstream in Europe. Security and risk professionals in international organisations with European operations need to understand how to apply zero trust.
Forrester has developed a zero-trust extended framework to guide chief information security officers (CISOs) with their zero-trust strategies.
Zero trust is a conceptual architectural model that uses microperimeters and microsegmentation to secure corporate networks. The approach increases data security through obfuscation techniques, limits the risks associated with excessive user privileges, and dramatically improves security detection and response through analytics and automation.
General Data Protection Regulation (GDPR) readiness means that firms today know more about their data: where it is, how it flows within and outside their organisations, and how data access is governed. And these insights provide a substantial head start on your zero-trust implementation.
But acceptability of technical security controls varies dramatically by country. Forrester recommends CISOs pay attention to the local European cultural and regulatory norms wherever they are planning to implement the zero-trust model. Map out the regulations and stakeholders involved and build a plan to deal with them.
Examples of implementation issues when applying a zero-trust model
- DLP monitoring: France, Germany, Italy, Netherlands, Switzerland – strong resistance in workers’ councils countries
- PIM session monitoring: Central and Eastern Europe (CEE), France, Germany, Switzerland – resisted where seen as overbearing monitoring of employee activity and countries with aversions to surveillance given historical contexts
- Security analytics: France, Germany, Italy, Netherlands, Switzerland – resisted where seen as overbearing monitoring of employee activity and countries with aversions to surveillance given historical context
- User behaviour analytics: Germany, Switzerland, CEE, whole of European Union (EU)/European Economic Area (EEA) – resisted where seen as overbearing monitoring of employee activity and countries with aversions to surveillance given historical contexts
- Privacy regulations and data security: whole of EU – strengthened due to introduction of the General Data Protection Regulation.
- Cryptographic key management: transfers out of EU/EEA to third countries with restrictions – seen when exporting encrypted data outside of EU/EEA to countries with requirements to issue cryptographic keys at government request.
For instance, countries with employee-led corporate governance resist employee monitoring. Standards of corporate governance in countries like France, Germany and the Netherlands emphasise employee participation. Workers’ councils enjoy substantial authority to challenge management and protect employee interests, and they heavily restrict monitoring of employee actions and systems use. Thus, security leaders need to exercise care in monitoring employee actions when using security user behavioural analytics (Suba), data loss prevention (DLP), or privileged identity management (PIM).
You’ll need to prove to the workers’ councils that your plans don’t degrade employee rights or intrude into employees’ actions.As one supplier executive put it: “It used to be that we just didn’t sell any DLP in Germany full stop. The conversation now starts with, ‘How can we do it safely?’ rather than an outright denial.”
CISOs can take advantage of this shift to a more sophisticated understanding of the intersection of security controls and privacy laws. Your own efforts to engage stakeholders need to show that you have listened to their concerns and that you have taken their views into consideration.
Plan for explicit review and stakeholder approval steps in your ZT road map as you develop your reference architecture. Develop a risk mitigation plan showing how you will mitigate any privacy or cultural concerns.
Data regulations and restrictions
The GDPR defines personal information broadly, hampering security monitoring. The GDPR considers such data points as dynamic IP address, device identifier and authentication credentials, that are commonly collected during monitoring, to be personally identifiable information (PII).
Implementing visibility controls in the ZT model becomes harder as a result, particularly when your analytics platform is deployed outside of the European Union (EU) or European Economic Area.
Be prepared to discuss your employee monitoring programme in the context of the overall security strategy with your data protection officer (DPO), workers’ councils and data protection regulators. Be clear on what you’re collecting, why it’s necessary and how you’ll safeguard employees’ privacy.
Forrester recommends that CISOs review international data transfers and cryptographic key management.
If you need to transfer personally identifiable information of EU residents to a non-EU country (such as the UK after Brexit), you’ll likely need to implement additional frameworks such as model contract clauses or binding corporate rules.
Or if you’re transferring data to the US, you’ll need to comply with Privacy Shield. Be very clear about the locations where data is stored or processed, and work with your privacy and legal teams to determine the most appropriate measures. Also prepare to face the required disclosure to governments of even encrypted data.
For example, the Chinese Counter Terrorism Law requires firms to hand encryption keys to local authorities if they request them for decrypting information.
Where data is anonymised, the security visibility needed for zero trust is reduced. Data anonymisation can mitigate some data protection concerns, but according to the GDPR, only completely anonymous data is not personal in nature.
Data is pseudonymised in most cases, meaning it’s possible to re-identify individuals. However, the application of data anonymisation techniques complicates ZT visibility by making it harder to identify the sensitivity or criticality of data in its anonymised form.
Colin McMillan, technical director for security at Cisco, says: “Data anonymisation has been used by some European customers to deal with data sovereignty issues. But when implementing ZT, they still want visibility. Customers have implemented technical solutions in non-standard ways to get around this, making maintenance and support challenging for everyone involved.”
Non-security executives think that zero trust is just a network security architecture. Network security decision-makers have driven zero-trust adoption in Europe thus far, with little discussion above the CISO level.
This could be a result of the high proportion (42%) of senior-most enterprise security decision-makers reporting into the CIO in Europe. Forrester recommends CISOs must emphasise the many elements of Forrester’s zero-trust extended framework that reach beyond the network.
If CISOs don’t elevate zero trust, their implementation efforts won’t achieve their business and security goals. n