NTT DATA’s Zero Trust Journey, Part Two: NTT DATA’s Zero Trust Architecture (and What We’ve Learned)
- December 14, 2021
Once we’d evaluated our own needs and strategy, and we’d gone through the arduous task of finding vendors who could meet those needs, our Zero Trust path got much smoother. Our journey started with the “new perimeter”— identity. We set out to ensure that the right users always have access to systems they need when they need it — while keeping everyone else out.
We started our Zero Trust journey with identity. We implemented robust Identity and Access Management (IAM), including IDM workflows, role mining/defining, single sign-on (SSO), and multi-factor authentication (MFA). We then leveraged identity data about systems and users from a diverse range of sources within our ecosystem. The data integrates with various endpoints to ensure only the right people gain access. The move is to use a risk-based approach to granting access. If an account has been compromised — or if a user is connecting from a non-corporate device — then the decision around access (and the level of assurance needed to grant access) should reflect the confidence we have that this is a trusted user and that the level of assurance increases as the perceived risk increases. This kind of architecture requires a well-integrated structure that enables sharing of information and orchestration of response. The strategy is to use conditional access and private access agents for users and endpoints. This creates an encrypted, end-to-end connection, mimicking a VPN-like “bubble” around our various digital properties and internal systems.
We extended internal servers and applications to our users via SASE Private Access, setting up our access restrictions such that only authorized endpoints could access systems and data. We use SASE tunnel ranges as well as security technology to ensure our endpoints are not only authorized NTT DATA devices, but they’re protected end-to-end by our SASE solution.
We did not, and still do not, provide our users with privileged access. We have adopted a catalog approach to installing applications, and our service desk uses a PAM solution to enable JIT (Just in Time) privilege access.
Endpoints and mobile devices
Our endpoints have their own identity and are managed, secured, and monitored via endpoint management solutions, OS (Operating System) and third-party application patch management, the SASE, as well as endpoint detection and response solutions.
Zero Trust isn’t simply about identity and access management from the perimeter: network security is still critical for providing defense in depth. To that end, we installed next-generation firewalls (NGFWs) to take advantage of device filtering, deep packet inspection, and other capabilities. And underpinning everything, of course, we continue to check our entire ecosystem. We make use of extensive vulnerability scanning to ensure all OS and application patches are installed and effective. Finally, all our security systems feed our SIEM (Security Information and Event Management) / UEBA solution to ensure real-time entity behavior analytics, anomalous activity identification, and automated workflows and case management to reduce time to respond.
What we’ve learned
As with any expedition of this scale, we’ve taken many lessons from our Zero Trust journey, many of which apply to any organization looking to follow our path.
There are some truly non-negotiable things with any Zero Trust program:
- Executive sponsorship and buy-in: To weather the inevitable pushback that will come from across the business units when moving to Zero Trust, the executive team must be aligned from the start. You can’t start any journey unless you know where you’re headed, and making sure your executive team agrees on that destination is critical.
- Hygienic Identity: To ensure you can accurately assess and assign each transaction, you need to have a known and trusted source of record.
- Well-integrated technologies: Zero Trust needs a deep tech stack of security and business solutions working together with one another to send and receive the necessary security signals across various control points.
- Clear communication with users: No matter how well-designed your Zero Trust roadmap is, your users will experience some changes. You need to ensure your people feel included and educated along the way and understand the reasons they are being asked to change behaviors. It’s not enough to simply tell them the “what,” you need to give them a meaningful “why” as well.
- An abstraction layer: You do not want to be forced into a single (and therefore limited) tech stack, so you need the ability to add/remove/augment vendors as your security and business needs evolve.
In our experience, in practical application, missing any one of these things will lead to failure — or at least a compromised architecture. Beyond these critical factors, there are several “wish list” items that will make the journey much more comfortable and increase your chances of success:
- Behavioral analytics: This will provide a more dynamic data set to support the decision-making process as you evaluate and evolve your program.
- DevOps/DevSecOps: Having a team dedicated to integration and user experience bug fixes that absolutely will occur during the process will lighten the load for everyone.
- Self-service capabilities: Some form of self-service dashboard to see what’s going on with your user experience and understand what blockers/limitations you are hitting is a major boon. This will help keep your help desk and service teams from being overwhelmed with support calls.
“Designing security based on the risk of an individual transaction, rather than on a giant and often incomplete context, just makes sense,” says Steve Williams, Enterprise CISO (Chief Information Security Officer) for NTT DATA Services. “Unfortunately, it has largely remained an intellectual exercise. Vendors are more than happy to throw ‘Zero Trust’ around as marketing jargon, but most solutions have effectively no real capabilities or ability to help you develop a true ZTA.”
It’s up to the security leaders of each organization to set up their own Zero Trust goals and needs, and to work with a provider that has experience in designing Zero Trust programs. Be honest and fearless in evaluating your own capabilities and those of prospective (and current) vendors. It’s not an easy journey, but it’s a trip well worth the effort. The world isn’t slowing down, nor is the evolution of the threats we all face. Zero Trust is not an end state: it’s just the next phase in doing everything we can to ensure our clients, our businesses, our users, and our critical data is as safe as it can possibly be.