Towards a Zero Trust philosophy: a break in continuity for application security

10 March 2022 | NEWS, Cigref in English, Press releases, Cigref publications

Cigref has published a report on the work of its « Zero Trust » working group, led by Thierry Borgel, CIO of the ICADE group.

Zero Trust is a development of IT security principles and a philosophy that organisations will need to adopt to strengthen the security of their digital assets. This concept requires an in-depth transformation approach, and a multi-year deployment roadmap; it is therefore not a question of applying a single solution or a single good practice but of implementing a programme including multiple projects in several areas: infrastructure, network, security, applications, cloud, etc.

This mindset describes an approach in which equipment and users are considered untrustworthy until proven otherwise. The concept of Zero Trust is therefore based on the belief that trust must be established and verified according to rules: « Never assume, always verify, give minimal privilege, monitor and respond quickly ».

This report is also published in French. Click here to read it.

A favourable context for the emergence of the Zero Trust concept

The current context shows the limits of the traditional "fortified castle" model, which protects the internal IS in a perimeter fashion (the equivalent of ramparts and moats), and promotes the emergence and development of the concept of Zero Trust. Among the contextual phenomena identified, the working group converged on the exponential increase in the cyber threat, the explosion of the IS associated with migration to the cloud, the mobility of employees and service providers, as well as technological developments and the increase in digital projects.

Today, most Cigref organisations are studying the concept, are beginning to understand it and are taking ownership of it. Some members are already « doing Zero Trust » without knowing it, but most are still only at the beginning of the process, and are seeking to identify the opportunities that they would have to integrate it into their security strategy and policy.

Zero Trust: « who accesses what, for what, how, and from where? »

The participants of the Cigref working group formulated a global questioning to summarise all of the elements to be checked in the implementation of a Zero Trust project: « who accesses what, why, how, and from where? ». The « who » represents users and services, the « what » represents applications, whether in the cloud or not, the « why » concerns the reasons for the access, based on specified rules, the « how » refers to the network used, either the corporate network or, increasingly, the Internet network, and finally the « from where » refers to the user’s terminal equipment and its location, all of which must comply with the GDPR and other applicable regulations.

The working group has thus made it possible to understand that the subject is structural, complex, transversal, and long term. As of today, in each of the projects under consideration, organisations can begin to integrate the principles of Zero Trust, whether around the workstation, user awareness, the identity repository, access techniques or the network. They must also question their ability to use the Internet as their main corporate network, and the impacts this has on their infrastructure and security model.

Zero Trust: a complement to good security practices

The Zero Trust model must be added to the good security practices to be implemented by all organisations. In a dedicated opinion on the subject, the ANSSI (French National Agency for the Security of Information Systems) recommends a certain vigilance in the deployment of solutions to avoid installation or configuration errors. With this approach, the intrinsic vulnerabilities of applications are indeed still problematic. Organisations therefore need to rely on applications that are secure by design and secure by operation.

To prepare for the future, this means laying the foundations now for the requirements of future networks, notably 5G, and of identity and access management modes, in particular by anticipating passwordless approaches, as well as for the other organisational and technological breaks in continuity that this philosophy may bring.
