Towards a Zero Trust philosophy: a break in continuity for application security

10 March 2022 | NEWS, Cigref in English, Press releases, Cigref publications

Cigref has published a report on the work of its « Zero Trust » working group, led by Thierry Borgel, CIO of the ICADE group.

Zero Trust is a development of IT security principles and a philosophy that organisations will need to adopt to strengthen the security of their digital assets. This concept requires an in-depth transformation approach, and a multi-year deployment roadmap; it is therefore not a question of applying a single solution or a single good practice but of implementing a programme including multiple projects in several areas: infrastructure, network, security, applications, cloud, etc.

This way of thinking describes an approach in which equipment and users are considered untrustworthy until proven otherwise. The concept of Zero Trust therefore rests on the belief that trust must be established and verified through rules: « Never assume, always verify, give minimal privilege, monitor and respond quickly ».

This report is also published in French. Click here to consult it.

A favourable context for the emergence of the Zero Trust concept

The current context shows the limits of the traditional "fortified castle" model, which protects the internal IS (information system) at its perimeter (the equivalent of ramparts and moats), and favours the emergence and development of the Zero Trust concept. Among the contextual phenomena identified, the working group converged on the exponential increase in the cyber threat, the explosion of the IS associated with migration to the cloud, the mobility of employees and service providers, as well as technological developments and the increase in digital projects.

Today, most Cigref organisations are studying the concept, are beginning to understand it and are taking ownership of it. Some members are already « doing Zero Trust » without knowing it, but most are still only at the beginning of the process and are seeking to identify opportunities to integrate it into their security strategy and policy.

Zero Trust: « who accesses what, for what, how, and from where? »

The participants of the Cigref working group formulated a single overarching question to summarise all of the elements to be checked when implementing a Zero Trust project: « who accesses what, why, how, and from where? ». The « who » represents users and services; the « what » represents applications, whether in the cloud or not; the « why » concerns the reasons for the access, based on specified rules; the « how » refers to the network used, either the corporate network or, increasingly, the Internet; and finally the « from where » refers to the user's terminal equipment and its location. All of these checks must comply with the GDPR and other applicable regulations.

The working group has thus made it clear that the subject is structural, complex, transversal and long-term. As of today, in each of the projects under consideration, organisations can begin to integrate the principles of Zero Trust, whether these concern the workstation, user awareness, the identity repository, access techniques or the network. They must also question their ability to use the Internet as their main corporate network, and the impacts this has on their infrastructure and security model.

Zero Trust: a complement to good security practices

The Zero Trust model must be added to the good security practices that all organisations should implement. In a dedicated opinion on the subject, the ANSSI (French National Agency for the Security of Information Systems) recommends vigilance in the deployment of solutions in order to avoid installation or configuration errors. Even with this approach, the intrinsic vulnerabilities of applications remain a problem. Organisations therefore need to rely on applications that are secure by design and secure by operation.

To prepare for the future, this means laying the foundations now for the requirements of future networks, notably 5G, for identity and access management modes, in particular by anticipating passwordless approaches, and for the other organisational and technological breaks in continuity that this philosophy may bring.
