ISACA Case Study: Building a Zero-Trust Architecture to Support an Enterprise
Introduction
Cimpress is a USD $2 billion global company specialising in “mass customisation,” meaning customisable Business-to-Business (B2B) and Business-to-Consumer (B2C) hard copy and digital print products. Cimpress was founded in 1994 with a focus on helping small businesses produce impressive-looking print products that would allow them to compete with larger, more well-resourced organisations. Over the years, embracing digital transformation, Cimpress evolved to offer web-based graphic design services and was one of the first companies to offer browser-based desktop publishing software and workflow automation software to customers. This evolution allowed the company to meet modern demands of businesses—large and small—with high-quality, low-cost advertising and marketing materials. In 1999, Cimpress rebranded as Vistaprint, but in 2011 formally changed its holdings name back to Cimpress and started building out and acquiring dozens of small businesses that would be part of the Cimpress brand but would be managed autonomously from both a business and technology perspective. Today, the company operates in more than 20 countries with more than 16,000 employees worldwide. From a technology perspective, each business subsidiary chooses and manages its own technology stack locally. However, Cimpress Security is the corporate-level technology organisation that provides support to all Cimpress Holdings’ businesses. Leading a team of 30 people globally, Iftach Ian Amit is the Chief Security Officer (CSO) at Cimpress. Amit is responsible for cybersecurity for the Cimpress brand, and he and his team (Cimpress Security) provide oversight, guidance and training for the individual businesses that exist under the Cimpress brand. Amit started at Cimpress in 2018, and one of the things that drew him to the company was the company’s willingness to embrace modernisation and its attitude toward cybersecurity. 
In particular, the security unit at Cimpress had already decided on a strategic move to a zero-trust architecture. Specifically, this meant the team had already devised a plan to update processes and technologies to accommodate a “never trust, always verify” approach, including checking every access request for valid authentication and authorisation, implementing least privilege access controls, reducing reliance on perimeter-based controls and instead focusing on authenticated/authorised access, and implementing segmentation and/or microsegmentation (figure 1).
When he joined, Amit helped implement zero-trust for Cimpress corporate and recommended zero-trust concepts to the subsidiary companies. The idea behind the strategy was to put Cimpress, as the parent company, in a position where it had tried and tested zero-trust concepts and products that adhere to a zero-trust design methodology so it could strongly recommend or request that each individual business adopt similar processes and/or technologies. The lead-by-example philosophy demonstrated (and continues to demonstrate today) to subsidiaries what the benefits are and how Cimpress Security can help (if required or necessary).
The Challenge
Cimpress’s zero-trust journey began several years ago, which puts the company on the leading edge of adoption. However, several challenges exist in achieving full zero-trust for the corporate entity and all its businesses. As noted, each individual company operates as its own independent business, and resident technology and business teams are free to select their own stack of technology to run their organisation as best befits them. This means that the independent businesses use disparate systems—everything from cloud providers to customer relationship management tools, marketing tools, finance tools and more—which, while it allows flexibility at the business level, introduces management complexity from a corporate standpoint. In addition, says Amit, each business unit has a different level of skill and maturity in regard to its use and command of technology and security. While Cimpress Security is the overarching technology and security organisation, as of today, there is no mandate for subsidiaries to implement any processes or technologies used or recommended by Cimpress. As the technology experts for the organisation, Cimpress Security does not maintain governance over the business units and the technology they use or purchase, but it is responsible for upleveling the knowledge and skills of the individual companies’ teams and helping to bring them in line with zero-trust security best practices. Because of this structure, Amit and team have had to develop a tailored architecture that can easily scale across Cimpress Security and be applied as a blueprint at each business unit. Since disparate technology is deployed and each unit has varying levels of capability, Cimpress Security was challenged to adopt a zero-trust architecture centred around the three major cloud providers: AWS, Azure and Google Cloud (GCP). This meant that all processes and technologies adopted had to be environment-agnostic and even work for on-premises, virtual and hybrid environments.
As many of the businesses have already transformed and are largely cloud-reliant or cloud-native, the most pressing requirement for Cimpress Security in its zero-trust design was ubiquity and ease of use across cloud providers. While Cimpress Security provides guidance and support to the businesses, the team is not in charge of choosing individual technologies or deploying them. This means that any process or solution recommended by Cimpress Security should be flexible and user friendly enough to be deployed in any business or region. This, says Amit, is one of the main benefits of a zero-trust architecture. Further, because Cimpress businesses are spread across various geographies with different internal policies, cybersecurity and/or privacy requirements or regulations, and levels of maturity, Cimpress Security needs to continue to focus on a zero-trust approach that can apply to any environment yet maintain the highest level of security possible.
Solution
A zero-trust architecture is the perfect solution for highly complex, distributed organisations with many levels of maturity, because zero-trust is a design principle or framework rather than a defined technology stack or tool. This means that decisions by Cimpress Security that are rolled down to its business units must adhere to the principles of zero-trust (i.e., never trust, always verify; a mandate for least privilege; adaptive access controls; decisions made as close to the asset as is possible) but can be adapted and adaptive based on local choices or preferences.
At present, Cimpress does not mandate the implementation of zero-trust for any of its business units, but Amit says they are working toward a holistic directive in the future. This does not mean that Cimpress Security will in any way take over technology or security management for each business unit, but it does mean that Cimpress Security, as part of the parent company, will be able to ensure that each business unit has the highest level of security control implemented so that it can drive down cybersecurity risk for individual organisations, their partners and their customers. Nonetheless, today, Cimpress Security has a zero-trust architecture deployed for the parent company. The components of this strategy include the use of a leading zero-trust endpoint protection and authentication vendor across an 8,000-9,000 person user base; remote management for device provisioning and certification management, including a system manager who helps with secure connections to/from devices and trusted access; and Endpoint Detection and Response (EDR).
Device-First Approach
Cimpress Security chose a hybrid approach to zero-trust, considering the health of devices connecting into the network and each access request as primary security requirements. The team is also heavily reliant on metrics gained from Mobile Device Management (MDM) tools to analyse and triage issues and monitor user behaviour, setting baselines that allow them to quickly identify anomalies and events that require investigation.
Cloud-Based Infrastructure
Importantly, Cimpress corporate is an entirely cloud-based organisation; it does not run a corporate network, as is becoming more common for enterprises today. This makes the implementation of zero-trust less burdensome.
While several business units beneath Cimpress corporate do currently manage some on-premises infrastructure, Cimpress Security is actively helping these businesses transform and phase out legacy architecture within the next two to three years, what Amit calls “SaaS-i-fying” each business.
Phase 1
Again, though each business unit is, today, free to choose its own technology and processes, Amit says the Cimpress Security organisation has been successful in rolling out Multi-Factor Authentication (MFA) to every subsidiary. The move to MFA was what Amit considers “phase 1” of their zero-trust plan, and he says this simple control makes it easier for his team to see and correlate data across devices and connections.
Phase 2
The second phase of Cimpress’s zero-trust rollout will be to deploy a zero-trust-based authentication tool to broker authentication across all 16,000 employees, regardless of the business in which they work. This move to centralisation is less about gaining control over business units and more about focusing on incrementally improving the security posture for all (figure 2).
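The device-first approach and the MFA-then-broker phases described above can be expressed as a single policy decision function. The following is an added illustration, not code from Cimpress or the case study, and its field names, roles and posture thresholds are constructed assumptions; it shows how each request is checked for identity (MFA), device health (MDM enrolment and EDR state), posture freshness, and an explicit least-privilege grant before the asset is reached.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class DevicePosture:
    managed_by_mdm: bool     # enrolled in MDM (assumed attribute names)
    edr_healthy: bool        # EDR agent present and reporting clean
    last_checkin: datetime   # when MDM/EDR last reported posture

@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool       # "phase 1" control: MFA completed for this session
    roles: frozenset
    device: DevicePosture
    resource: str
    action: str

# Least-privilege grants, role -> resource -> permitted actions (constructed sample).
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "finance": {"ledger": {"read", "write"}},
    "developer": {"source-repo": {"read", "write"}, "ledger": {"read"}},
}
POSTURE_MAX_AGE = timedelta(hours=24)  # posture older than this is not trusted at all
WRITE_MAX_AGE = timedelta(hours=1)     # adaptive control: writes need fresher evidence

def evaluate(req: AccessRequest, now: datetime) -> Tuple[str, str]:
    """Decide one request at the asset boundary. Returns (decision, reason).
    Nothing is trusted by default: every check must pass, in order."""
    if not req.mfa_verified:                       # 1. identity: never trust, always verify
        return "deny", "mfa_required"
    d = req.device                                 # 2. device health gates everything else
    if not d.managed_by_mdm:
        return "deny", "unmanaged_device"
    if not d.edr_healthy:
        return "deny", "edr_unhealthy"
    age = now - d.last_checkin
    if age > POSTURE_MAX_AGE:
        return "deny", "stale_device_posture"
    if req.action == "write" and age > WRITE_MAX_AGE:  # 3. adaptive step-up for higher impact
        return "deny", "reverify_required"
    for role in sorted(req.roles):                 # 4. least privilege: explicit grant only
        if req.action in POLICY.get(role, {}).get(req.resource, set()):
            return "allow", "grant:" + role
    return "deny", "no_matching_grant"

def run_sample() -> List[Tuple[str, str]]:
    """Constructed requests exercising each branch; returns the decisions in order."""
    now = datetime(2024, 1, 1, 12, 0)
    fresh = DevicePosture(True, True, now - timedelta(minutes=10))
    stale = DevicePosture(True, True, now - timedelta(hours=3))
    fin, dev = frozenset({"finance"}), frozenset({"developer"})
    reqs = [AccessRequest("alice", True, fin, fresh, "ledger", "write"),
            AccessRequest("alice", False, fin, fresh, "ledger", "read"),
            AccessRequest("bob", True, dev, fresh, "ledger", "write"),
            AccessRequest("alice", True, fin, stale, "ledger", "write"),
            AccessRequest("alice", True, fin, stale, "ledger", "read"),
            AccessRequest("bob", True, dev, DevicePosture(False, True, now), "source-repo", "read")]
    return [evaluate(r, now) for r in reqs]
```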
Another aspect of the Cimpress Security zero-trust strategy is education and awareness—not just for zero-trust security, but for security generally (as zero-trust more and more becomes “security,” meaning, zero-trust principles are the ground floor for modern-day security practices). As the expert organisation responsible for improving the technical knowledge and skills across holding companies, the Cimpress Security group has developed a formal training and awareness program, complete with security champions from other business areas. The security champions program has been in place for 18 months, and the technology team actively recruits developers, architects, IT staff and operations staff to help promote security throughout the parent company and its individual businesses. At its inception, the program was optional, but today Cimpress Security is beginning to mandate participation so that there is a corporatewide culture, awareness and understanding of the need for best-in-class cybersecurity practices.
Benefit
Already, Cimpress Security has seen vast improvements in its security posture from the deployment of a zero-trust architecture. It is tracking security improvement in reducing unauthorised or risky access requests from the individual businesses.
Business Continuity
The biggest benefit that Cimpress Security has been able to achieve, however, became apparent as the COVID-19 crisis hit across the globe. As the pandemic forced enterprises worldwide to shut their offices, many organisations struggled with business continuity—how to keep their employees connected, effective and efficient even though office-based employees were now all working remotely, using myriad device types, and working over various connection types and at potentially non-standard hours. Further, given that most employees had either taken home enterprise devices or were using personal devices for enterprise use, IT and security teams were challenged to ensure consistent connectivity and to decipher when or if a non-employee (e.g., another member of the household) was using the device for non-work purposes (which would increase cyber risk). Though many enterprises suffered through the first several weeks of managing 100 percent remote workforces, Amit says Cimpress experienced no trouble, no downtime and no disruption. Because the company had started on its zero-trust, cloud-based journey years ago, all employees were ready with secure connectivity and access after a short two-day trial of Work From Home (WFH). Amit says, “We were already there in terms of access and productivity, and able to hand over guidance to each of the business units because we had already tested the plan, already implemented zero-trust access controls, and knew it works. We basically had to ‘flip the switch.’”
Seamless Transition From Office to Home
Amit called the transition to WFH “more than seamless, more than easy.” Because they were not reliant on a specific geography or static controls to keep them up and running, the company experienced no slowdown, no need for additional capacity planning and no application access denials. Adaptive, access-based controls predicated on zero-trust and a cloud-based architecture significantly benefited both Cimpress corporate and its business units in terms of continuity.
Employee Satisfaction and Productivity
Another benefit, though less measurable, was the lack of stress and drain on IT and security teams during this transition. Organisations not prepared for the pandemic were working around the clock, under extremely high-pressure conditions. Because, as Amit said, Cimpress could “flip the switch” to remote work—as the business transformation had already occurred and was tested—employees did not feel added pressure from work during an already stressful and uncertain time.
Result
A zero-trust architecture enables Cimpress to be more flexible from a Bring Your Own Device (BYOD) perspective. Amit reports that users are happier and more productive. More concretely, though, Amit says that Cimpress Security is able to gain a better understanding of users’ environments for Cimpress corporate, and the places where zero trust authentication and device management have been deployed throughout the subsidiaries. For these cases, Cimpress Security can restrict access and mitigate risk, when necessary, and provide enhanced controls for corporate-controlled/managed devices with consistent EDR or device-helped security measures. Centralised visibility and management are significant risk reduction factors, and the Cimpress ecosystem will see further improvement when more businesses start using Cimpress-supplied vendor technology.
Security and IT Improvement
Amit also notes that the Cimpress Security group’s ability to identify and contain suspicious events has gotten faster with every rollout of zero trust-based controls. He says that the group’s Mean Time To Detect (MTTD) has decreased every year—and can now be measured in hours—since the program was initiated (figure 3). The team has also noticed measurable decreases in the number of password reset requests by employees. “Once you implement zero trust with MFA,” says Amit, “you are less likely to run into situations where there are account resets and lockouts.” He said he has already extended password expiration policies (in line with the latest US National Institute of Standards and Technology [NIST] guidance), which results in less burden on IT and security teams managing bigger problems. From a support perspective, he has charted noticeable improvements in his team’s productivity and ability to meet customer (i.e., internal users’) needs. And, though it is too risky to dive into specifics publicly, Amit shares that the metrics they are collecting from penetration testing and red teaming are showing demonstrable improvement as a result of the implementation of zero trust. All the controls that fall under a zero-trust architecture—i.e., least privilege, continuous verification, environment-agnostic adaptive policies—make exploiting systems more difficult for testers and, thus, real-life attackers. Amit says they are seeing the simulated adversary having to work harder, having to use more advanced tactics and techniques, and having to be more aggressive with every test they run. This is true for both testing and teaming by internal teams and third-party consultants hired to help Cimpress identify and address weaknesses.
Conclusion
Though Cimpress corporate is well on its way to a fully zero trust architecture, Amit expects additional implementations as industry capabilities advance and new capabilities emerge. As a tech-forward organisation that has readily embraced digital transformation, Amit sees the company leading the way in terms of adoption. He looks forward to assisting each of Cimpress’s businesses as they, too, “SaaS-i-fy” and adopt zero trust as their foundation and standard of cybersecurity excellence.
Katie Teitler is a senior analyst at TAG Cyber, where she advises security vendors and end user organisations on strategy, portfolio management and market messaging. In previous roles, she managed, wrote, and published content for various research firms, a cybersecurity events company, and a security software vendor. Teitler is a co-author of Zero Trust Security for Dummies.