teissTalk host Jenny Radcliffe was joined by Kevin Fielder, Chief Information Security Officer, FNZ Group; Andrew Aken, Zero Trust Lead Technical Architect, Twitter; and Nick Sears, VP – SASE Solutions, Lookout.
Views on news
A draft memorandum by the Office of Management and Budget “seeks to build out the federal government’s underlying zero trust architecture in order to smooth the path for a coterie of recent cybersecurity related executive orders, initiatives and mandates. The new strategy delineates a clear attempt to centre the government’s cybersecurity away from the perimeter and towards an environment where software, hardware and people are regularly validated and verified.” Lookout has been selected by the National Institute of Standards and Technology (NIST) to collaborate on its Zero Trust architecture development efforts.
Zero Trust is another misnomer in cyber security. It stands for perimeterless or comprehensive security that, instead of assuming everything behind the corporate firewall is safe, is always in a state of preparedness for a breach and therefore verifies each request as though it originates from an open network. Nick believes that the Executive Order (EO) is a sign of a shift where Zero Trust, rather than being a marketing slogan, is becoming a viable strategy. Out of the 10 sections of the EO, only one addresses technology, which is an indicator of the important role processes and people play in it. Zero Trust has been pushed to the forefront of cybersecurity thinking by cloud migration reaching a critical mass, as well as the wide adoption of BYOD.
With these shifts having taken place, a castle-and-moat type of defence can no longer remain the modus operandi. Forrester’s framework breaks down Zero Trust into seven different domains, which all need to be considered in order to properly deploy zero-trust security across all technologies and corporate cultures.
Selling Zero Trust to staff and the Board
The idea of Zero Trust needs to be sold to both the board and staff. To get boards’ buy-in, the best way is to explain its benefits in terms of RoI and productivity. The board needs to fully understand that remote and hybrid work settings cannot be supported by legacy information security infrastructures relying on firewalls and fixed perimeters.
Passwordless access enabled by Zero Trust can also improve productivity significantly by cutting down on log-in times. Although Zero Trust, and the approach built on the premise of “never trust but always verify!”, treats everyone and everything as potentially malicious, that is just the underlying principle. In practice, Zero Trust is enabled by reams of data that we can collect and analyse about both users’ habits and the operation of devices (location, the device’s and user’s risk level based on previous behaviours, amount of sensitive data shared, etc.), which makes the detection of anomalies much more straightforward.
Zero Trust hasn’t been designed to prevail at the expense of user experience. On the contrary, it is meant to improve network and device security, as well as to make authentication and verification processes simpler. Zero Trust is a dynamic security model, and as long as no anomalies are detected, which is about 70-80 per cent of the cases, it simplifies the processes users need to follow.
Depending on their roles, guests had different approaches to ensuring that the security measures they helped put in place outlive them. The rule of thumb to measure the value you added to the organisation’s security is that the organisation is more secure when you leave than it was when you joined. Another way of keeping your legacy alive is to follow up with the organisations that you worked for. When you are in the role, in addition to presenting your team with digestible short-term deliverables, you also need to set some strategic goals that your successor may want to subscribe to.
The panel’s advice
To set a foundation for Zero Trust, your organisation should first decide what security framework it aims to adhere to. Implementing SANS TOP 20 Controls is a great way to start the journey.
All organisations are at different levels of maturity; therefore, their starting points are different. Establish what your organisation’s major threats and top priorities are, then identify the technological solutions that you want to implement. Network access is a good place to start, which then can be extended to cloud security, where misconfigured containers are common vulnerabilities.
For Microsoft’s Zero Trust Maturity Model assessment, visit: https://www.microsoft.com/en-gb/security/business/zero-trust/maturity-model-assessment-tool?activetab=solution-wizard%3aprimaryr1