Sunday, October 1, 2023

How Zero Trust can protect your business from the inside out

Shreya Christina
Shreya has been with for 3 years, writing copy for client websites, blog posts, EDMs and other mediums to engage readers and encourage action. By collaborating with clients, our SEO manager and the wider team, Shreya seeks to understand an audience before creating memorable, persuasive copy.

Gordon Lawson is CEO of mask, which allows organizations to protect their privacy and security using dynamic obfuscation.

As the digital age unfolds, the boundaries between different systems and data are blurring. The relative security of internal networks has been replaced by a chaotic cybersecurity environment that makes it difficult to trust anyone or anything.

Enter zero trust. As the name implies, the idea is to assume that systems and data are always at risk. By not trusting anyone, it is possible to better protect everything. While the concept is simple enough, running a zero-trust framework comes with many challenges and risks.

Zero trust is difficult because it requires an organization to walk a fine line between controls so strict that they hinder the business and controls so lax that they open the door to attacks and breaches. Moreover, a successful strategic framework revolves around many controls and components, from identity management and authentication to network access and data protection.

In addition, an organization must have strong policies and procedures in place to guide a zero-trust initiative and ensure it remains current. While there is a tendency to view zero trust as a marketing ploy, and there is clearly hype attached to it, in my opinion it seems on the way to becoming the de facto security standard. Consequently, those who avoid it do so at their own risk.

By the numbers

Designing and building a zero-trust framework starts with a critical acknowledgment: the perimeter is dead. Today’s highly interconnected world — connected by clouds, containers, APIs, and more — means there’s no way to place a guard at the palace entrance to prevent invaders from entering. Zero trust requires a completely different mindset and goes beyond just suppliers and technology.

Starting from the idea that everything could be hostile, it is possible to think more broadly and deeply about identities, permissions, users, applications and more. In a zero-trust world, it is unwise, even foolish, to downplay certain transactions or interactions, because the weakest link in the security chain will be the entry point for malware or other types of attacks. Zero trust means that security controls are applied evenly and across the board.

Zero trust also demands a different way of thinking about internal and external threats. In an old-fashioned model, organizations focused on a wall and moat scenario for protection. Today, however, attackers plant ransomware in networks and once there, the malware suddenly poses an internal threat. As it makes its way through the network, it encrypts data and wreaks havoc. No outside control will stop it.

It is clear that this situation is a huge challenge for business and IT leaders, along with the system administrators who must deal with the consequences. In addition, the challenges are increasing as organizations increasingly work remotely and adopt more interconnected systems. Having the right policies, procedures and technologies in place is critical.

Implement Zero Trust

To be sure, a zero-trust framework is vital as organizations shift productivity to the edge and adopt multi-cloud environments. The first step is to fully understand the concept and what the death of the perimeter means.

First, reconsider the policies and procedures in the context of the business requirements. Difficult or unreasonable standards will motivate people to ignore safeguards to get their jobs done. Indeed, these policies and procedures must consider the way people work, the devices they use, and the way the organization uses systems, devices, and data.

Second, it is vital to focus on identity management and to use more secure authentication tools such as passwordless login and multi-factor authentication (MFA). Locking down systems is a critical aspect of zero trust. Within this category, it is necessary to use more advanced technologies such as biometrics and link identities to more sophisticated IAM (Identity and Access Management) systems.

Finally, there is the task of network access and data protection. This covers several areas, including network segmentation, more contextual network access coupled with IAM and tools such as Active Directory, and obfuscation of global network paths. But it also extends to wireless connectivity and areas such as encryption, VPNs, and the use of various software tools and methods to protect an organization’s presence and privacy through secure browsing and other forms of protection. It also includes backup and restore.

Best Practices

As organizations wade through a zero-trust initiative, there are a few important things to keep in mind. It’s important to recognize that clouds are an enabling technology, especially for smaller businesses on a tight budget. Many providers build zero-trust frameworks into their products and services, and zero-trust initiatives scale more easily across clouds, including servers in a remote data center.

Recognizing that zero trust is not a plug-and-play proposition is also critical. It requires understanding product capabilities that provide the best fit and, ultimately, training employees and contractors to avoid risky behaviors that undermine the effectiveness of all security tools.

Make no mistake, zero trust is here to stay and will play an increasingly central role in defining security frameworks in the coming months and years. Ultimately, I believe that zero trust is the right approach.