In the world of Cybersecurity, there is no shortage of
techno jargon related terms. In fact, I
would say that 2021 was probably one of the years in which this exploded, and
it even came to the point where somebody even published an article on the most
beaten up and over used Cybersecurity terms.
Well, in today’s blog, I am about to bring you one of those
over used terms.
It is called the “Zero Trust Framework”, and this is a
subject area in which I have written a good amount in, not just for this blog
site, but in articles I have written for clients. Generally put, the idea behind this is that
you are implementing multiple layers of authentication mechanisms across your business.
But it goes one extreme:
Absolutely nobody is to be trusted, not even those employees that have been
with for the longest time.
The problem is that the Zero Trust Framework has been
brought out more as an out of the box product.
It really is not. But what it is
a framework, or even a concept, that lets you increase your levels of security,
depending upon the exact needs of your security requirements.
I have to confess as well; I may even have brought this out
as a product that can be deployed.
So the goal of this blog is to hopefully get rid of the line
of thinking that it is a product, but rather, it is an abstract way of thinking
that you can mold to fortify the lines of defenses. How can this be done? Here are some tips:
1)
Make into a mindset way of thinking:
Many IT Security teams do a very
good job of explaining walls of defense, what has been divided and not in the IT
and Network Infrastructure of your business.
They will mention about all of the security mechanisms that they have
deployed, and how each layer works. But
it is important to keep in mind here that they are talking in a micro way of
thinking. The Zero Trust Framework requires that you (the CISO) and your IT
Security team take a holistic, or macro view of how these tools and
technologies should be deployed. So in other words, rather than taking a siloed
approach, go to a whiteboard and draw your IT and Network Infrastructure, then
from there put in what is divided and what is not. That will give you a much clearer idea of
what is going on. Better yet, use a diagram-based
tool like Visio that will let you create this, that way you can put in the updates
as they evolve without having to redraw the entire thing again.
2)
Authentication never ends:
The thinking in Corporate America
today is still that the authentication and/or verification process is a one and
done deal. Meaning, once your employee’s
identity has been confirmed, that’s enough.
But the truth is, is still not enough. Although it may sound like a pain in the butt
and totally inconvenient, your employee must be thoroughly authenticated for each
and every piece shared resource that they want to gain access to, 24 X 7 X
365. The key here is that each and every
employee has to be treated this way, not just a select few.
3)
Give out only what is needed:
With the dawn and what it seems
like the never ending COVID19 pandemic, the 99% Remote Workforce is now going
to be a reality for a long time to come, if not permanently. Because of this, many businesses are now moving
everything to a Cloud based provider like that of the AWS or Microsoft
Azure. The idea here is that all of your
digital assets can be accessed easier, and it will be in a safer type of environment,
which will be monitored on a real time basis.
In fact, bot of these Cloud providers offer a robust set of security
tools that you can start using in just a matter of minutes. One of the things that will be easier to
monitor is the kinds of privileges, rights, and permissions that your employees
have been assigned, and if there has been misconfigurations made to them,
whether it is intentional or not. In
this regard, you always want to keep making use of an old concept in
Cybersecurity: Establish the most minimal
access rights that an employee needs in order to get their job done. Then if they need more, the request should be
evaluated and then if it is needed, then it should be assigned. This is called the concept of “Lease Privilege”.
4)
Make sure that everything is an optimal state:
In today’s digital environment,
many if not most businesses are outsourcing some of their own processes to
third party vendors in an effort to get the job done quicker. While this many the case, keep in mind that somebody
else now has access to your PII datasets, and that exposes the risk factor even
more. Because of this, you have to now
take the assumption that there is always a security tool or technology that is
not running efficiently to protect your digital assets. Therefore, the Zero Trust Framework mandates
that you also have to assume that nothing you deploy is working properly, and
that they must constantly checked to make sure that they are running in the optimal
state that you have established. But keep
in mind there are many automated tools that can do this for you, especially
when it comes to using AI and ML. So, you don’t have to have an individual constantly
watching over your security tools and technologies all of the time. But what they need to be on the lookout for are
the legitimate alerts and warnings that come in, and act on those quickly.
5)
Build a baseline model:
The Zero Trust Framework is not a
one size fits all approach. Meaning,
what works for one company probably will not work for you. Therefore, you the CISO, and your IT Security
team, have to take careful inventory of all of your digital assets, and
categorize according to them according to their particular level of risk. This is where a comprehensive Risk Assessment
comes into play. Then from here, build
up the baseline profile of what you and your team think is a threat and not, and
accordingly, the appropriate alarms will then go off. But it is also important that this baseline profile
be updated on a regular basis, in order to take into account any situation changes
that may occur. Remember that creating this
takes both quantitative and qualitative factors into consideration, not just
one or the other. Again, using the tools
of AI and ML will be a huge boon here, as these tools can do all of this in
just a matter of few minutes.
My Thoughts On This:
As I have mentioned before, the Zero Trust Framework is
extreme, in that people you even trust the most now on a technical level cannot
be trusted. So now the question comes,
how do you approach this when dealing with your employees and management, especially
the C-Suite.
Some may take the view that they should never be told that you
are planning to deploy such a framework, in order to keep the level of friction
down.
But I take the stance that honesty is the best policy
here. Always be upfront with your policy
and the C-Suite. This will always foster
a better relationship in the end with everybody that is involved. No need to keep anything secret.
But instead of using the term “Zero Trust”, perhaps a better
phrasing would be “Zero Assumption”.
Just some food for thought.
No comments:
Post a Comment