According to Fortinet's The State of Zero Trust Report, most organizations claim to have either a zero trust access (ZTA) or a zero trust network access (ZTNA) strategy in place or in active deployment. However, most also report that they cannot consistently authenticate users or devices and struggle to monitor users after authentication. Additionally, many organizations report that implementing zero trust across an extended network is difficult.
Here are four steps experts recommend for Zero Trust implementation.
Zero trust protection is not an all-encompassing architecture. The most successful zero trust implementations start small, focusing on critical assets with the highest risk profiles, and then leverage a discover, observe and control adoption philosophy, said Kate Kuehn, vArmour senior vice president. “This enables organizations to not have to in essence boil the ocean and try and adopt unilateral controls too quickly, but instead lock down their crown jewels and understand the relationships those assets have to address resilience planning in a phased approach.”
One of the biggest mistakes we see when implementing zero trust is insufficient investment in visibility, observability, and analytics across the organization, Kuehn added. “Without visibility, companies are limited and can’t quickly mobilize to identify or prevent threats to the entire enterprise. Zero Trust is here to stay; while it’s only the first step to dynamic, proactive security, it’s an essential foundation that every organization needs to modernize its security posture.”
The zero trust implementation model should include authenticating users, machine identities, or other components, ideally based on credentials as well as other factors like device identifier and location, said Jacob Ansari, Schellman security advocate and emerging cyber trends analyst. “It should also include clear ideas of authorization for what permissions that identity has. Further, authorization should make use of a careful definition of least privilege, which means that someone needs to carefully determine what identities should be able to do and not do.”
Some of the easy wins involve securing remote access, Ansari added. While not zero trust, per se, using secure remote access with good multifactor authentication is an essential component of a functional zero trust model. Secondly, start looking at machine identities like service accounts or non-user principals for systems or cloud services or APIs.
Make sure someone knows what these identities do, what rights they should have, and how they authenticate. If any API endpoints or the like don’t require authentication or the tokens or other credentials have been exposed through public repositories, require stronger authentication. If service accounts require root user privileges, start the engineering efforts to change how those applications work, so that you no longer rely on risky elements like superuser privileges for service accounts.
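As an added example (not from the article or any of the people quoted in it), a minimal policy decision point in Python that applies the Ansari passage above: every request is authenticated on credential plus device identifier plus location, then checked against an explicit least-privilege permission set; a request that arrives with no credential is refused with a reason that flags the endpoint for stronger authentication, and a service account is refused superuser privileges. All identity, device, region and permission names are constructed for the example.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory (hypothetical names): each identity's credential, the devices
# and regions it may connect from, and the explicit least-privilege set of actions it may take.
IDENTITIES = {
    "alice": {"kind": "user", "secret": "s3cr3t-alice", "devices": {"LAPTOP-01"},
              "regions": {"EU"}, "permissions": {"orders:read", "orders:write"}},
    "svc-billing": {"kind": "service", "secret": "tok-billing", "devices": {"BILLING-VM-7"},
                    "regions": {"EU"}, "permissions": {"invoices:read"}},
}
SUPERUSER = {"root", "admin:*"}  # privileges no service account is allowed to hold

@dataclass
class Request:
    identity: str
    secret: Optional[str]  # None models an endpoint hit with no credential at all
    device_id: str
    region: str
    action: str

def authenticate(req):
    """Credential, device identifier and location must all match the directory record."""
    if req.secret is None:
        return None, "no credential presented: endpoint must require authentication"
    rec = IDENTITIES.get(req.identity)
    if rec is None or not hmac.compare_digest(rec["secret"].encode(), req.secret.encode()):
        return None, "unknown identity or bad credential"
    if req.device_id not in rec["devices"]:
        return None, "unregistered device"
    if req.region not in rec["regions"]:
        return None, "unexpected location"
    return rec, "ok"

def authorize(rec, action):
    """Least privilege: only explicitly granted actions, and never superuser for services."""
    if action in SUPERUSER and rec["kind"] == "service":
        return False, "service accounts may not hold superuser privileges"
    if action not in rec["permissions"]:
        return False, "action not in least-privilege set"
    return True, "ok"

def decide(req):
    """Policy decision point: deny by default, authenticate, then authorize."""
    rec, why = authenticate(req)
    if rec is None:
        return False, why
    return authorize(rec, req.action)
```

The reasons returned on denial are the signal a practitioner would feed into logging, so that unauthenticated endpoints and over-privileged service accounts show up in the inventory the paragraph above calls for.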
To ensure success in zero trust implementation, an organization must have a comprehensive adoption strategy covering technology, processes, and people, according to Arun “Rak” Ramchandran, Hexaware global head, digital core transformation.
“Today, technology changes faster than humans can comprehend,” Ramchandran said. “For example, AI and machine learning (ML) have been on an evolutionary path to the point where artificial intelligence is evolving all by itself. AI advances effectively with zero human input.”
To ensure that zero trust works in perpetuity, organizations must have periodic audits and recalibration to see how the zero trust environment needs to be updated, Ramchandran added. “There are always state-owned actors within a network who can compromise the network.”
People are the greatest threat to the system, in two ways: those creating programs to compromise the zero trust network, and those becoming complacent about protecting it. Human complacency is enemy number one in assuring zero trust data protection.
On its way to becoming an industry-wide standard, zero trust is being more broadly adopted, said Yash Prakash, Saviynt’s chief strategy officer. Many security leaders and practitioners have focused their attention on deploying identity-based solutions and building identity-centric architectures. For zero trust implementation, organizations must incorporate three core policy components:
Zero trust networks enhance security by implementing least privilege access controls and eliminating the need for trusted insiders, explained Nicola Davolio, Hupry CEO. Every user and device must be verified and authenticated before being given access to any resource. This approach eliminates the reliance on perimeter defenses, which can be breached, and instead creates an internal security posture that is much more difficult to exploit.
This approach has many benefits, chief among them being that it helps prevent data breaches and limits the damage that can be done even if a breach does occur, Davolio added. Dramatically reducing the number of users who have unrestricted access to your systems and data makes it much harder for attackers to move laterally.
Implementing a zero trust architecture requires operational strategy, policies, products, and integrations to work in harmony, said Bryon Hundley, Retail & Hospitality ISAC vice president of intelligence operations. Each organization’s zero trust implementation process will be different, but typically will include the following steps:
“Zero trust summarizes the idea that no device, user, network, or other system or resource can act without authenticating its identity and can only perform actions for which it is authorized,” Ansari said. “The idea that it’s the internet-facing segment that faces all the risks and the interior of the organization is less prone to compromise or malicious activity has been discredited; an organization’s network has had porous boundaries since users took their laptops home with them at the end of the day.”