
Get IT Done - Zero Trust
Zero Trust — by André Godfrey
Security is important. But security is especially important in a work world where so many of us are connected remotely to our networks, and the cyber criminals, who are bent on gaining access to your data and files, are working non-stop, every day, every hour and every minute. You would think they’d get a real job!
In the earlier days of cyber security, our efforts generally mirrored physical security. Got a door? Get a lock. Got a window? Get some bars. Got intruders? Get intrusion detection. Need to stop them before they get in? Get a firewall.
The bad news is it isn’t working well enough. We have firewalls and passwords and multiple other measures, and we are still woefully behind the international cybercriminal juggernaut. We need a sheriff. Luckily, there is a new sheriff in town and the name is Zero Trust.
The new sheriff brings new rules. Rule #1. Trust no one. Any time there is a request of the network, this sheriff works on the assumption that there has been a breach. It questions everyone and everything. All the time. Reminds me of my dad.
Here are the guiding principles of Zero Trust per a Microsoft White Paper:
1) Verify explicitly. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
2) Use least privilege access. Limit user access with Just-In-Time and Just-Enough-Access, risk-based adaptive policies, and data protection to protect both data and productivity.
3) Assume breach. Minimize blast radius for breaches and prevent lateral movement by segmenting access by network, user, devices, and application awareness. Verify all sessions are encrypted end to end. Use analytics to get visibility, drive threat detection, and improve defenses.
Phew. See what I mean? But it makes sense, doesn’t it? If we assume that every transaction has evil intent and act from that parameter, our chances of stopping the barbarians at the gate go up considerably. I’ll remind myself that we need more than ‘considerably’; we need 100% containment, and perhaps this is the only way to get there.
Has your business been asked to verify its security practices as a third-party vendor? More and more enterprises are requiring not only liability insurance but cyber-insurance as the price of entry to receive RFPs. Along with cyber insurance they want to see your cyber security policies and your methodology for mitigating risk. These practices will be a barrier to some and a positive differentiator for others.
Here are some minimal considerations: Schedule a security audit. With remote users your exposure goes up considerably. Is their wi-fi secure? Is their anti-virus software and firewall up to date? Here’s something no one asks. Are there bad actors potentially in the household? Two-factor authentication becomes a must. Also keep in mind that remote worker households have no uniformity. Are there other devices to consider that are non-company assets? A VPN (virtual private network) is almost a necessity in many remote worker situations.
Next, look at active threat monitoring. Active threat monitoring gives your audit team a continuous view into the activities employees are completing on the network. Microsegmentation of these activities is part of Zero Trust and key to determining future threats and weaknesses and reducing any potential damages. Once the audit is complete and remedies are taken, schedule the next audit. Security is not a one-and-done situation.
Ultimately, Zero Trust may be the way to go, but it is likely a phased approach that may require major organizational changes. So…
Think About IT
André Godfrey is President, Entré Computer Services, www.entrecs.com
get IT done | OCTOBER 2020 | The ROCHESTER ENGINEER