To combat the new risks associated with the current hybrid way of working, many cyber security executives and vendors have now discovered “Zero Trust”: this framework aims to enforce security in the IT environment while at the same time increasing the productivity of the entire company.
The way people work has changed dramatically in the last decade. Enterprise employees today work from anywhere, using devices and networks no longer directly under their control, to access corporate resources in the cloud. While this has greatly increased productivity, it has also made it much more difficult to protect businesses. Putting Zero Trust into practice is not without its problems, however, as there is no single definition of zero trust.
Current security approach
One hears from some quarters that multi-factor authentication (MFA) should be sufficient, while other solutions go one step further and require "least-privileged access".
Broadly speaking, zero trust is the idea that any object, internal or external, must be periodically authenticated and evaluated before being granted access. When the majority of users, devices, applications and data are no longer within a given security perimeter, there can no longer be any firm assumption that a user or their device should be trusted.
Amid the complexities that come with the adoption of technologies like the cloud and working from anywhere, it is difficult for those responsible for security to figure out where to start, and that includes Zero Trust. But you should first think about what is important for your own company. Using an endpoint detection and response solution protects your data from endpoint risks. The same applies to cloud security: you protect your data in the cloud from risky or malicious access and attacks. In other words, to use Zero Trust efficiently, you should focus on all vectors in which your data is embedded.
Data as a starting point
When most organizations first adopt Zero Trust, they try to focus on the way employees get their jobs done, such as requiring employees to use Virtual Private Networks (VPNs) with a second factor of authentication when accessing company resources. In contrast, however, I believe that the focus should not be on what one should (not) do, but on the data.
Employees are constantly creating and editing data. Since the end goal of an attacker on corporate IT is to steal data, simply authenticating a user at the time of access is no longer sufficient. Instead, you need to focus on what types of data you own, how they're accessed, and how they're manipulated. It is also important to keep in mind the ever-changing risk levels of users and the devices they use.
Set priorities
Data is everywhere. Employees create data every day, whether it's exchanging it via email, copying and pasting content into a messaging application, creating a new document, or downloading it to their smartphone. All of these activities create and manipulate data, and each has its own life cycle. It would be extremely tedious to keep track of the locations of all this data and how it is being handled.
The first step in implementing Zero Trust Security is to rank your data by sensitivity levels so you can prioritize which data needs extra protection. Zero Trust can be a never-ending process because you can apply it to anything. Instead of trying to create an enterprise-wide zero trust strategy for all data, focus on the most important applications that contain the most sensitive data.
Data access
The next thing to look at is how data is shared across the organization and how it is accessed. Do employees mainly share data via the cloud? Or are documents and information sent via email or Slack?
Understanding how information moves across the organization is critical. If you don't first understand how data moves, you can't protect it effectively. For example, if a common folder in the company's cloud contains several subfolders, some of which are protected, this seems like a secure method. And it is, until someone shares the main folder with another workgroup without realizing that doing so changes the access settings for the private subfolders. As a result, your private data is now accessible to a lot of people who shouldn't have access to it.
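The folder scenario above can be checked before a share is made. The following is an added example, not code from the article or from any vendor: the `Folder` model, the group names, the 0 to 3 sensitivity scale and the assumption that a share on a parent is pushed down to private subfolders are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Folder:
    name: str
    sensitivity: int                           # constructed scale: 0 = public ... 3 = restricted
    grants: set = field(default_factory=set)   # groups granted directly on this folder
    private: bool = False                      # True: ignores the parent's grants
    children: list = field(default_factory=list)

def effective_access(folder, inherited=frozenset(), prefix=""):
    """Map each folder path to (sensitivity, groups that can currently read it)."""
    path = f"{prefix}/{folder.name}"
    groups = frozenset(folder.grants) | (frozenset() if folder.private else inherited)
    result = {path: (folder.sensitivity, groups)}
    for child in folder.children:
        result.update(effective_access(child, groups, path))
    return result

def exposure_report(root, shared_path, new_group, min_sensitivity=2):
    """List sensitive folders that new_group would gain if shared_path is shared.

    Assumed platform behaviour: the share is pushed down to every descendant,
    private ones included, which is the failure described in the text.
    """
    findings = []
    for path, (level, groups) in effective_access(root).items():
        in_scope = path == shared_path or path.startswith(shared_path + "/")
        if in_scope and new_group not in groups and level >= min_sensitivity:
            findings.append((path, level, sorted(groups)))
    # Most sensitive first, so the folders that need attention lead the report.
    return sorted(findings, key=lambda f: (-f[1], f[0]))

# Constructed sample tree: a team folder with two private subfolders.
SAMPLE = Folder("finance", 1, {"finance-team"}, children=[
    Folder("reports", 1),
    Folder("payroll", 3, {"hr-leads"}, private=True),
    Folder("audit", 2, {"finance-leads"}, private=True, children=[
        Folder("drafts", 2),
    ]),
])

if __name__ == "__main__":
    for path, level, current in exposure_report(SAMPLE, "/finance", "marketing"):
        print(f"level {level}: {path} (currently limited to {current})")
```

Running the report for a proposed share of the main folder lists the private subfolders that would be opened up, ordered by sensitivity, before anyone clicks "share".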
No off-the-shelf solution
Everyone has probably heard the phrase: "There's an app for that!". And in general that's true. There seems to be an app or software solution for every modern problem these days. Zero Trust, however, is not one of those problems. Even so, many vendors want to sell their products as so-called "solutions" for implementing Zero Trust data security. That pretense simply doesn't work.
In essence, Zero Trust is a mindset and philosophy, but should not be confused with a problem that can be solved by software. If you intend to adopt Zero Trust as a method for security in your organization, you need to understand how this approach works and how to reliably implement it across your organization.
The role of employees
The second part of implementing Zero Trust data security is getting your employees on board. You can buy existing software and solutions and set rules, but if your employees don't understand what you're doing or why they should be using something, you're jeopardizing your progress and success and likely exposing your data to certain risks.
At the RSA 2022 conference, a colleague of mine conducted a survey and found that 80 percent of attendees still use a traditional spreadsheet to record and calculate their data. And according to a 2021 survey, only 22 percent of Microsoft Azure users use MFA. These numbers suggest that you should involve your employees from the very beginning, and explain to them the importance of data security and how to put it into practice on their own devices.
Zero Trust is not a product
One of the most important things to remember when implementing Zero Trust Security in your organization is that it is a philosophy, not a simple solution. Zero Trust isn't something you can casually install overnight. And it's not a ready-made piece of software that you can buy somewhere to solve all problems at once. Zero trust is more of a fundamental idea that needs to be implemented in the long term.
Before you invest in a one-size-fits-all solution that just doesn't work, it's important to get to know your existing data better and understand which particularly sensitive data needs to be prioritized and protected. It is also about how that data should be handled in detail, so that you can then concentrate on the training and further education of your employees. “Zero Trust” sounds like a great idea, but implementing it only works if you understand that it's a philosophy or framework that needs to be set up in stages and continuously improved, and not a one-time, fixed solution.
More at Lookout.com
About Lookout
Lookout co-founders John Hering, Kevin Mahaffey, and James Burgess came together in 2007 with the goal of protecting people from the security and privacy risks posed by an increasingly connected world. Even before smartphones were in everyone's pocket, they realized that mobility would have a profound impact on the way we work and live.