Zero Trust Security and the Cloud
Ten years ago, the most widely deployed model for securing information resources was trust-verify. We operated on the assumption that if a user had an account and password and appeared to be on our local network, permissions would secure the information. Later, if we had time, we would verify the user’s access and activity, but as you know, we never had time.
This part of the shift to the cloud doesn’t necessarily require retraining, only refocusing. It frequently becomes a battle between CISO and CIO, security and IT. The new approach, a verify-trust model, comes with some expense and management overhead, and frequently interrupts productivity. Organizations are removing functionality outright rather than mitigating risk, and understandably so given the recent, rapid rate of change.
However, our common enemy, the hacker/evil doer/bad guy, is constantly looking for, finding and exploiting any weakness they can. That is well-worn Sun Tzu rationale we all know, but what should we be doing to defend against it today? Or should we be attacking?
With our resources we can defend all points of entry by attacking incoming requests with policies that span data locations, users, devices and apps before any access to information is allowed. This is verify-trust. The battleground still exists; it’s just evolving. We can accomplish this protection quickly, in a few phases, even if we can’t do it all immediately.
Force Verification by policy:
- Identity – using Multi-factor authentication (MFA)
- Location – using Conditional Access (CA)
- Device – using Device Management (MDM)
- Device health – using MDM
- App – using Application Management (MAM)
Limit Access by policy:
- Time – Just-in-time (JIT) access
- Privileges – Just-enough-access (JEA)
- Sensitivity classification – Information protection (AIP)
- Retention – retention policy based on signals
- Data encryption – using AIP
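The two policy lists above read as separate controls, but in practice they are evaluated in sequence for every request: the verify signals gate whether trust is granted at all, and the limit policies then narrow what the granted trust can do. The following is an added example, not code from the original post or from any vendor product; it is a minimal, self-contained policy evaluator in which every network range, app name, sensitivity label and role is a hypothetical value constructed for illustration.

```python
"""Added example (not part of the original post): a minimal verify-trust
policy evaluator. Every access request is checked against identity, location,
device, device health and app signals before any access is considered, and the
resulting grant is then narrowed by sensitivity, just-in-time and
just-enough-access rules. All values below are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed policy inputs (hypothetical, not taken from the post).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]
APPROVED_APPS = {"outlook", "teams", "sharepoint"}
SENSITIVITY_RANK = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
# Just-enough-access: the least role that can perform each action.
LEAST_ROLE_FOR_ACTION = {"read": "reader", "write": "contributor", "manage": "admin"}


@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool
    source_ip: str
    device_managed: bool
    device_compliant: bool
    app: str
    action: str                      # read / write / manage
    resource_label: str              # sensitivity label on the resource (AIP)
    user_clearance: str              # highest label the user may access
    jit_granted_until: Optional[datetime] = None  # active JIT elevation, if any


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)
    effective_role: Optional[str] = None


def verify(req: AccessRequest, now: datetime) -> Decision:
    """Verify-trust: every signal is checked before any access is considered.
    Failures are accumulated so the audit record shows every failed control."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("identity: MFA not satisfied")
    src = ip_address(req.source_ip)
    on_trusted_network = any(src in net for net in TRUSTED_NETWORKS)
    if not on_trusted_network and not req.device_managed:
        reasons.append("location: off-network access requires a managed device")
    if not req.device_compliant:
        reasons.append("device health: device is not compliant")
    if req.app not in APPROVED_APPS:
        reasons.append(f"app: {req.app!r} is not an approved client")
    if reasons:
        return Decision(False, reasons)
    return limit(req, now)


def limit(req: AccessRequest, now: datetime) -> Decision:
    """Limit access: sensitivity (AIP), just-in-time and just-enough-access."""
    reasons = []
    if SENSITIVITY_RANK[req.resource_label] > SENSITIVITY_RANK[req.user_clearance]:
        reasons.append(f"sensitivity: {req.resource_label} exceeds clearance {req.user_clearance}")
    role = LEAST_ROLE_FOR_ACTION.get(req.action)
    if role is None:
        reasons.append(f"privileges: unknown action {req.action!r}")
    elif role == "admin" and (req.jit_granted_until is None or now >= req.jit_granted_until):
        reasons.append("time: admin action requires an active JIT elevation")
    if reasons:
        return Decision(False, reasons)
    # JEA: the grant carries the least role for the action, never more.
    return Decision(True, ["all verify and limit policies satisfied"], effective_role=role)


def demo():
    """Three constructed requests: a clean one, an off-network one without MFA,
    and an admin action whose JIT window has already expired."""
    now = datetime(2020, 1, 1, 9, 0, tzinfo=timezone.utc)
    base = dict(user="alice", mfa_verified=True, source_ip="10.1.2.3",
                device_managed=True, device_compliant=True, app="sharepoint",
                action="read", resource_label="confidential",
                user_clearance="confidential")
    ok = verify(AccessRequest(**base), now)
    risky = verify(AccessRequest(**{**base, "mfa_verified": False,
                                    "source_ip": "198.51.100.7",
                                    "device_managed": False}), now)
    expired = verify(AccessRequest(**{**base, "action": "manage",
                                      "jit_granted_until": now - timedelta(minutes=1)}), now)
    return ok, risky, expired


if __name__ == "__main__":
    for d in demo():
        print(d)
```

Note that the evaluator never returns the requested role; it returns the least role the action needs, which is what just-enough-access means in practice. The reasons list is deliberately complete rather than stopping at the first failure, because the same record feeds the reporting layer described next.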
I might even extend this model to verify-trust-verify by using aggregated reporting, SIEM tools, sign-in data visualization and risk-based reporting to guard against advanced persistent threats (APT). The amount of data continues to be overwhelming, and it is no longer a spreadsheet that a technologist can manipulate by hand to locate and expose the data that matters. Let the machines rise and do it for you!
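The second "verify" in verify-trust-verify is the part machines do well: scanning sign-in records for patterns no one has time to eyeball. As an added example, not from the original post or any particular SIEM product, the script below parses a small constructed sign-in export and flags three common risk signals: a success following a burst of failures, a success without MFA on a legacy client, and successful sign-ins from two countries within a short window. The column names, thresholds and every record are hypothetical.

```python
"""Added example (not part of the original post): risk-based review of
sign-in records, the 'verify' after trust has been granted. The export format,
thresholds and all records below are constructed for illustration."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sign-in export; not real data.
SIGNIN_CSV = """timestamp,user,country,result,mfa,client
2020-01-01T08:00:00,alice,US,success,yes,browser
2020-01-01T08:05:00,bob,US,failure,no,legacy
2020-01-01T08:05:10,bob,US,failure,no,legacy
2020-01-01T08:05:20,bob,US,failure,no,legacy
2020-01-01T08:05:30,bob,US,failure,no,legacy
2020-01-01T08:05:40,bob,US,failure,no,legacy
2020-01-01T08:06:00,bob,US,success,no,legacy
2020-01-01T08:30:00,alice,BR,success,yes,browser
2020-01-01T09:00:00,carol,US,success,yes,browser
"""

FAILURE_BURST = 5                  # consecutive failures before a success is suspicious
TRAVEL_WINDOW = timedelta(hours=2)  # two countries inside this window is suspicious


def parse(text):
    """Parse the CSV export into dicts sorted by time."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
    return sorted(rows, key=lambda r: r["timestamp"])


def risk_findings(rows):
    """Return {user: [finding, ...]} for users with at least one risk signal."""
    findings = defaultdict(list)
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r)
    for user, events in by_user.items():
        failures = 0
        last_success = None
        for e in events:
            if e["result"] == "failure":
                failures += 1
                continue
            # A success ends the failure run; a long run before it is a signal.
            if failures >= FAILURE_BURST:
                findings[user].append(f"success after {failures} consecutive failures")
            failures = 0
            if e["mfa"] == "no":
                findings[user].append(f"success without MFA via {e['client']} client")
            if (last_success is not None
                    and last_success["country"] != e["country"]
                    and e["timestamp"] - last_success["timestamp"] <= TRAVEL_WINDOW):
                findings[user].append(
                    f"sign-ins from {last_success['country']} and {e['country']} "
                    f"within {TRAVEL_WINDOW}")
            last_success = e
    return dict(findings)


if __name__ == "__main__":
    for user, items in risk_findings(parse(SIGNIN_CSV)).items():
        print(user, items)
```

Each finding is a plain string so the output can be dropped straight into a report or a SIEM alert; the point is that the per-user, time-ordered pass does the correlation a spreadsheet cannot.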
Finally, don’t neglect change management. If users are not informed, they will, as always, seek an easier path to accomplish their work, subverting your efforts. Make sure everyone understands not only what the philosophy change is but why it’s happening. A well-informed user is an extra barrier protecting your data.
Nicely done Tad!