Speaking during the Infosecurity Online event Manja Kuchel, senior product marketing manager at SolarWinds, outlined the three key elements of an effective zero-trust approach to security within organizations.
The first is risk assessment, Kuchel said, which involves defining where your sensitive data is located and who should have access to what.
“This is something that no tool can do for you, because this is an internal ‘home work’ type of process,” she explained. “You really need to sit down and analyze your sensitive data; this can be done on a personal, identity or departmental level, depending on the size of the company or title structure.
“This should bring executive-level managers and IT administration together – this needs to be a cross-company approach.”
Once that has element is established, the next step in the zero-trust process focuses on risk management, explained Kuchel. This includes defining access rights, taking into account identities and profiles, the types of resources being accessed and levels of access privilege.
“There are various tools that can help here – but the aim is to manage your risk situation and look into what you can do to limit access rights and limit access to information.”
The third and final step centers around risk containment: detecting, monitoring and responding to incidents.
“You should detect unusual security events; whenever something is happening, a user plugging in a USB stick that is against company policy [for example], you and the user should be alerted. Administrators should then be able to respond to such actions or even block or allow those actions – so not only seeing it, but being able to prevent things from happening.”
This three-step zero-trust cycle is one that never really stops, Kuchel said, and “you should be assessing the risk once a year – that is really something that the organizations should be doing as a regular drill.
“Also, the management of risk should be regularly adjusted in order to ensure people only ever have the correct access rights, as they might change and it needs to be revisited.”
Risk containment is very continuous too, she added, so that should always be up and running.