Organizations need to work out how to apply the principle of zero-trust security to meet their specific requirements, according to a panel speaking at the DTX Cyber Security Mini Summit.
The concept of zero-trust has come into much sharper focus as a result of the shift to remote working during COVID-19, with the traditional approach of having a secure outer perimeter now largely redundant. Thomas Fischer, principal security consultant at FVT SecOps Consulting, noted: “This global pandemic has been a wake-up call for a lot of organizations on how they handle the ability to use systems away from the traditional model of the castle and moat structure – nobody is now stuck to a fixed terminal in a building.”
This has in turn meant that to some extent, organizations have lost control and visibility of their assets, and most crucially of all in the view of Fischer, of their data. “The critical asset is the data – it could be credit card information, intellectual property or source code – any of those things that actually makes your business run,” he said.
Organizational strategies for gaining control over access to data in this new environment are therefore crucial, and have generally centered around the concept of zero-trust. Moderating the panel, Richard Archdeacon, advisory CISO at Duo Security, defined this as “looking at how you can be as confident as possible in identifying the access and reducing the perimeter down to that point of access so we know who you are, where you are and what you’re going to be doing.”
While there is growing understanding of this general principle, the panel acknowledged that there will be different interpretations as to how it will manifest within individual organizations. Alex Morgan, customer support engineer at Duo Security, explained: “Most organizations will have a slightly different view of what zero-trust is or at least what it will mean to them in terms of how they would actually look at implementing it.”
Carefully planning the practical application of zero-trust architecture should therefore be the priority for organizations right now. This strategy needs to start with an “inside out view” according to Archdeacon. “What’s the data, how important is it, what are the risks and threats? Then put the controls around that before looking outwards towards the access,” he outlined.
Similarly, Fischer said that organizations have to define their boundary in a different way – not by an application or technology stack, but “around the data.” He added that boundaries could be very different depending on the type of business; for instance, in financial institutions there are likely to be a number of boundaries, with only certain types of users allowed to access each one.
A major aspect that also needs to be considered now is the growing use of third parties that handle organizations’ data, such as contractors, and in particular the way they access this information. “It’s no longer just users that need to access the information,” observed Fischer.
In the view of Morgan, good internal communication is the key to gaining these insights and delivering an effective zero-trust model. “That’s not necessarily just communication with end users, it’s between the security department and the different parts of the organization. Understanding how different parts of the business work and what their drivers are for getting their work done will really affect the success of implementing a lot of those security controls,” he explained.