Introducing Zero Trust
Earlier this year, US President Joe Biden signed the Executive Order (EO) on improving the nation’s cybersecurity to “identify, deter, protect, detect and respond” to increasingly sophisticated malicious cyber campaigns that threaten both the public and private sectors. A key part of this signed EO is the advancement and implementation of a zero-trust architecture.
The National Institute of Standards and Technology (NIST) defines zero trust as “a set of concepts and ideas designed to minimize uncertainty in enforcing accurate, least-privilege, per-demand access decisions in information systems and services in the face of a network considered compromised”.
In other words, do not entrust your organization’s assets to anyone until they have been verified. The problem is that most organizations are unable to accurately identify who has access to their networks and data, creating vulnerabilities that bad actors around the world take advantage of daily.
“Continued and consistent messaging coming from the executive branch is most certainly driving progress across the federal zero-trust landscape,” Richard Bird, Chief Product Officer at SecZetta and Board Member of the Identity Defined Security Alliance, told Information Security Media Group (ISMG) in a recent GovInfoSecurity article.
“It took a series of executive orders to force federal agencies into the 21st century from a security perspective,” says Bird. “As President Biden said, ‘Incremental improvements won’t give us the security we need; instead, the federal government must make bold changes.’ Our government should have been bold on security a long time ago.”
While few would object to more organizations implementing a zero trust approach, the EO was signed months ago and many questions remain about zero trust and how organizations can adopt it.
Why should my organization adopt a Zero Trust architecture?
Through his leadership roles within the Departments of Defense and Homeland Security, Mike Brown, United States Navy Rear Admiral (Retired), has gained expertise in our country’s cybersecurity and zero trust strategy. During the recent SecZetta webinar, Easy preparation steps to adopt Zero Trust, Rear Admiral Brown explained exactly why every organization needs to embrace Zero Trust as a paradigm shift, using a house analogy.
“You can’t just lock the front door. If you leave the windows open or the back door open, the bad guys can still get in,” says Brown. “We have to lock the windows, the back door, access to all rooms in the house and drawers or any area of storage.”
For decades, organizations have only “secured the house”, a practice that must now be abandoned for never trust, always verify. According to Egress’ Insider Data Breach Survey 2021, 94% of organizations have been impacted by internal data breaches in the past year. We now know that securing the perimeter is not enough to prevent a breach. Each area of an organization should restrict access to only clearly identified and effectively managed users.
“It’s about understanding what’s on the network, who’s on the network, and what’s going on,” says Frank Briguglio, public sector strategist at cloud identity security firm SailPoint. “And until we have a good understanding of that, we can’t make progress on cybersecurity.”
How is Zero Trust related to IAM and IGA tools?
According to global research and consulting firm Gartner, “Identity Governance and Administration (IGA) tools help organizations control access risk, achieve and maintain compliance, and improve efficiency by managing user accounts and rights in infrastructure systems and applications.”
David Pignolet, CEO and founder of identity risk and non-employee lifecycle management software company SecZetta, explains that “identity authorities in an organization should be what drives this access. The what, the when and the who of access are determined by identity authorities.”
In most organizations, the only identity authority is a repurposed human resources system, which should not be confused with a cybersecurity-centric identity management system rooted in zero trust. These systems were created to manage employee benefits and compensation, not the identities of non-employee third parties. That is trying to put the proverbial square peg in a round hole.
Organizations can effectively manage employee and non-employee information with Identity and Access Management (IAM) systems; however, the lack of an authoritative non-employee identity source leaves gaps in zero trust approaches.
“It doesn’t take into account all the context that we need to properly protect access behind this data,” says Pignolet. “It’s a mistake not to take that into account from the start, as well as the population of employees.”
In adopting a Zero Trust architecture, organizations must implement continuous monitoring and validation of each identity in their population and confirm that each identity has the appropriate access and privileges. It is the organization’s responsibility to be aware of all of its accounts and the access granted to them, whether employee, non-employee, third party or non-human, regardless of whether the account is under the organization’s direct control or authority and regardless of the account’s geographical location.
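To make the per-request, identity-authority-driven decision described above concrete, here is an added example (not code from the article, SecZetta, or any of the vendors quoted). It assumes a constructed identity registry playing the role of the authoritative identity source, with employee, non-employee and non-human records, and evaluates every access request against it: unknown identities, identities past their sponsorship end date, and requests for entitlements that were never granted are all denied. A second function performs the continuous-validation sweep, listing identities that should no longer hold access. All identity names, entitlement strings and dates are constructed for illustration.

```python
"""Added example: a minimal zero-trust access decision backed by an
authoritative identity registry. All identities, entitlements and dates below
are constructed; the registry schema is an assumption, not a vendor's API."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Identity:
    """One record in the authoritative identity source (constructed schema)."""
    identity_id: str
    kind: str                          # "employee", "non-employee" or "non-human"
    entitlements: FrozenSet[str]       # least-privilege grants, e.g. "hr-db:read"
    valid_until: Optional[date] = None  # sponsorship/contract end; None = open-ended
    disabled: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


# Constructed registry: an employee, an active contractor, an expired
# contractor and a non-human service account.
REGISTRY: Dict[str, Identity] = {
    "alice": Identity("alice", "employee", frozenset({"hr-db:read", "hr-db:write"})),
    "bob-contractor": Identity("bob-contractor", "non-employee",
                               frozenset({"hr-db:read"}), valid_until=date(2021, 12, 31)),
    "carol-contractor": Identity("carol-contractor", "non-employee",
                                 frozenset({"hr-db:read"}), valid_until=date(2021, 6, 30)),
    "svc-backup": Identity("svc-backup", "non-human", frozenset({"hr-db:read"})),
}

# Constructed "current date" for the request evaluations below.
TODAY = date(2021, 11, 1)


def decide(registry: Dict[str, Identity], identity_id: str,
           entitlement: str, today: date) -> Decision:
    """Evaluate one access request. Every request is checked against the
    identity authority; nothing is inferred from network location or a
    previously established session, which is the "never trust, always
    verify" posture the article describes."""
    ident = registry.get(identity_id)
    if ident is None:
        return Decision(False, "identity not present in authoritative source")
    if ident.disabled:
        return Decision(False, "identity disabled")
    if ident.valid_until is not None and today > ident.valid_until:
        return Decision(False, "identity past its sponsorship end date")
    if entitlement not in ident.entitlements:
        return Decision(False, "entitlement not granted (least privilege)")
    return Decision(True, "granted")


def stale_identities(registry: Dict[str, Identity], today: date) -> List[str]:
    """Continuous-validation sweep: identities whose sponsorship has lapsed
    but that still exist in the registry and should be reviewed or disabled."""
    return sorted(i.identity_id for i in registry.values()
                  if i.valid_until is not None and today > i.valid_until)


if __name__ == "__main__":
    requests = [("alice", "hr-db:write"), ("bob-contractor", "hr-db:write"),
                ("carol-contractor", "hr-db:read"), ("mallory", "hr-db:read"),
                ("svc-backup", "hr-db:read")]
    for who, what in requests:
        d = decide(REGISTRY, who, what, TODAY)
        verdict = "ALLOW" if d.allowed else "DENY"
        print(f"{who:17} {what:12} -> {verdict:5} ({d.reason})")
    print("stale identities:", stale_identities(REGISTRY, TODAY))
```

The point of the example is the shape of the decision, not the toy data: the request carries only an identity and the specific entitlement it wants, the registry (not an HR system repurposed for the job) is the single source of truth for employees, non-employees and non-human accounts alike, and the sweep runs independently of any request so that lapsed third-party access is found rather than waited for.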
Easy preparation steps to adopt Zero Trust
To learn more about the recent Executive Order and its impact on your organization’s adoption of Zero Trust Architecture, visit our zero trust webpage where you can watch the webinar, Easy preparation steps to adopt Zero Trust, with Mike Brown, Frank Briguglio and David Pignolet, moderated by Johanna Baum, CEO and Founder of global cybersecurity and technology consultancy S3.