Increasing pressure on many organizations to meet compliance requirements has resulted in a push to adopt a zero-trust approach. However, for a zero trust implementation to be successful, enterprises must obtain a thorough understanding of the nuances of the framework. That’s what Vanguard Integrity Professionals wrote in this year’s Arcati Mainframe Yearbook.
They went on to say that zero trust is a paradigm shift about how people view security. One of the things needed to communicate back to your management or within the organization is that zero trust can actually automate a lot of the different data protections and governance requirements required of your organization from different geographic locations, whether it is GDPR, the California GDPR requirement, or data privacy requirements. Zero trust can aid in the process of achieving compliance with governance regulations and has the significant added benefit of ensuring better security for transactional activities within your environment.
The reality is that zero access will aid an organization in achieving better security as well as providing cost savings in the long run – and it means the company won’t end up on the front page of a popular magazine or a newspaper article.
Zero trust ensures that when people are connecting to the system and looking at data, they are the proper people to do it. Another idea in zero trust is that I trusted you last time but that doesn’t mean I trust you this time, and I will need to re-evaluate you and verify that you are a trustworthy person or transaction for a resource. There also needs to be trust that the person or transaction is coming from a location that has not increased the risk that you are now providing an attack factor.
A way zero trust can help an organization save money is that many countries around the world are actively working on data protection and data privacy and one of the biggest problems with data protection and data privacy is that it’s responsible for the proliferation of data inside and outside the organization.
Let’s say you’ve got an individual within a bank or a healthcare institution, and they’ve got information that they need to send out, either within the organization or outside the organization. One of the things that zero trust can do is allow you to mark the data that you are sending with a sensitivity label. If somebody has information about my healthcare or my finances and they go to send an email or transfer the data, a zero-trust architecture can look at that data before it leaves your organization and realize that the data contained has privacy or financial data included. In response, it will either refuse to send it out, ensure that it gets categorized properly, and will also ensure that it’s encrypted so that nobody else can get access to that data.
Should there be a difference between an on-premises zero trust and a cloud zero trust? What that’s really asking is: should you be more suspicious of transactions and resources in the cloud than what happens on your network? The answer to that question should always be no. You shouldn’t trust anybody ever. You should always believe that your network has been penetrated and act accordingly.
Not only the threat from people outside the organization. Some of the biggest traces of data have been from people working in the organization. It’s estimated that 35% to 40% of data that is exfiltrated comes from an inside attack and it may be more than that because many organizations do not report it.
As people change jobs within an organization, ensure that there is a defined role with entitlements, which match that user and their job functions. Entitlements can change frequently at some organizations. There are requirements and solutions available such as SOX (Sarbanes-Oxley Act) compliance, which requires a recertification of access on an annual or biannual basis.
Executive management has a fiduciary responsibility to follow the requirements of compliance guidelines. Almost every compliance guideline requires management to go through and review activity logs of users on an ongoing basis to look for suspicious activity and to review violations and respond to them accordingly.
Organizations can use the existing solutions they have in place. They just need to be convinced to use them in a more automated and architectural fashion. In other words, everything’s going to blend together and work together to become a great way to take all of the logs from all the different systems, send them down to a single place for aggregation and correlation to look for those records that indicate a problem has or is occurring.
Learn from the mistakes of large organizations. For example, the Target was breached in 2013. Target had a SIM in-house that alerted them to the fact that they had data leaving their organization (some alerted them twice!). Their security operation centre noticed it and notified the company that there was a potential problem. Target ignored the notification, and the rest is history.
Organizations need to have the right people doing the right things, and that is the zero-trust concept. Don’t trust anybody for anything and that’s really the paradigm shift.
You can read the full article from Vanguard Integrity Professionals here.
No comments:
Post a Comment