Five Ways to Never Trust, Always Verify, in Zero-Trust IT
By Andy Doyle | November 5, 2015
Is your IT like an M&M? Does your security have a hard, crunchy exterior and soft, chewy interior? This M&M approach to security relies on perimeters to keep the bad people out, while applying “trust but verify” to users (and assets, files, programs and data) inside the perimeter. Industry security experts dealing with headline breaches are signalling that this has to change.
It’s a reality of business life that SLAs and “squeaky wheels getting the oil” (think CEO complaining about a broken laptop) take priority over security. When businesses prioritise availability over integrity and confidentiality, security controls and verification can be weak.
Threat sources are increasing as mobile devices are used for work and the line between home and work life blurs. Leading industry observers are calling 2015 the year of Cyberwar, and in most cases the headline breaches are not caused by network breaches but by user breaches such as stolen credentials, where the criminal walks through the front door with a key. Worse still, many breaches are still inside jobs.
According to NIST and Forrester, in approximately 80% of all breaches IT security is the last to know, and is often informed of the breach by third parties. The “trust but verify” model has broken down and a new model of “never trust, always verify”, or Zero Trust IT, has emerged.
So how do you move to a Zero Trust IT model?
Five Things You Can Do To Implement Zero Trust IT
Zero Trust IT is about no longer relying on just a firewall to divide untrusted from trusted, and instead assuming everything “inside” the firewall is also untrusted. IT security has historically been implemented mostly at the network layer, with things like firewalls on the perimeter and on devices. In Zero Trust IT the focus shifts to bring all of IT into the security scope.
An intruder in your IT systems can be likened to an intruder in your house at night. In the dark they need to bump and feel their way around to create a map, and in the process they knock over vases and leave marks on the walls. Detecting these signs of intrusion is the key verification in Zero Trust IT.
To implement Zero Trust IT you need to implement Audit and Compliance controls (like locking doors) and verification (listening for bumps in the night):
Manage users as untrusted entities: use controls to limit and verify user access to applications, systems and data.
Value data above networks: put in place file controls and monitoring.
“Log everything” is the new mantra: make sure your logging systems are trustworthy so rogue users can’t hide their tracks.
Track changes on your systems: receive real-time alerts to limit breaches, and keep historical data for investigations and to support disciplinary procedures.
Take network security up to the end point: today that can be a mobile phone.