Article | July 29, 2020
1. Zero Trust – Demystified
Everyone seems to be talking about Zero Trust in the security world at the moment. Unfortunately there seems to be multiple definitions of this depending on which vendor you ask. To help others understand what Zero Trust is, this white paper covers the key aspects of a Zero Trust model.
1.1. What is Zero Trust
Zero Trust is a philosophy and a related architecture to implement this way of thinking founded by John Kindervag in 2010. What it isn’t, is a particular technology!
There are three key components to a Zero Trust model:
1. User / Application authentication – we must authenticate the user or the application (in cases where applications are requesting automated access) irrefutably to ensure that the entity requesting access is indeed that entity
2. Device authentication – just authenticating the user / application is not enough. We must authenticate the device requesting access as well
3. Trust – access is then granted once the user / application and device is irrefutably authenticated.
Essentially, the framework dictates that we cannot trust anything inside or outside your perimeters. The zero trust model operates on the principle of 'never trust, always verify’. It effectively assumes that the perimeter is dead and we can no longer operate on the idea of establishing a perimeter and expecting a lower level of security inside the perimeter as everything inside is trusted. This has unfortunately proven true in multiple attacks as attackers simply enter the perimeter through trusted connections via tactics such as phishing attacks.
1.2. Enforcing the control plane
In order to adequately implement Zero Trust, one must enforce and leverage distributed policy enforcement as far toward the network edge as possible. This basically means that granular authentication and authorisation controls are enforced as far away from the data as possible which in most cases tends to be the device the user is using to access the data. So in essence, the user and device are both untrusted until both are authenticated after which very granular role based access controls are enforced.
In order to achieve the above, a control plane must be implemented that can coordinate and configure access to data. This control plane is technology agnostic. It simply needs to perform the function described above. Requests for access to protected resources are first made through the control plane, where both the device and user must be authenticated and authorised. Fine-grained policy can be applied at this layer, perhaps based on role in the organization, time of day, or type of device. Access to more secure resources can additionally mandate stronger authentication. Once the control plane has decided that the request will be allowed, it dynamically configures the data plane to accept traffic from that client (and that client only). In addition, it can coordinate the details of an encrypted tunnel between the requestor and the resource to prevent traffic from being ‘sniffed on the wire’.
1.3. Components of Zero Trust and the Control Plane
Enforcing a Zero Trust model and the associated control plan that instructs the data plane to accept traffic from that client upon authentication requires some key components for the model to operate. The first and most fundamental is micro-segmentation and granular perimeter enforcement based on:
Their devices and its security posture
Their Context and other data
The above aspects are used to determine whether to trust a user, machine or application seeking access to a particular part of the enterprise.
In this case, the micro-segmentation technology essentially becomes the control plane. Per the above section, encryption on the wire is a key component of Zero Trust. For any micro-segmentation technology to be an effective control plane, it must:
Enforce traffic encryption between endpoints
Authenticate the user and machine based on their identity and not the network segment they are coming from.
1.4. Zero Trust Technologies
As stated earlier, Zero Trust is an architecture. Other than micro-segmentation, the following key technologies and processes are required to implement Zero Trust:
Multifactor authentication – to enforce strong authentication
Identity and Access Management – to irrefutably authenticate the user / application and the device
User and network behaviour analytics – to understand the relative behaviours of the user and the network they are coming from and highlight any unusual behaviour compared to a pre-established baseline which may indicate a compromised identity
Endpoint security – to ensure that the endpoint itself is clean and will not act as a conduit for an attacker to gain unauthorised access to data
Encryption – to prevent ‘sniffing of traffic on the wire’
Scoring – establishing a ‘score’ based on the perimeters above that will then determine whether access can be granted or not
Apart from the above key components, the following are needed as well:
File system permissions – needed in order to implement role based access controls
Auditing and logging – to provide monitoring capabilities in case unauthorised access is achieved
Granular role based access controls – to ensure access is on a ‘need to know basis only’
Supporting processes – all of the above needs to be supported by adequate operational procedures, processes and a conducive security framework so that the model operates as intended
Mindset and organisational change management – since Zero Trust is a shift in security thinking, a mindset change managed by robust change management is required to ensure the successful implementation of Zero Trust in an organisation.
1.5. Challenges with Zero Trust
So Zero Trust sounds pretty awesome, right? So why haven’t organisations adopted it fully?
As with any new technology or philosophy, there are always adoption challenges. Zero Trust is no different. At a high level, the key challenges in my experience are:
Change resistance – Zero Trust is a fundamental shift in the way security is implemented. As a result, there is resistance from many who are simply used to the traditional perimeter based security model
Technology focus as opposed to strategy focus – since Zero Trust is a model that will impact the entire enterprise, it requires careful planning and a strategy to implement this. Many are still approaching security from the angle that if we throw enough technology at it, it will be fine. Unfortunately, this thinking is what will destroy the key principles of Zero Trust
Legacy systems and environments – legacy systems and environments that we still need for a variety of reasons were built around the traditional perimeter based security model. Changing them may not be easy and in some cases may stop these systems from operating
Time and cost – Zero Trust is an enterprise wide initiative. As such, it requires time and investment, both of which may be scarce in an organisation.
1.6. Suggested Approach to Zero Trust
Having discussed some challenges to adopting a Zero Trust model above, let’s focus on an approach that may allow an organisation to implement a Zero Trust model successfully:
1. Take a multi-year and multi-phased approach – Zero Trust takes time to implement. Take your time and phase the project out to spread the investment over a few financial years
2. Determine an overall strategy and start from there – since Zero Trust impacts the entire enterprise, a well-crafted strategy is critical to ensure success. A suggested, phased approach is:
a. Cloud environments, new systems and digital transformation are good places to start – these tend to be greenfield and should be more conducive to a new security model
b. Ensure zero trust is built into new systems, and upgrades or changes – build Zero Trust by design, not by retrofit. As legacy systems are changed or retired, a Zero Trust model should be part of the new deployment strategy
c. Engage a robust change management program – mindset adjustment through good change management
3. Take a risk and business focus – this will allow you to focus on protecting critical information assets and justify the investments based on ROI and risk mitigation
4. Ensure maintenance and management of the new environment – as with everything, ensure your new Zero Trust deployment is well maintained and managed and does not degrade over time.
To summarise, Zero Trust is a security philosophy and architecture that will change the way traditional perimeter based security is deployed. A key component of it is the control plane that instructs the data plane to provide access to data. Zero Trust dictates that access can only be granted once the user / application and device are irrefutably authenticated and even then this access is provided on a ‘need to know’ basis only. Micro-segmentation is a key technology component of Zero Trust implementation and this paper has stated other key technology components and processes that are needed to implement Zero Trust adequately. This paper has discussed some of the challenges with implementing Zero Trust which include change resistance as well as legacy systems. The paper then provided an approach to implementing Zero Trust which included taking a phased approach based on a sound strategy underpinned by a risk and business focused approach.
Article | February 20, 2020
Technology is reshaping society – artificial intelligence (AI) is enabling us to increase crop yields, protect endangered animals and improve access to healthcare. Technology is also transforming criminal enterprises, which are developing increasingly targeted attacks against a growing range of devices and services. Using the cloud to harness the largest and most diverse set of signals – with the right mix of AI and human defenders – we can turn the tide in cybersecurity. Microsoft is announcing new capabilities in AI and automation available today to accelerate that change. Cybersecurity always comes down to people – good and bad. Our optimism is grounded in our belief in the potential for good people and technology to work in harmony to accomplish amazing things. After years of investment and engineering work, the data now shows that Microsoft is delivering on the potential of AI to enable defenders to protect data and manage risk across the full breadth of their digital estates.
Article | June 18, 2021
In this modern world of technology, ensuring information security is very important for the smooth running of any organization. Unfortunately, there are many information/cyber security threats, including malware, ransom ware, emotet, denial of service, man in the middle, phishing, SQL injection, and password attacks. Whatever your business is, no doubt, it can collapse your business and your dreams. However, the severity of its after-effects depends upon the type of business you do.
As information security threat has become a hurdle for all organizations, companies must implement an effective information security management system. In 2019 alone, the total number of breaches was 1473. It is increasing every year as businesses are doing digital transformation widely. Phishing is the most damaging and widespread threat to businesses, accounting for 90% of organizations' breaches.
This article lets you understand what ISMS is and how it can be effectively implemented in your organization.
Information Security Management System (ISMS)
According to ISO/IEC 27001, Information Security Management System (ISMS) refers to various procedures, policies, and guidelines to manage and protect organizations' information assets. In addition, the system also comprises various other associated resources and activities frameworks for information security management.
Organizations are jointly responsible for maintaining information security. People responsible for security in an organization ensure that all employees diligently meet all policies, guidelines, and other objectives regarding protecting information. Also, they safeguard all assets of the organization from external cyber threats and attacks.
The goal and objective of the system are to protect the confidentiality, integrity, and availability of assets from all threats and vulnerabilities. Effectively implementing an information security management system in your organization avoids the possibility of leaking personal, sensitive, and confidential data and getting exposed to harmful hands. The step-by-step implementation of ISMS includes the process of designing, implementing, managing, and maintaining it.
Implementing ISMS in Organizations
The standard for establishing and maintaining an information security management system in any organization is ISO 27001. However, as the standard has broad building blocks in designing and implementing ISMS, organizations can shape it according to their requirements.
Effectively implementing ISMS in organizations in compliance with ISO 27001 lets you enjoy significant benefits. However, an in-depth implementation and training process has to be ensured to realize these benefits comprehensively. Therefore, let us look into how an information security management system can be successfully implemented in your organization.
The first step in implementing ISMS is identifying the assets vulnerable to security threats and determining their value to your organization. In this process, devices and various types of data are listed according to their relative importance. Assets can be divided across three dimensions: confidentiality, integrity, and availability. It will allow you to give a rating to your assets according to their sensitivity and importance to the company.
Confidentiality is ensuring that the assets are accessed by authorized persons only.
Integrity means ensuring that the data and information to be secured are complete, correct, and safeguarded thoroughly.
Availability is ensuring that the protected information is available to the authorized persons when they require it.
Policies and Procedures and Approval from the Management
In this step, you will have to create policies and procedures based on the insights you got from the first step. It is said to be the riskiest step as it will enforce new behaviors in your organization. Rules and regulations will be set for all the employees in this step. Therefore, it becomes the riskiest step as people always resist accepting and following the changes. You also should get the management approval once the policies are written.
Risk assessment is an integral part of implementing an Information Security Management System. Risk assessment allows you to provide values to your assets and realize which asset needs utmost care. For example, a competitor, an insider, or a cybercriminal group may want to compromise your information and steal your information. With a simple brainstorming session, you can realize and identify various potential sources of risk and potential damage. A well-documented risk assessment plan and methodology will make the process error-free.
In this step, you will have to implement the risk assessment plan you defined in the previous step. It is a time-consuming process, especially for larger organizations. This process is to get a clear picture of both internal and external dangers that can happen to the information in your organization.
The process of risk treatment also will help you to reduce the risks, which are not acceptable. Additionally, you may have to create a detailed report comprising all the steps you took during the risk assessment and treatment phase in this step.
If you want effectively implement all the policies and procedures, providing training to employees is necessary. To make people perform as expected, educating your personnel about the necessity of implementing an information security management system is crucial. The most common reason for the failure of security management failure is the absence of this program.
Once policies and procedures are written, and necessary training is provided to all employees, you can get into the actual process of implementing it in your organization. Then, as all the employees follow the new set of rules and regulations, you can start evaluating the system's effectiveness.
Monitoring and Auditing
Here you check whether the objectives set were being met or not. If not, you may take corrective and preventive actions. In addition, as part of auditing, you also ensure all employees are following what was being implemented in the information security management system. This is because people may likely follow wrong things without the awareness that they are doing something wrong. In that case, disciplinary actions have to be taken to prevent and correct it. Here you make sure and ensure all the controls are working as you expected.
The final step in the process of implementing an information security management system is management review. In this step, you work with the senior management to understand your ISMS is achieving the goals. You also utilize this step to set future goals in terms of your security strategy.
Once the implementation and review are completed successfully, the organization can apply for certification to ensure the best information security management practices.
Organizations benefit from implementing and certifying their information security management system. The organization has defined and implemented a management system by building awareness, training employees, applying the proper security measures, and executing a systematic approach to information security management. Thus implementation has the following benefits:
Minimized risk of information loss.
The increased trust of customers in the company as the company is ISO/IEC 27001 certified.
Developed competencies and awareness about information security among all employees
The organization meets various regulatory requirements.
Frequently Asked questions
What are the three principles of information security?
Confidentiality, integrity, and availability (CIA) are the three main principles and objectives of information security. These are the fundamental principles and the heart of information security.
How does information security management work?
Information security management works on five pillars. The five pillars are assessment, detection, reaction, documentation, and prevention. Effective implementation of these pillars determines the success of the information security management in your company.
What are the challenges in information security management?
Challenges in information security management in your company can be the following:
You can’t identify your most critical data
Policies aren’t in place for protecting sensitive information.
Employees aren’t trained in company policies.
Technology isn’t implemented for your policies.
You can’t limit vendor access to sensitive information.
Article | March 30, 2020
A decade ago, Stuxnet pulled me into the accelerating, widening gyre of cybersecurity. I began to devote less time to global health, a topic on which I spent the previous decade developing familiarity and producing a large carbon footprint. I would frown when cybersecurity analysis borrowed concepts from public health, thinking, “if they only knew the life-and-death troubles that health practitioners face implementing those concepts.” Cybersecurity and public health are different challenges. Yet, the COVID-19 pandemic has cybersecurity relevance because it has generated sobering reminders of long-standing problems, unresolved controversies, and unheeded warnings that continue to characterize U.S. cybersecurity.