Intelligent CIO North America Issue 18 | Page 84

FINAL WORD
ABOUT THE AUTHOR
Joseph Carson is the Chief Security Scientist and Advisory CISO for ThycoticCentrify, a leading provider of cloud identity security solutions formed by the merger of privileged access management (PAM) leaders Thycotic and Centrify. Carson has over 25 years’ experience in enterprise security, is the author of Privileged Account Management for Dummies and Cybersecurity for Dummies, and is a cybersecurity professional and ethical hacker. He is a cybersecurity advisor to several governments and the critical infrastructure, financial and transportation industries.
In hybrid working environments, employees don’t want to be constantly interrupted by security controls.
measures that vary based on factors such as the user’s device or the systems and information they access. Think of Zero Trust as a digital polygraph test that adapts to the risk potential of each interaction and – if implemented properly – authenticates users with as little friction as possible.
While we’ve been hearing about Zero Trust for a few years, it would be a mistake to think of the concept as a typical security solution. Rather than a list of boxes to be ticked off, it is more a mindset guiding each organization down a unique path determined by their individual infrastructure and objectives. It is about forcing attackers into taking more risks.
Key to Zero Trust is the ability to adapt security measures and verify authorization at every point, and there are a number of technologies and techniques that can minimize impact to users. Single Sign-On (SSO), for example, significantly reduces friction because users only have to be verified once to gain access to different systems and information. However, it is important that passwords are not the only security controls.
PAM and EPM provide strong controls
Strong privilege controls are a vital element in reducing risk. A comprehensive Privileged Access Management (PAM) solution allows organizations to adopt the principle of least privilege, so that users can only access the data and applications they need.
In particular, PAM controls the privileges of admin accounts which adversaries target to gain full access to systems. It also controls access to valuable or sensitive information by privileged users who are targets for cybercriminals.
Endpoint Privilege Management (EPM) is an important tool that addresses risks associated with local admin access exploited by ransomware and other threats. EPM combines application control and PAM so only trusted, known applications can be run on user devices. It allows security to be adaptive and evolve to address new threats as opposed to relying on usernames and passwords and trusting users to always do the right thing.
Multi-Factor Authentication (MFA) is also an effective way to enforce adaptive authentication and has become very user-friendly in recent years thanks to biometrics. When users act suspiciously, such as attempting to access assets they don’t usually need, or logging in from new devices or locations, they can be challenged and have to verify themselves. With MFA, behavior can be continuously monitored in the background and additional verification required when a user exceeds their risk score limit.
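The risk-score step-up described above, sketched as an added example (not code from the article or from any vendor product). The signal weights, the limit of 50, the sample data and all names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed weights per signal and an assumed per-session limit (illustrative values).
WEIGHTS = {"new_device": 30, "new_location": 25, "unusual_asset": 20}
RISK_LIMIT = 50


@dataclass
class Baseline:
    """What is normal for one user: known devices, locations and assets."""
    devices: set
    locations: set
    assets: set


@dataclass
class Session:
    baseline: Baseline
    score: int = 0
    seen: set = field(default_factory=set)  # (signal, value) pairs already counted

    def observe(self, device: str, location: str, asset: str) -> str:
        """Score one access request; return 'allow' or 'challenge'."""
        checks = [
            ("new_device", device, self.baseline.devices),
            ("new_location", location, self.baseline.locations),
            ("unusual_asset", asset, self.baseline.assets),
        ]
        for signal, value, known in checks:
            # Count each anomaly once so repeated requests don't inflate the score.
            if value not in known and (signal, value) not in self.seen:
                self.seen.add((signal, value))
                self.score += WEIGHTS[signal]
        return "challenge" if self.score > RISK_LIMIT else "allow"

    def mfa_passed(self, device: str, location: str) -> None:
        """After a successful MFA challenge, trust this context and reset the score."""
        self.baseline.devices.add(device)
        self.baseline.locations.add(location)
        self.score = 0


def demo() -> list:
    # Constructed sample data: one user's baseline and four access requests.
    s = Session(Baseline({"laptop-1"}, {"NYC"}, {"crm", "mail"}))
    out = [s.observe("laptop-1", "NYC", "crm")]            # all known
    out.append(s.observe("laptop-1", "NYC", "payroll"))    # unusual asset only
    out.append(s.observe("phone-9", "Lisbon", "payroll"))  # new device and location
    s.mfa_passed("phone-9", "Lisbon")
    out.append(s.observe("phone-9", "Lisbon", "mail"))     # context now trusted
    return out
```

A single unusual signal stays below the limit and causes no interruption; the challenge fires only when several signals accumulate within the session.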
A journey made one step at a time
Of course, no organization can ever be made 100 percent secure. Zero Trust, like security, is a journey which is best made one step at a time based on clear objectives. It requires a solid understanding of the value of an organization’s assets and a risk assessment of potential impacts. And, in a changing environment, this process should be dynamic, not just an annual audit.
Organizations then need to decide what controls will achieve the biggest risk reduction and break their Zero Trust strategy down into steps. Start with smaller use cases to get quick wins, and build on early successes to gain support and acceptance to protect the entire organization. A mature Zero Trust implementation will extend from endpoint systems and cloud environments to the supply chain and whatever the future brings.
At every step of the way, risk reduction must be achieved without increased friction for users. That is particularly important in supporting a hybrid work environment so employees can remain as productive as possible. And while users may thank you for it, Zero Trust strategies will have the opposite effect on threat actors, making it as difficult as possible for them to achieve their objectives and far more likely that they will be identified and their exploits averted.