Zero Trust
The premise of zero trust is that a network architecture or framework is more secure if each component in the network distrusts every other component; it assumes and treats all inter-device comms, internal and external traffic as if it had already bypassed some security measures.
As perimeter networking – castle and moat – becomes unrealistic and is overtaken by ‘borderless’ networking, cloud deployment becomes the norm. There are changes to WoW – from desktops connected via Ethernet cable (messy cable trays hanging around the workplace), to wireless (yes! neater), to virtualisation, then to cloud (the new network edge; this cannot be adequately mopol’d (think MObile POLice) using implicit trust or perimeter networking), to BYOD, WFH, the transient coffee-shop workplace, IoT etc.
So, the gig is: only trust to the extent you can verify, and make context-aware decisions. Assume threat until inspected, verified, and secured. Design access controls in real time based on dynamic conditions (ephemeral creds)…chikina!!!
Yes, it is no longer the digital transformation that IT has been buzzing us with for years now, but Security Transformation. Regardless of a user’s role, each request must be carefully authenticated and authorised. Perhaps I need your permission to redefine a user’s request as a composite model consisting of: a) user identity, b) device health at a point in time, then c) the application to access. With these 3 key control points, ZTM can be easily attained – these require orgs to carefully look at their IAM strategy, SIEM tooling, IMS (Inventory Management System) platform, Application Access Control tools, and Logging, Monitoring and Alerting tools in order to automate security and compliance.
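To make the composite request model concrete, here is an added example (not from the original post or any product) of a default-deny, per-request decision over the three control points, issuing a short-lived grant on success. The application names, groups, 15-minute posture window and 5-minute grant lifetime are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Every name, threshold and policy entry here is a constructed assumption.
MAX_POSTURE_AGE = timedelta(minutes=15)  # device health is only valid "at a point in time"
GRANT_TTL = timedelta(minutes=5)         # ephemeral credential lifetime

# Constructed policy: application -> allowed groups, and whether a managed device is required
APP_POLICY = {
    "payroll": {"groups": {"finance"}, "managed_only": True},
    "wiki": {"groups": {"finance", "engineering"}, "managed_only": False},
}

@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool
    groups: frozenset
    device_managed: bool
    device_compliant: bool
    posture_checked_at: datetime
    app: str

def decide(req: Request, now: datetime):
    """Return (allowed, reason, expires_at). Nothing is trusted by default."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown application", None
    # a) user identity: strong authentication, then authorisation for this app
    if not req.mfa_verified:
        return False, "identity not strongly authenticated", None
    if not (req.groups & policy["groups"]):
        return False, "user not authorised for application", None
    # b) device health at a point in time: reject stale or future-dated posture reports
    age = now - req.posture_checked_at
    if age < timedelta(0) or age > MAX_POSTURE_AGE:
        return False, "device posture stale", None
    if not req.device_compliant:
        return False, "device not compliant", None
    # c) the application to access: sensitive apps demand a managed device
    if policy["managed_only"] and not req.device_managed:
        return False, "application requires managed device", None
    # Allow, but only for a short window; the next request is evaluated again.
    return True, "allow", now + GRANT_TTL
```

The reason string returned on every deny is what you would ship to logging and alerting, so each refusal can be traced to the control point that triggered it.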
Next step: we will deep dive into each of the above-mentioned control points. The diagram above will guide the overall discussion.
Thanks for stopping by…