I’m guessing Sam Cooke wasn’t intending to describe twenty-first century cybersecurity when he sang, “This is a mean old world to live in all by yourself,” but he certainly captured the sentiment of CIOs and CISOs struggling to make sense of the ever-growing landscape of security vendors and threats. Fortunately, with a zero trust framework by your side, you’re not all by yourself. “Zero trust” is a set of guiding principles that can help simplify and strengthen your cybersecurity defenses, and it’s never been easier to get started. Securing devices and users is a convenient and impactful way to begin implementing a zero trust framework.
Zero trust embodies the idea that instead of relying on perimeter defenses that implicitly trust whatever is inside them (e.g., firewalls, DMZs), companies need interlinked security measures spanning their ecosystems that enforce policy on every request based on user context, data access controls, and device posture. Simply put, zero trust is a framework for a “never trust, always verify” approach to cybersecurity.
Coined by Forrester over a decade ago, the original concept of zero trust was ahead of its time, but today technology has caught up: providers are weaving formerly dispersed security products together into dynamic, context-aware offerings that adapt in real time as employees change, technologies develop, and threats evolve.
When deployed effectively, the zero trust framework gives companies the ability to monitor and defend against the lateral movement of malicious actors and code that has rendered perimeter defenses inadequate. Attacks that depend on a foothold inside the perimeter or on abused credentials—command-and-control, cryptojacking, ransomware, and the phishing and social engineering that typically deliver them—can be detected and contained earlier, saving companies an average of $2.3 million per incident.
While deploying a comprehensive framework like zero trust may sound intimidating, it needn’t be. Zero trust is designed to simplify and consolidate security deployments, and it can be built out incrementally, leveraging existing solutions that have adapted to this new era of interoperability.
During a recent interview with the Security Intelligence Podcast, Chase Cunningham, the principal analyst with the security and risk team at Forrester, shared his belief that the easiest place to start implementing zero trust is with devices and users. These are the primary points where most breaches actually start, and by eliminating the really easy, simple stuff—bad passwords, the absence of multi-factor authentication (MFA), the unpatched systems that touch your networks, and all of the basic security hygiene issues that users and devices cause—companies can eliminate a large part of the problem. With more employees working remotely today than ever before, the attack surface for potential threats has grown much faster than the endpoint security measures in place at most companies.
To confirm that your endpoint management solution meets the requirements of zero trust, evaluate whether it builds digital trust: does it give the right user, under the right conditions, the right access to the right data, and does it integrate with your broader ecosystem?
The Right User
An essential element of ensuring that you’re dealing with the “right user” is the creation of user roles and corporate access policies (privilege controls) that are assigned and deployed to groups of users within your organization. Defining these role profiles and policies dynamically allows access to company resources to be authenticated, granted, and revoked in real time as a user’s role changes.
The Right Conditions
Zero trust deployments should be able to analyze contextual factors that specify the conditions under which data may be transmitted and used. Contextual behavior analytics weigh a variety of signals (where employees are logging in from, what files they’re attempting to access, the frequency of their requests, etc.) to surface anomalies and identify potential threats. The same contextual data should feed risk-based profiling and conditional access, so that corporate policies are informed and enforced in real time rather than at login alone.
The Right Access
Once users and permissions are defined, company data still has to reach a distributed web of company-owned and employee-owned laptops, cell phones, tablets, and IoT devices so that resources are always available to your employees. Requiring VPN or per-app tunnels, device certificates, and access gateways, and encrypting data in transit, limits exposure on the wire; containers deployed on each endpoint keep company and personal data separate and allow the corporate side to be managed (and wiped) independently.
The Right Data
Data distributed to endpoints should support employee productivity while limiting the risk of exposure. Employees will need access to a multitude of applications, and you will need a management layer that blocks malicious downloads and connections to untrusted third-party app stores. To streamline access to approved (allowlisted) applications while protecting them, single sign-on can be combined with mobile threat defense, anti-malware software, and automated patch management.
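The four checks above (right user, right conditions, right access, right data) are easiest to see as a single policy decision made on every request. The following is an added illustration, not code from the article or from IBM Security MaaS360: a small hypothetical conditional-access engine in which a role must grant the requested action on the resource, hard device-posture failures (unmanaged, no valid certificate, unencrypted, unpatched) deny outright, and softer contextual signals (unexpected country, a burst of requests, a write to a protected resource) require a fresh MFA step-up instead. All roles, resources, thresholds and sample devices are constructed for the example.

```python
"""Hypothetical conditional-access policy engine (added example, not MaaS360 code).

Ties together the four checks named in the text: the right user (a role grants
the action), the right conditions (device posture, location, request rate),
the right access (step-up MFA for risky requests) and the right data
(per-resource policy). All names, thresholds and sample data are constructed.
"""
from collections import deque
from dataclasses import dataclass
from enum import Enum
from typing import Deque, Dict, FrozenSet, List, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up_mfa"   # continue only after a fresh MFA challenge
    DENY = "deny"


@dataclass(frozen=True)
class User:
    user_id: str
    roles: FrozenSet[str]
    mfa_completed: bool       # fresh MFA already completed in this session


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool             # enrolled in UEM
    cert_valid: bool          # device certificate from corporate PKI still valid
    disk_encrypted: bool
    os_patch_age_days: int    # days since the last OS patch


@dataclass(frozen=True)
class Context:
    country: str
    request_ts: float         # epoch seconds
    resource: str
    action: str               # "read" or "write"


# Constructed policy data: role -> resource -> permitted actions.
ROLE_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "finance":    {"finance/ledger": {"read", "write"}},
    "engineer":   {"src/repo": {"read", "write"}},
    "contractor": {"src/repo": {"read"}},
}
ALLOWED_COUNTRIES = {"US", "CA", "DE"}
MAX_PATCH_AGE_DAYS = 30
RATE_WINDOW_S = 60
RATE_LIMIT = 20               # requests per window before the rate is anomalous


class PolicyEngine:
    def __init__(self) -> None:
        self._history: Dict[str, Deque[float]] = {}

    def _rate_anomalous(self, user_id: str, ts: float) -> bool:
        """Sliding-window request counter per user; True once the limit is exceeded."""
        window = self._history.setdefault(user_id, deque())
        window.append(ts)
        while window and ts - window[0] > RATE_WINDOW_S:
            window.popleft()
        return len(window) > RATE_LIMIT

    def evaluate(self, user: User, device: Device, ctx: Context) -> Tuple[Decision, List[str]]:
        reasons: List[str] = []
        anomalous = self._rate_anomalous(user.user_id, ctx.request_ts)  # record every request

        # Right user / right data: some role must grant this action on this resource.
        permitted: Set[str] = set()
        for role in user.roles:
            permitted |= ROLE_POLICY.get(role, {}).get(ctx.resource, set())
        if ctx.action not in permitted:
            return Decision.DENY, [f"no role grants {ctx.action} on {ctx.resource}"]

        # Device posture: hard requirements, fail closed.
        if not device.managed or not device.cert_valid:
            return Decision.DENY, ["device not enrolled or certificate invalid"]
        if not device.disk_encrypted:
            return Decision.DENY, ["disk not encrypted"]
        if device.os_patch_age_days > MAX_PATCH_AGE_DAYS:
            return Decision.DENY, [f"OS patch age {device.os_patch_age_days}d exceeds {MAX_PATCH_AGE_DAYS}d"]

        # Right conditions: contextual signals that raise risk rather than forbid outright.
        if ctx.country not in ALLOWED_COUNTRIES:
            reasons.append(f"login from unexpected country {ctx.country}")
        if anomalous:
            reasons.append("request rate anomaly")
        if ctx.action == "write":
            reasons.append("write to protected resource")

        # Right access: risky requests proceed only behind a fresh MFA challenge.
        if reasons and not user.mfa_completed:
            return Decision.STEP_UP, reasons
        return Decision.ALLOW, reasons


if __name__ == "__main__":
    engine = PolicyEngine()
    alice = User("alice", frozenset({"finance"}), mfa_completed=False)
    laptop = Device("lt-01", managed=True, cert_valid=True, disk_encrypted=True, os_patch_age_days=7)
    print(engine.evaluate(alice, laptop, Context("US", 1000.0, "finance/ledger", "read")))
    print(engine.evaluate(alice, laptop, Context("US", 1001.0, "finance/ledger", "write")))
    stale = Device("lt-02", managed=True, cert_valid=True, disk_encrypted=True, os_patch_age_days=45)
    print(engine.evaluate(alice, stale, Context("US", 1002.0, "finance/ledger", "read")))
```

Two design points carry over to a real deployment: posture failures deny before any contextual reasoning runs (an unpatched, unencrypted device never gets to argue its case), and the engine records every request in the rate window even when the request is later denied, since a burst of denials is itself a signal worth feeding to the broader security ecosystem.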
Once you have confirmed that your endpoint management solution builds digital trust, you must ensure that it can integrate with your broader security ecosystem, so that posture and risk signals from one tool can inform the policies enforced by another. This interoperability is essential to a zero trust deployment because it is what allows dynamic security policies to be enforced in real time.
IBM Security is a market leader in context-driven zero trust security services and offers a rich portfolio of integrated products and services to facilitate the transition to zero trust.
IBM’s Unified Endpoint Management (UEM) solution, IBM Security MaaS360, is an ideal place to start your transition to zero trust, as it can help enforce digital trust across your devices and integrate with your broader security ecosystem.
Who knows, if Sam Cooke had known how easy it was to take the first step in deploying zero trust, he might have sung a different tune….