A Practical Approach To Zero Trust

May 14, 2020

Zero Trust security is becoming mainstream in the cyber security world. Phil Allen and Baber Amin, with Ping Identity, spend this session focusing on how to achieve a Zero Trust framework that supports business and digital transformations.

Champions Of Identity

Phil Allen, Ping Identity VP, calls Ping “Champions of identity.” He continues: “We want to help people get the most out of the identities that they hold within their organizations, whether those are employees, whether those are business partners, or whether those are the consumer identities that they're managing on a day-to-day basis.” One of the keys to Ping’s success is their attention to the interactive digital experience. In fact, over 60% of the Fortune 100 organizations use Ping to help them get the most out of the identities that they manage.

What Is Zero Trust?

Traditionally, the network is considered a friendly, safe place. Zero Trust assumes that potential threats exist inside and outside the network at all times. Trusting nothing ensures that every device, user, and network flow is authenticated and fully authorized. Zero Trust means giving the right entities access to the right information at the right time.

With the expansion of remote working, cloud environments, and API utilization, traditional methods of security don’t work. COVID-19 is highlighting the need for remote access and for fixing the bottlenecks that exist around firewalls and VPN access. However, this issue is not new. Current digital transformation efforts are removing the corporate digital divide, and with it comes a viable security framework. Zero Trust ensures that access is provided securely and remotely, with continual authorization and authentication.

Digital Trust And Digital Risk

Digital trust is dynamic. It is not tied to ownership or control. It is ephemeral, should only be used for a minimal and necessary amount of time, and for the purpose it was intended for.

Digital risk, on the other hand, is a variable level of security confidence. It is assigned by matching risk with risk tolerance to create a risk profile.

Defense In Depth

The Zero Trust process relies on some basic principles. Defense in depth starts with identification and authentication before issuing authorization. Data security elements encompass data at rest, data in motion, and the granting of access to data. Data privacy regulation comes into play here as well.

The Zero Trust Journey

Remembering that Zero Trust is a philosophy, each organization is going to interpret Zero Trust principles in a way that works best for that organization. It is for this reason that Baber Amin warns against vendors offering a one-size-fits-all Zero Trust solution. Instead, Ping Identity starts with the basics. Fix your authentication and identification. Make them central and flexible. Make sure they are pluggable and extensible.

The Zero Trust solution is not static. It is supportive of both current and future application needs. A vendor partner should grow with you and adapt to your needs.

Next, leverage all possible risk signals. Gather as much context as possible. Making strong authorization decisions can create friction, but the information necessary to keep the network safe isn’t being stored or sold. Weak authorization decisions that avoid friction can lead to asking users to jump through multiple hoops later for the sake of adding back that layer of security. Plus, it doesn’t work.

Adding The Right Amount Of Friction

After the user is identified, how do you bring multi-factor authentication into the mix? It needs to be done intelligently. Your MFA must be as transparent as you can make it. Baber Amin elaborates: “Make sure that you support where your users are. [Don’t] force the users to adapt to your policies, or don't make the users adapt to your systems, but make sure that you help your users achieve the right level of productivity … by meeting them where they are and how they're interacting with your systems.”

Reducing reliance on passwords as primary factors is key. Passwords are the easiest vector for purposeful or inadvertent breaches.
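As an added illustration (not code from the session or from Ping Identity), the following Python sketches a policy decision point that matches the risk signals the speakers describe against a per-resource risk tolerance, steps up to MFA only when the risk warrants the friction, and treats trust as ephemeral by re-scoring sessions that have outlived their trust window. The signal names, weights, thresholds and trust window are all assumed values chosen for the example.

```python
from dataclasses import dataclass, field
from typing import List

# Assumed, constructed signal set: names and weights are illustrative.
RISK_WEIGHTS = {
    "unmanaged_device": 40,
    "new_location": 25,
    "impossible_travel": 60,
    "stale_session": 20,   # last authentication older than the trust window
}

# Risk tolerance per resource sensitivity: the "risk profile" from the text.
# Score below the first value: allow; from the first up to the second: step-up MFA;
# at or above the second: deny. Thresholds are assumed values.
TOLERANCE = {
    "low":    (50, 90),
    "medium": (30, 70),
    "high":   (10, 50),
}

# Digital trust is ephemeral: after this window a session is treated as stale
# and must earn access again (assumed window of 15 minutes).
TRUST_WINDOW_SECONDS = 15 * 60


@dataclass
class AccessRequest:
    user: str
    resource_sensitivity: str          # "low" | "medium" | "high"
    seconds_since_auth: int            # age of the current authentication
    signals: List[str] = field(default_factory=list)


def risk_score(req: AccessRequest) -> int:
    """Sum the weights of observed risk signals; unknown signals are ignored."""
    observed = set(req.signals)
    if req.seconds_since_auth > TRUST_WINDOW_SECONDS:
        observed.add("stale_session")   # expired trust adds risk
    return sum(RISK_WEIGHTS.get(s, 0) for s in observed)


def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step_up_mfa' or 'deny' by matching risk to tolerance."""
    allow_below, deny_at = TOLERANCE[req.resource_sensitivity]
    score = risk_score(req)
    if score >= deny_at:
        return "deny"
    if score >= allow_below:
        return "step_up_mfa"    # add friction only where the risk justifies it
    return "allow"
```

The same request scores differently as its authentication ages, which is the continual re-authorization the session describes rather than a one-time gate at login.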

Final Thoughts

A Zero Trust strategy involves multiple pieces. A single vendor isn’t right for every stop along the Zero Trust journey. The session wraps up with a three-part summary: make sure identity is your control plane, apply those controls in a seamless and consistent manner, and enable your users to work remotely in a manner that is secure.

During the Q&A segment, Phil and Baber answer attendee questions on topics such as the role VPS plays in a Zero Trust environment, low-investment Zero Trust implementation, how to get buy-in from executive teams, and more.

In order to hear the answers to these questions and get the most of this session, please go to the Cyber Security Digital Summit page, register, and then follow the link sent to your inbox.

Read the original article and additional information at Cyber Security Hub