Security

Creating and managing a zero-trust security framework


Whereas traditional security mechanisms assume identities and devices inside a network can be trusted, the zero-trust…

“;
}
});

/**
* remove unnecessary class from ul
*/
$(“#inlineregform”).find( “ul” ).removeClass(“default-list”);

/**
* Replace “errorMessageInput” class with “sign-up-error-msg” class
*/
function renameErrorMsgClass() {
$(“.errorMessageInput”).each(function() {
if ($(this).hasClass(“hidden”)) {
$(this).removeClass(“errorMessageInput hidden”).addClass(“sign-up-error-msg hidden”);
} else {
$(this).removeClass(“errorMessageInput”).addClass(“sign-up-error-msg”);
}
});
}

/**
* when validation function is called, replace “errorMessageInput” with “sign-up-error-msg”
* before return
*/
function validateThis(v, form) {
var validateReturn = urValidation.validate(v, form);
renameErrorMsgClass();
return validateReturn;
}

/**
* DoC pop-up window js – included in moScripts.js which is not included in responsive page
*/
$(“#inlineRegistration”).on(“click”,”a.consentWindow”, function(e) {
window.open(this.href, “Consent”, “width=500,height=600,scrollbars=1”);
e.preventDefault();
});

security model operates on the basis that no internal or external user or device can ever be trusted by default.

The zero-trust concept was first introduced by Forrester Research in 2010. After Google and Cisco implemented it, the authentication and authorization method has grown in popularity.

Zero trust is a key concept in identity and access management (IAM) and is structured to limit a hacker’s access to an enterprise network.

“The need for a zero-trust security model has arisen in part because enterprises no longer tend to host data in-house but rather through a variety of platforms and services which reside both on and off premises with a host of employees and partners accessing applications via a range of devices in diverse geographical locations,” said Kevin Curran, Institute of Electrical and Electronics Engineers (IEEE) senior member and professor of cybersecurity at Ulster University in Ireland.

Simply put, “the traditional security model is no longer fit for purpose,” Curran said.

Here, Curran explains how enterprises can get started on the path to zero trust and offers insights into the challenges associated with zero-trust security frameworks.

Editor’s note: This interview has been edited for length and clarity.

How should an enterprise create and update a zero-trust security framework?

Kevin CurranKevin Curran

Kevin Curran: For zero-trust security to be effective, it requires new approaches, such as using network segmentation or microsegmentation based on users and locations. It requires enforcement of identity and access management, next-gen firewalls, orchestration, multifactor authentication (MFA) and file system permissions.

A zero-trust security framework can be introduced into an enterprise by:

  • Updating network security policies. Security policies need to be reviewed and audited for vulnerabilities and be tested regularly.
  • Validating each device logging in to the network. This is enforced through strong authentication mechanisms. It is also important to adopt the principle of least privilege for each user.
  • Implementing network segmentation. A variety of network, perimeter and microsegmentation will help secure the network.
  • Requiring MFA. Each user must proceed through this additional step in authentication.
  • Periodically reviewing user access. This prevents against slippage in the authenticated user base.

What are the challenges associated with zero-trust security models?

Curran: The zero-trust security framework is reliant on strong governance processes to secure an enterprise IT environment — therein lies the challenge as, in many cases, it forces enterprises to enforce new processes across the organization. This is never easy.

Another challenge is that employees may not take kindly to the added burdens of accessing machines and the reduced access levels enforced by the principle of least privilege.

There is a battle to change mindsets, especially among experienced staff. An institutional change with regards to security is needed. There is also effort involved in the technical realm, such as rolling out microsegmentation, which requires the reconfiguration of IP data to ensure there will be no interruption in the day-to-day environment. This is why it is important to have the CISO, CIO and senior management on board from the start to ensure success.


Source link

Tags

About the author

GG

Add Comment

Click here to post a comment

Your email address will not be published. Required fields are marked *

Do NOT follow this link or you will be banned from the site!