TRUST has always been a dangerous commodity in IT. In the era of cloud computing and work from anywhere, in which attacks grow continually more sophisticated and defensible perimeters no longer exist, it’s a luxury that neither channel pros nor their customers can afford. Businesses today need a new approach to protecting information and assets that many experts call “zero-trust security.”
At a recent SMB Forum event, ChannelPro asked three experienced providers of cybersecurity services to explain exactly what that term means and how to put it into practice with end users. Here are their thoughts on three fundamental questions about a critical concept.
1. What is zero-trust security?
More than a specific technology, or even a set of them, zero-trust security is a mindset in which no person, process, application, or endpoint—inside or outside the network—is considered implicitly trustworthy, and every attempt to access any resource must prove that it comes from a legitimate source with appropriate privileges.
“I think about it in terms of authentication,” says Michael O’Hara, principal consultant at MEDSEC Privacy Consulting, a healthcare industry cybersecurity service provider. “What you’re really looking at is who’s trying to access the data, who or what has the ability and the rights to access the data, and how is that being monitored so that at any given time a person trying to access a workload, whether it’s in the cloud or on-prem, is authenticated and validated.”
That, in turn, is fundamentally an exercise in defining, setting, and enforcing sound policies, according to Bruce McCully, chief security officer at Nashville, Tenn.-based Galactic Networks, a managed security services provider. “What we’re doing with our partners and other MSPs to help them protect themselves is really help them get to a point where they’re managing these different policies and basically monitoring them for changes and abuse, rather than just throwing on more and more agents and hoping that the next anti-virus is going to protect them,” he says.
O’Hara stresses the particular importance of policies that give people everything they need to do their job—but nothing more—by assigning access rights on a “least privilege necessary” basis. The same logic should apply to applications, hardware, and everything else, he adds.
“When we think about traditional least privilege, it’s for users,” O’Hara notes. “We don’t really think about that when we’re talking about our workloads or our network equipment or our servers.”