Approaches and tools to address digital trust are zero trust and zero trust network access. IT Europa attended last week’s ISACA conference in Rome, to find out about the take-up of such strategies.
ISACA is the global IT governance and compliance organisation that has 162,000 members. Many of them are responsible for making sure their IT departments buy and properly deploy and manage the right systems to keep their organisations within the law, when it comes to handling and securing data.
Zero trust eliminates implicit trust from IT systems and assumes that every user and every PC and gadget on the network is a threat to data security. It treats all data traffic as untrusted, requiring strict identity verification for every user, device and process before granting any permissions.
Such an approach acknowledges that the biggest threats to security can come from lateral movement within a network, so if something untoward is detected on the network it has to be stopped and quarantined there and then.
But while zero trust grants the least access possible to systems, effective deployments still enable legitimate system users to do their jobs effectively.
Zero trust network access
Protection systems to mitigate, manage and eradicate zero day attacks that have breached your network are therefore essential, and the companies – and governments – that realise this are adopting zero trust network access (ZTNA) systems.
In response to the rising threat from ransomware, last year, US president Joe Biden signed an executive order mandating public bodies to use ZTNA technology, and said he expected private companies to follow suit (particularly those going after government contracts).
Instead of just reacting to major incidents, Biden wants government and enterprises to do more to prevent them.
Network segmentation
As a first step to adopting ZTNA, organisations should move towards network segmentation. This is the practice of dividing networks into different logical segments and having complete control of the traffic going through and between those segments. It is designed to reduce the attack surface, preventing threats from spreading laterally throughout an organisation.
To do this businesses need a full view of all networks within the organisation. You must have visibility into the network, application, workload and process levels, as well as a view into multi-cloud or on-premise data centres where data assets are distributed across all geographies.
Automation
For large organisations, continually and dynamically updating the access privileges of users and devices on the network to reduce risk is potentially a big task. But the security systems available in the ZTNA space offer automation to complete the process through analytics and machine self-learning.
Matt Chiodi, is on ISACA’s digital trust advisory board. He says of the risks without digital trust being met: “The average ransomware pay-out was $312,000 in 2020 and it rose to $580,000 last year. Digital trust is needed to control the threats, from private clouds to public ones.”
Of ZTNA, he said: “It is estimated that over 70% of companies have started planning for ZTNA, and I think that is probably accurate, but IBM says there is only ‘low-level maturity’ across companies when it comes to the technology, and it’s right most organisations are very early in their take-up.”
Chiodi warns however that it isn’t just technology that is needed to protect apps and data, it is also policy. He says it is now harder to adopt holistic data security policies, as 50% of all business software is bought outside IT departments. And much of it is chosen and deployed without security features such as “single sign-on” - that enables users to safely access it from any device or location - or indeed, two-factor security.
“As the buyers of such software often don’t demand such security features, many of the vendors themselves have de-prioritised them too.” He says IT governance, audit and compliance specialists must insist on better security policies with the full backing of their boards.
ISACA is currently readying its new Digital Trust Framework, which we covered on IT Europa earlier this week.
Chiodi said: “Validations need to be done and proved, which our Framework will help with. By combining ZTNA, for instance, and working to a framework, companies will see costs related to any data breach coming down.”
