Exclusive: Google suspends some business with Huawei after Trump blacklist - source

Exclusive: Google suspends some business with Huawei after Trump blacklist – source

NEW YORK (Reuters) - Alphabet Inc’s Google has suspended business with Huawei that requires the transfer of hardware, software and technical services except those publicly available via open source licensing, a source familiar with the matter told Reuters on Sunday, in a blow to the
Facebook facing 20-year consent agreement after privacy lapses: source

Facebook facing 20-year consent agreement after privacy lapses: source

WASHINGTON (Reuters) - The social media giant Facebook Inc is headed toward an agreement with the U.S. government over its privacy policies and practices that would put it under 20 years of oversight, according to a source knowledgeable about the discussions. The agreement would resolve

Reagan coined the phrase: “Trust, but verify” when dealing with the Soviets. In today’s world of Cyber it’s just not good enough. Welcome to the world of Zero Trust. What is it and what does it mean to you?

As computer use blossomed security rapidly became a major concern. How do you protect your key information; allow only legitimate users access, and keep the bad guys out? Our response was to build a digital fortress. We put in firewalls that allowed only authorized entry and we secured the communications by eliminating open internet connections through using only virtual private networks (VPN’s) that also required keys or codes to use.  The whole concept revolved around the idea that only those with the right credentials could open the gates and pass into the secure domain with the precious information.

Well how well did that work out? As you’ve read – it didn’t work out very well at all. Headline, after headline scream about this breach and that one. Private emails both embarrassing and scandalous are regularly revealed. Malicious characters and state actors vacuum up personal data of every stripe. What happened?

People happened. Humans are the key weakness of the fortress approach. The user is given (or creates) a password that enables him or her to enter the privileged domain. That means the user needs to protect that key to the kingdom. Unfortunately, that’s not what occurs. A recent study demonstrates that 74% of breaches were due to access credential abuse. Doesn’t do much good when the keys to the castle are spread all over the place.

Obviously, we can’t let this situation continue. Hence the rise of a new way of thinking about security: Zero Trust – never trust, always verify. In this concept the fundamental assumption of the fortress is overturned. Instead, just because you have the password does not mean you are who we think you are and you must be thoroughly checked out.

So what does “checked out” mean in this new security model (from Centrify – “Zero Trust Security for Dummies”):

  • Verify the User – A password alone is just not good enough. Here is where we use Multi Factor Authentication. Many of us have run into this already when in order to access an account the website texts a code to your registered phone that you also have to enter. The technique can be extended to all kinds of things that make you, you like biometric qualities, e.g. your fingerprint that unlocks your smartphone.
  • Validate the Device – Is the device the user is utilizing for access known to be associated with the user and at a regular location that the user would normally be located? If you are on your laptop, at home you are probably who you say you are. If you are on a strange machine in an Internet café in Tehran, not so much.
  • Limit Access and Privilege – Access is limited to what you need to do your job. Let’s say you write proposals for your employer. You probably need product information, past proposals and maybe certain approved pricing. But why should you be rummaging around in the HR or accounting systems?
  • Learn and Adapt – Zero Trust Security must continuously improve by learning and adapting. Information about the user, endpoint, application or server, policies, and all activities related to them can be collected and fed into a data pool that fuels machine learning. The system can then automatically recognize out-of-the-ordinary behaviors that immediately raise a red flag that may require a second form of authentication, or block access, depending on policies.

Makes a lot of sense doesn’t it? Surprisingly, it is not a new concept. NIST (National Institute of Standards and Technology) promoted it in 2010. In 2011, Google launched a Zero Trust approach it called BeyondCorp and claims great success. If it is so good why have we had all those awful breaches? That’s because mostly no one uses it. IDG’s 2018 Security Report indicates that only 8% of those surveyed are actively using it, while another 10% are piloting it.

What’s the problem? It’s not like no one knows about it. The same IDG report relates that most security professionals (71%) are aware of it. Partly, the concept needed some maturation and the machine learning tools needed to advance. But more importantly, unlike with the fortress approach the IT guys just can’t buy a firewall or VPN and claim things are secure.

IT and business leaders need to work together to implement Zero Trust as a strategy and business process. As we all know, when you set out to affect people, processes and organization, change can be difficult. Just look how long it has taken to adopt cloud and we still have a long way to go.

Cyber security is too important not to adopt models like Zero Trust. It’s kind of ironic that one of the principal bad guys out there are the same ones Reagan faced off in the 80’s – the Russians. Only now for our time it must be: “Never Trust, Always Verify”.

By John Pientka

John Pientka

John is currently the principal of Pientka and Associates which specializes in IT and Cloud Computing.

Over the years John has been vice president at CGI Federal, where he lead their cloud computing division. He founded and served as CEO of GigEpath, which provided communication solutions to major corporations. He has also served as president of British Telecom’s outsourcing arm Syncordia, vice president and general manager of a division at Motorola.

John has earned his M.B.A. from Harvard University as well as a bachelor’s degree from the State University in Buffalo, New York.

View Website
Microsoft Professional Program in Cybersecurity

Microsoft Professional Program in Cybersecurity

As the number of cyberthreats continues to increase, the demand for skilled cyber professionals is also growing. Become knowledgeable on the wide set of skills that will allow you to start or grow a cybersecurity career. Protect. Describe the current threat ...

$990.00Learn More

CISSP® Exam Prep Course

CISSP® Exam Prep Course

The CISSP® Exam Prep Course prepares test-takers for the Certified Information Systems Security Professional exam, as administered by the International Information System Security Certification Consortium (ISC)2. The CISSP® certification is recognized worldwide and adheres to the strict standards of ISO/IEC ...

$549.00Enroll Now

Ajay Malik

The Quest to Bring Computers to People – Personal Computing

The quest to bring computers to people,' rather than people to computers" resulted in the invention of Personal Computer The ...
Avoiding the IOT ‘Twister’ Business Strategy

Avoiding the IOT ‘Twister’ Business Strategy

IOT ‘Twister’ Most organizations’ ‪ IOT Strategy look like a game of ‪ ‘Twister’ with progress across important IOT capabilities such as architecture, technology, ...
Data Policy is Fundamental for Trust

Data Policy is Fundamental for Trust

Data Policy Trust Consumers once owned and protected their data independent of anyone else. Handwritten letters, paper bank statements, medical ...
How cloud-based business management can help an SMB go global

How cloud-based business management can help an SMB go global

Global SMB Business Management Most companies today are familiar with the cloud; using software-as-a-service (SaaS) apps and customer relationship management ...
20 Leading Cloud CMS Wordpress Alternatives

20 Leading Cloud CMS WordPress Alternatives

Content management systems (CMS) have grown exponentially in recent years. Their number and features have exploded. There are now dozens ...
How Security Certification Helps Cloud Service Providers Stay Transparent and Credible

How Security Certification Helps Cloud Service Providers Stay Transparent and Credible

Security Certification Helps Cloud Service Providers If you are a cloud service provider (CSP), you know your customers have a ...
Bluejeans video SaaS

15 Promising Cloud-Based Video Conferencing Services

Cloud Video Conferencing Services We have put together a compilation of some of the best cloud based conferencing services for ...
HTML5 Speed Test

HTML5 Speed Test

HTML5 SPEED TEST SERVICES DAREBOOST Dareboost helps you check your website speed by running online tests based on Google Chrome ...