Practically Speaking About IT Infrastructure

Trust, But Verify. Not Today: Never Trust, Always Verify

Reagan coined the phrase “Trust, but verify” when dealing with the Soviets. In today’s world of cyber security it’s just not good enough. Welcome to the world of Zero Trust. What is it, and what does it mean to you?

As computer use blossomed, security rapidly became a major concern. How do you protect your key information, allow only legitimate users access, and keep the bad guys out? Our response was to build a digital fortress. We put in firewalls that allowed only authorized entry, and we secured communications by eliminating open internet connections, using only virtual private networks (VPNs) that also required keys or codes to use. The whole concept revolved around the idea that only those with the right credentials could open the gates and pass into the secure domain with the precious information.

Well, how well did that work out? As you’ve read – it didn’t work out very well at all. Headline after headline screams about this breach and that one. Private emails, both embarrassing and scandalous, are regularly revealed. Malicious characters and state actors vacuum up personal data of every stripe. What happened?

People happened. Humans are the key weakness of the fortress approach. The user is given (or creates) a password that enables him or her to enter the privileged domain. That means the user needs to protect that key to the kingdom. Unfortunately, that’s not what occurs. A recent study demonstrates that 74% of breaches were due to access credential abuse. The fortress doesn’t do much good when the keys to the castle are spread all over the place.

Obviously, we can’t let this situation continue. Hence the rise of a new way of thinking about security: Zero Trust – never trust, always verify. In this concept the fundamental assumption of the fortress is overturned: just because you have the password does not mean you are who we think you are, and you must be thoroughly checked out.

So what does “checked out” mean in this new security model? (The four principles below are taken from Centrify’s “Zero Trust Security for Dummies”.)

  • Verify the User – A password alone is just not good enough. Here is where we use Multi-Factor Authentication. Many of us have run into this already: in order to access an account, the website texts a code to your registered phone that you also have to enter. The technique can be extended to all kinds of things that make you, you, like biometric qualities, e.g. the fingerprint that unlocks your smartphone.
  • Validate the Device – Is the device the user is utilizing for access known to be associated with the user, and is it at a regular location where the user would normally be? If you are on your laptop at home, you are probably who you say you are. If you are on a strange machine in an Internet café in Tehran, not so much.
  • Limit Access and Privilege – Access is limited to what you need to do your job. Let’s say you write proposals for your employer. You probably need product information, past proposals and maybe certain approved pricing. But why should you be rummaging around in the HR or accounting systems?
  • Learn and Adapt – Zero Trust Security must continuously improve by learning and adapting. Information about the user, endpoint, application or server, policies, and all activities related to them can be collected and fed into a data pool that fuels machine learning. The system can then automatically recognize out-of-the-ordinary behaviors that immediately raise a red flag that may require a second form of authentication, or block access, depending on policies.
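The four checks above, applied as one policy decision to every request, as an added example that is not from the article or from Centrify; the roles, enrolled devices, usual locations, risk weights and thresholds are constructed assumptions:

```python
"""Minimal Zero Trust policy decision point: a valid password alone never
grants access; every request is checked against user, device, privilege
and accumulated risk. All policy data here is constructed for illustration."""
from dataclasses import dataclass

# Constructed policy data: access is granted per role, never per password.
ROLE_PERMISSIONS = {
    "proposal_writer": {"product_info", "past_proposals", "approved_pricing"},
    "hr_analyst": {"hr_records"},
}
ENROLLED_DEVICES = {"alice": {"laptop-0123"}}    # devices tied to each user
USUAL_LOCATIONS = {"alice": {"home", "office"}}  # where each user is normally seen

@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    factors_verified: int   # 1 = password only, 2 = password + second factor
    mfa_age_min: int        # minutes since the second factor was last checked
    device_id: str
    location: str
    anomaly_score: float    # 0.0 normal .. 1.0 unusual, from the learning layer

def decide(req, step_up_at=0.5, deny_at=0.8, fresh_min=15):
    """Return (decision, risk, reasons); decision is allow, challenge or deny."""
    reasons = []
    # Limit access and privilege: the role must explicitly permit the resource.
    if req.resource not in ROLE_PERMISSIONS.get(req.role, set()):
        return "deny", 0.0, ["resource outside role permissions"]
    # Verify the user: a password alone never gets through.
    if req.factors_verified < 2:
        return "challenge", 0.0, ["second factor required"]
    # Validate the device: an unenrolled device or unusual location adds risk.
    risk = req.anomaly_score
    if req.device_id not in ENROLLED_DEVICES.get(req.user, set()):
        risk += 0.4
        reasons.append("unenrolled device")
    if req.location not in USUAL_LOCATIONS.get(req.user, set()):
        risk += 0.3
        reasons.append("unusual location")
    # Learn and adapt: accumulated risk drives a graduated response.
    if risk >= deny_at:
        return "deny", risk, reasons + ["risk above deny threshold"]
    if risk >= step_up_at and req.mfa_age_min > fresh_min:
        return "challenge", risk, reasons + ["re-verify second factor"]
    return "allow", risk, reasons

if __name__ == "__main__":
    home = AccessRequest("alice", "proposal_writer", "past_proposals", 2, 5, "laptop-0123", "home", 0.05)
    cafe = AccessRequest("alice", "proposal_writer", "past_proposals", 2, 60, "kiosk-9", "internet-cafe", 0.2)
    print(decide(home), decide(cafe))
```

The reasons list is what a SOC would want logged with each decision, since it explains why a step-up or denial fired.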

Makes a lot of sense, doesn’t it? Surprisingly, it is not a new concept. NIST (National Institute of Standards and Technology) promoted it in 2010. In 2011, Google launched a Zero Trust approach it called BeyondCorp and claims great success. If it is so good, why have we had all those awful breaches? Because hardly anyone uses it. IDG’s 2018 Security Report indicates that only 8% of those surveyed are actively using it, while another 10% are piloting it.

What’s the problem? It’s not like no one knows about it. The same IDG report relates that most security professionals (71%) are aware of it. Partly, the concept needed some maturation and the machine learning tools needed to advance. But more importantly, unlike with the fortress approach, the IT guys can’t just buy a firewall or a VPN and claim things are secure.

IT and business leaders need to work together to implement Zero Trust as a strategy and business process. As we all know, when you set out to affect people, processes and organization, change can be difficult. Just look at how long it has taken to adopt cloud, and we still have a long way to go.

Cyber security is too important not to adopt models like Zero Trust. It’s kind of ironic that one of the principal bad guys out there is the same one Reagan faced off against in the 80s – the Russians. Only now, for our time, it must be: “Never Trust, Always Verify”.

By John Pientka

John Pientka, Contributor
Principal of Pientka and Associates
John is currently the principal of Pientka and Associates, which specializes in IT and Cloud Computing. Over the years John has been vice president at CGI Federal, where he led their cloud computing division. He founded and served as CEO of GigEpath, which provided communication solutions to major corporations. He has also served as president of British Telecom’s outsourcing arm Syncordia, and as vice president and general manager of a division at Motorola. John has earned his M.B.A. from Harvard University as well as a bachelor’s degree from the State University in Buffalo, New York.