Dan Panesar, VP EMEA at Certes Networks:
“The latest series of attempted hacks targeting organisations involved in next month’s Winter Olympics highlights just how extensive today’s IT infrastructure is and how many attack vectors there are for hackers to exploit.
In such a scenario, it only needs one user or one part of the extended network to be compromised, and the entire organisation is at risk.
Security mindset needs to change away from a prevention only approach and instead look to contain threats that will inevitably get past cyber defences – and the best way to do that is to adopt a ‘Zero Trust’ model and accept that access or ‘trust’ once within any part of the extended enterprise must be strictly limited.
Whoever owns the IT environment, when access is based on Zero Trust, the user or device only gains access to the specific applications and data they or it needs to undertake their role in the organisation. Building on existing policies for user access and identity management, it minimises the risk of damage, should a user’s credentials become compromised. Moreover, when access is granted, the application traffic is protected by cryptography, which is the segmentation that prevents it from being accessed by non-permitted users.
This means that, in the event of any breach the attacker is contained to that specific segment or application only; lateral movement is impossible. This approach also, critically, decouples security from the complexity of the IT infrastructure and addresses user and application vulnerability.
Shift the focus from infrastructure to trust and it doesn’t matter how complex technology has become, or how extensive the attack surface is, the security model remains simple and hence both manageable and relevant.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.