Has your organization managed to implement zero trust access?

Security & GRCIdentity & Access Management (IAM)
2.8k viewscircle icon1 Upvotecircle icon4 Comments
Sort by:
Managing Partner & CISO in Software4 years ago

I have so many thoughts on Zero Trust's overall model. This is a little cynical, but the cyber industry just feeds to perpetuate itself in a meaningful way. Google and Uber pioneered a lot of the discussion around the Zero Trust network, but there are probably 90 different definitions of what Zero Trust means. We're 25 years into this and we still haven't solved identity and access. Either coarse-grained, or fine-grained, however you look at it, we're still having the conversations.

My favorite example is that every year we, as an industry, publish the 100 worst passwords and have a good chuckle. The question I've asked every year is, "Why do we not hold software vendors to account and actually prohibit those passwords at a hash level, from ever being used in a software?" It would be easy to do and we would immediately take care of stupid admin issues. The reason is the software vendors have no incentive to do that, even though it would probably be less than a few hours of coding.

We have enterprises that won't push them to do it either. Instead, we have a self-perpetuating system: "We are going to create some new technology instead. We'll get it funded, take it to IPO, and then make a bunch of money. Then we're going to create another piece of technology that's slightly different, with a new shade of purple, but still doesn’t solve any problems." The biggest opportunity is to solve the innovation buyer-seller cycle, and that needs to happen in a profound way. Until we solve that, we're just going to be in this world we're in today.

Lightbulb on3
IT Manager in Services (non-Government)4 years ago

Zero Trust is a tool, but it's almost like we have to start looking at it the way we've looked at SDLC. Because it's that directory. It starts with those HR processes, pulling them together with automation and getting that Zero Trust, because if that directory has any form of corruption, that's it. That means your life cycle of that identity is flawed. You could do all the periodic reviews and audits you like, but it could have an account that could live there for years and be legitimate. That is the threat.

Lightbulb on2
VP, Chief Security & Compliance Officer in Software4 years ago

We're getting ready to pilot a startup company with some tech from a Zero Trust perspective—it's the identity issue, especially with a heavy cloud presence. For me, there’s a bit of frustration because when I talk about Zero Trust and our identity access strategy, it's always about the human factor. But that's not my problem right now.

My problem is I've got these multi-structured relationships—new digital capabilities—that are leveraging the cloud, as they should. My new port problem is my API and trying to be able to watch workloads as they execute to make sure it's authorized.. These are identity issues around non-human space. We're doing a pilot in that space because I think Zero Trust is deeper than what we originally categorized it as.

Lightbulb on1
Head of Security and Compliance in Software4 years ago

Cloud native companies generally consume a lot of cloud services and continuously learn from the market innovations. Zero Trust access is still a challenge. There's a lot of buzz around it and people might be claiming they’ve implemented it, but I don't think anybody can really say that they fully achieved it. Yes, there are tools in some of the services, but are they really covering everything?

Lightbulb on2

Content you might like

Zoom Video Communications has agreed to pay $85 million to settle a California lawsuit. They have been accused  of improperly sharing customer information with Facebook, Google and LinkedIn and allowing strangers to enter unprotected Zoom meetings in an activity known as "Zoombombing." Have you ever been "zoombombed" in a meeting?

Yes60%

No39%

Does your company offer international customers payment methods that are specific to their country or region?  (i.e., SEPA, iDeal, Sofort, etc.)

Yes70%

No29%

Do you have a lock out policy for system accounts? If so, how many attempts do you have it set too? 

Have you considered not having a lock out policy where accounts are vaulted / rotated & standing access is removed?

As part of our NYSE IPO prep, we’re debating how to communicate our system hardening efforts in regulatory disclosures (e.g., SEC Form 20-F, SFC).

Would you recommend sharing % compliance (e.g., “85% CIS Tier 2”) or sticking to qualitative descriptions of how we identify and mitigate risks? Also, do SFC/ISO 27001 expectations require full ISMS integration, or is a % model acceptable?

We’re preparing for an IPO on the NYSE as a Foreign Private Issuer and evaluating CIS Benchmarks to measure OS and database hardening.

Our proposed tiers:
• Tier 1 (70–80%) baseline
• Tier 2 (85–90%) for sensitive data
• Tier 3 (95–100%) for mission-critical systems

Is 80% compliance defensible for IPO due diligence with SEC or SFC? Should Tier 3 be considered mandatory for critical systems? And can compensating controls (e.g., PAM, microsegmentation) offset gaps in legacy environments?