Which Zero Trust solutions are most effective at protecting data at the enterprise level?

vCISO and COO in Software, 4 years ago

I know that for some companies, business intelligence (BI) and data management have to be running on internal databases for the most part. Our data and BI stuff is all done externally now. It's hosted somewhere else and all the data is piped in through somewhere else, so we don't have that issue anymore.

2 Replies
no title, 4 years ago

At my last company, it was mainly internal. There wasn't really any external access. We used two-factor authentication, standard stuff. There was a lot of focus on what type of data you’re protecting, because certain data is more valuable than others. Data that was "high IP" definitely had to have two-factor authentication, for example. Low IP data maybe doesn't need two-factor authentication. So we spent a lot of time on classifying the IP.

no title, 4 years ago

Prioritization is key but it's different if you look at the Colonial Pipeline incident. Their high IP asset was the actual pipeline, so when they got hit, they went to the network closet and started unplugging all the industrial control systems so the pipeline wouldn't have to shut down, but they ended up shutting it down anyway because they didn't have any other remediation to perform. What a mess. And hospitals are doing that. Everybody is doing that. It's the best solution for now.

Chief Information Officer in Finance (non-banking), 4 years ago

Another security concept here is the “Secure Access Service Edge” (SASE).  You purchase the entire remote access and security stack outside your own data centers. It’s particularly good for companies that are national or international because a large provider can provide those access points no matter where they are. We're used to the model of surrounding everything with a fortress, with remote access servers granting access at the edge, plus all the services needed to decide whether you let them in or not. The SASE concept is about buying that as a service and it fits in with Zero Trust.

Instead of using your own bandwidth in and out of your company, a user’s remote access laptop would connect to the SASE provider (such as vendor Zscaler), and they do the authentication and security. With Office 365, for example, user traffic can simply be routed directly to Microsoft, with no need to route that back to your own data centers. The SASE vendor needs a link to your Active Directory to authenticate users, but in some cases, if they're using email and SaaS, users are redirected out to the Internet from there, and their traffic may never even come back into your “fortress” and your data center unless the user starts using an in-house application. Then only that traffic would come back to your fortress. If the user needs Office 365, just route them there. If they're going to some SaaS platform, just send them to where that’s hosted. There’s no need to send user traffic back to company data centers at all unless they really need to come back there for it. Oh, OK, it sounds like we’ll be discussing SASE technology in the next session!
