Which Zero Trust strategies have you found the most success with?
Sort by:
I've got a client mailing PGP keys out to us as we speak so we can access their stuff. I haven't had personal experience with them, but I will by next week. As far as deployment though, having them mailed to us is like, "Oh great, I've got at least another four days before I'm onboarded to do the work that you just paid us to do."
Yeah, it's not perfect but at least we're all starting to think about it, and that makes me happy. The news of all these companies shutting down doesn't make me happy, but it needs more attention than what it's been getting in the past.
We assess the risk of each and every application. We analyze what type of risk each application poses in a risk matrix. We give each a score to determine what could be lost if we didn’t have access to it. For example, what are you going to lose if you can’t access salesforce.com versus what are you going to lose if you can’t access the enterprise resource planning (ERP) system? We manage risk that way.
Also, we're trying to get rid of any inessential information that is sensitive or personally identifiable in that segment. Nowadays even somebody's name and address is classified as personal information, so it's been challenging. But why do you need to have anyone’s social security number? Why do you need to have their bank account information? If you ever do need it, direct them to a certain site and obtain the information that way. Don't store it. So our zero trust approach is about risk management at the application level, at the data element level, and then securing applications based on the business risk they pose.
Locks are only for honest people. They keep honest people honest. The people who don't want to be honest will find a way past them. In the old days it was hard shell, soft center. If the shell was breached, that’s it, the hackers got anything they wanted. So to me, zero trust was building a bunch of smaller islands with shells around them and insulating them that way. Everybody was relying on SolarWinds. Ultimately, Microsoft's source code was compromised. Is Exchange 365 next? I don't know but it could be. You can't protect everything and you can't afford to protect everything, so what is it that you really need to protect? Focus on that, because some of the other stuff doesn't matter.
Zero Trust, conceptually, is about borderless access with improved authentication. Maybe with a password, maybe passwordless. Perhaps with a user or device certificate. Might utilize a device health check or an IP address or device geolocation check. Zero Trust will use multi-factor authentication for sure. And Zero Trust can work either with or without a VPN.
There are a lot of people exploring PGP keys,like YubiKeys, to avoid multi-factor authentication (MFA). You just stick a YubiKey or another hardware key in your laptop to work. I've used those to a certain level of success. It’s similar to the RSA days when you had that little token which people would lose every week. For every token lost I had to go get a new one for $200. People are better about it than they were back then, and it's still an issue, but it's probably one of the most secure ways to access your environment.