Which Zero Trust strategies have you found the most success with?


1.9k views6 Comments

Chief Information Officer in Finance (non-banking), 201 - 500 employees
Zero Trust, conceptually, is about borderless access with improved authentication. Maybe with a password, maybe passwordless. Perhaps with a user or device certificate. Might utilize a device health check or an IP address or device geolocation check. Zero Trust will use multi-factor authentication for sure. And Zero Trust can work either with or without a VPN.
2
Managing Partner in Services (non-Government), 11 - 50 employees
Locks are only for honest people. They keep honest people honest. The people who don't want to be honest will find a way past them. In the old days it was hard shell, soft center. If the shell was breached, that’s it, the hackers got anything they wanted. So to me, zero trust was building a bunch of smaller islands with shells around them and insulating them that way. Everybody was relying on SolarWinds. Ultimately, Microsoft's source code was compromised. Is Exchange 365 next? I don't know but it could be. You can't protect everything and you can't afford to protect everything, so what is it that you really need to protect? Focus on that, because some of the other stuff doesn't matter.
1
VP IT & Ecommerce in Finance (non-banking), 51 - 200 employees
We assess the risk of each and every application. We analyze what type of risk each application poses in a risk matrix. We give each a score to determine what could be lost if we didn’t have access to it. For example, what are you going to lose if you can’t access salesforce.com versus what are you going to lose if you can’t access the enterprise resource planning (ERP) system? We manage risk that way.

Also, we're trying to get rid of any inessential information that is sensitive or personally identifiable in that segment. Nowadays even somebody's name and address is classified as personal information, so it's been challenging. But why do you need to have anyone’s social security number? Why do you need to have their bank account information? If you ever do need it, direct them to a certain site and obtain the information that way. Don't store it. So our zero trust approach is about risk management at the application level, at the data element level, and then securing applications based on the business risk they pose.
1
CISO in Software, 51 - 200 employees
There are a lot of people exploring PGP keys,like YubiKeys, to avoid multi-factor authentication (MFA). You just stick a YubiKey or another hardware key in your laptop to work. I've used those to a certain level of success. It’s similar to the RSA days when you had that little token which people would lose every week. For every token lost I had to go get a new one for $200. People are better about it than they were back then, and it's still an issue, but it's probably one of the most secure ways to access your environment.
2 2 Replies
Managing Partner in Services (non-Government), 11 - 50 employees

I've got a client mailing PGP keys out to us as we speak so we can access their stuff. I haven't had personal experience with them, but I will by next week. As far as deployment though, having them mailed to us is like, "Oh great, I've got at least another four days before I'm onboarded to do the work that you just paid us to do."

CISO in Software, 51 - 200 employees

Yeah, it's not perfect but at least we're all starting to think about it, and that makes me happy. The news of all these companies shutting down doesn't make me happy, but it needs more attention than what it's been getting in the past.

Content you might like

Our team will have the option to work remotely for all or part of the week42%

Our team will return to the office as soon as it is safe to do so32%

Our team will permanently work remotely13%

Our team has already returned to the office10%

Our team never left the office to work remotely1%

Undecided2%


202 PARTICIPANTS

969 views1 Comment

Autocratic3%

Transformational59%

Servant9%

Laissez-faire3%

Democratic9%

Coaching16%

Others0%


32 PARTICIPANTS

399 views

CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
Read More Comments
40.9k views131 Upvotes319 Comments