Which Zero Trust strategies have you found the most success with?

1.9k views, 6 Comments
vCISO and COO in Software, 4 years ago

There are a lot of people exploring PGP keys, like YubiKeys, to avoid multi-factor authentication (MFA). You just stick a YubiKey or another hardware key in your laptop to work. I've used those to a certain level of success. It's similar to the RSA days when you had that little token which people would lose every week. For every token lost I had to go get a new one for $200. People are better about it than they were back then, and it's still an issue, but it's probably one of the most secure ways to access your environment.

2 Replies
no title, 4 years ago

I've got a client mailing PGP keys out to us as we speak so we can access their stuff. I haven't had personal experience with them, but I will by next week. As far as deployment though, having them mailed to us is like, "Oh great, I've got at least another four days before I'm onboarded to do the work that you just paid us to do."

no title, 4 years ago

Yeah, it's not perfect but at least we're all starting to think about it, and that makes me happy. The news of all these companies shutting down doesn't make me happy, but it needs more attention than what it's been getting in the past.

VP IT & Ecommerce in Finance (non-banking), 4 years ago

We assess the risk of each and every application. We analyze what type of risk each application poses in a risk matrix. We give each a score to determine what could be lost if we didn’t have access to it. For example, what are you going to lose if you can’t access salesforce.com versus what are you going to lose if you can’t access the enterprise resource planning (ERP) system? We manage risk that way.

Also, we're trying to get rid of any inessential information that is sensitive or personally identifiable in that segment. Nowadays even somebody's name and address is classified as personal information, so it's been challenging. But why do you need to have anyone’s social security number? Why do you need to have their bank account information? If you ever do need it, direct them to a certain site and obtain the information that way. Don't store it. So our zero trust approach is about risk management at the application level, at the data element level, and then securing applications based on the business risk they pose.

Managing Partner in Services (non-Government), 4 years ago

Locks are only for honest people. They keep honest people honest. The people who don't want to be honest will find a way past them. In the old days it was hard shell, soft center. If the shell was breached, that’s it, the hackers got anything they wanted. So to me, zero trust was building a bunch of smaller islands with shells around them and insulating them that way. Everybody was relying on SolarWinds. Ultimately, Microsoft's source code was compromised. Is Exchange 365 next? I don't know but it could be. You can't protect everything and you can't afford to protect everything, so what is it that you really need to protect? Focus on that, because some of the other stuff doesn't matter.

Chief Information Officer in Finance (non-banking), 4 years ago

Zero Trust, conceptually, is about borderless access with improved authentication. Maybe with a password, maybe passwordless. Perhaps with a user or device certificate. Might utilize a device health check or an IP address or device geolocation check. Zero Trust will use multi-factor authentication for sure. And Zero Trust can work either with or without a VPN.

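As an added example that is not part of any comment in this thread, here is a small Python policy check that combines the signals the reply above lists (MFA, a device certificate, a device health check, a geolocation check) and deliberately ignores whether the request arrived over a VPN. The rule ordering, the allowed-country list and the sample requests are constructed for illustration, not taken from any real deployment.

```python
from dataclasses import dataclass

# Constructed policy value: countries where this tenant expects logins from.
ALLOWED_COUNTRIES = {"US", "CA"}


@dataclass
class AccessRequest:
    user: str
    mfa_passed: bool          # second factor completed for this session
    device_cert_valid: bool   # device certificate chains to the org CA (managed device)
    device_healthy: bool      # posture check (disk encryption, patch level, ...) passed
    country: str              # resolved from the source IP
    on_vpn: bool              # recorded for audit only; never changes the decision


def decide(req: AccessRequest) -> tuple[str, list[str]]:
    """Return ('allow' | 'step_up' | 'deny', reasons).

    Rules are evaluated in order. MFA is a hard requirement, as the reply
    states; the other signals either block or downgrade to step-up
    (re-prompt, or restrict to low-risk applications). The network path
    (VPN or not) is intentionally absent: access is borderless.
    """
    if not req.mfa_passed:
        return "deny", ["mfa_missing"]
    # Health is only meaningful for managed devices that can report it.
    if req.device_cert_valid and not req.device_healthy:
        return "deny", ["managed_device_unhealthy"]
    reasons = []
    if not req.device_cert_valid:
        reasons.append("unmanaged_device")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append("unexpected_geolocation")
    return ("step_up", reasons) if reasons else ("allow", [])


# Constructed sample requests covering each path through the policy.
SAMPLE_REQUESTS = [
    AccessRequest("alice", True, True, True, "US", on_vpn=False),
    AccessRequest("alice-vpn", True, True, True, "US", on_vpn=True),
    AccessRequest("bob", False, True, True, "US", on_vpn=True),
    AccessRequest("carol", True, True, False, "US", on_vpn=False),
    AccessRequest("dave", True, False, True, "BR", on_vpn=False),
]


def run_samples() -> dict[str, str]:
    """Map each sample user to the decision, for review or logging."""
    return {r.user: decide(r)[0] for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for user, verdict in run_samples().items():
        print(f"{user:10} -> {verdict}")
```

The two "alice" requests differ only in `on_vpn` and get the same verdict, which is the point of the reply's last sentence.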
