Security for the Modern World
“Most organizations still take a perimeter-based approach to security,” Teju Shyamsundar, senior product marketing manager for Okta, explained to SummIT attendees. “They consider the outside network to be nonsecure and their internal network to be the most secure.”
That model, however, no longer makes sense due to the major shift to a cloud-based and mobile-first world, Lewis said. “This shift has dissolved the traditional network perimeter.”
“The actors are no longer coming at you head-on,” he said. “They’re coming at you from every different angle they can find.”
Lewis noted that no business today is immune from attack, citing banks as a particular example. He further explained that, while traditional attack methods might typically route through a device on the bank’s networks, today’s attackers can access a bank’s infrastructure through third parties, such as its processing center.
Adopting a zero-trust security model, and taking advantage of tools such as asset inventory, user management and network zone segmentation, can help security teams gain visibility into every user and device on the business's networks. As Shyamsundar put it, zero trust ensures that the right people have the right level of access to the right resources in the right context, all of which should be continuously assessed.
“You’re always going to have different groups doing different jobs,” said Lewis, “but there’s no reason they should have access to everything.”
And for businesses hoping to get started on their zero-trust journey, Lewis assured them that most of the tools and technologies they need are likely already in place in their organization.
Get Started with Zero Trust
Lewis made it abundantly clear that zero trust is not an end goal, but rather something that businesses should aspire to. “There’s no such thing as a zero-trust certification,” he said.
Furthermore, Shyamsundar informed attendees that a zero-trust process should happen in a phased approach, starting with identifying the problems the business currently faces and how removing those can help achieve business objectives. From there, organizations should evaluate the technologies that make the most sense for them.
“There’s not really a silver-bullet vendor that does all of zero trust, so that’s why it’s important to partner with different vendors,” said Shyamsundar. Lewis echoed that opinion in his presentation.
Something else that Lewis and Shyamsundar both agree on: A zero-trust approach to security, while introducing new technologies such as multifactor authentication for employees, should have minimal impact on the end user’s workflow.
To accomplish this, security teams should get buy-in from end-user employees. Lewis explained that security professionals need to level with employees and introduce this new security model as something that’s ultimately good for them, because, “99 percent of the time, they have no idea what we’re talking about.”
“Security should be an enabler for the business to do things safely and securely,” said Lewis. “We have to make sure that we, as security professionals, are not vilifying the users, but educating them.”
Check out our event page for more articles and videos from the CDW Protect SummIT.