Challenge to Zero Trust Strategy: Unmanageable Applications


A significant majority of websites, 61% to be exact, lack support for essential features such as Single Sign-On (SSO) and MFA.

A zero-trust strategy, if fully deployed, can reduce the cost of a breach by 45%.


Most people jump straight to the Zero Trust Architecture. Having many protect surfaces is normal.

The basic five steps of implementing Zero Trust:

  1. Define the protect surface (which DaaS elements do we protect?).
  2. Map the transaction flows (understand how transactions flow to and from the protect surface and its DaaS elements).
  3. Without skipping the first two steps, build a Zero Trust Architecture (it will be custom-made for your protect surface; build controls as close to the protect surface as possible).
  4. Create a Zero Trust policy for layer 7 (the application layer) that focuses on identities, the “who”.
  5. Monitor and maintain the network (log everything; gather, store and process the data to learn from it).

“Unmanageable apps” are synonymous with “non-standard apps”: they lack support for critical security features, and some also lack security APIs.

  • 92% of employees want to keep the choice of which apps they use at work to themselves.

The potential risk: these apps’ identities are not managed by the standard vendor; instead, the users themselves manage their own access. This puts the whole organisation at risk.

  • Tech spending continues to move out of the IT department.

Other departments do not care much about security; they just want to use the app’s features and be done. They do not know what SSO, MFA, RBAC or SCIM are, or whether the app uses secure APIs.

More and more unmanageable apps make their way into the workplace. They do not support the standards the organisation needs to maintain, and they come with no support.

How to make it manageable?

  • By identifying the gaps between the identity provider for standard, supported apps and the unmanageable / non-federated apps.
  • A comprehensive solution to address all the issues with non-standard apps boils down to:

→ The ability to detect these apps and push users back to the manageable, standard ones to which the company is subscribed.

→ Extending Identity Provider capabilities to unmanageable apps.

→ Automating support, to streamline putting best practices in place for these apps. As these apps are used by departments like operations, marketing etc., the apps and their best practices are not the core competencies of those people.

→ Reporting activity.
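The detection and reporting steps above can be expressed as a gap analysis: compare the apps the identity provider actually federates with the apps users are observed reaching, then report every non-federated app together with the controls it lacks. The following Python script is an added example written for this post, not code from the original author or from any vendor; the proxy log lines, the set of federated apps and the capability catalogue are all constructed sample data, and the "login/signup path" rule for spotting an unreviewed app is a deliberately simple heuristic.

```python
"""
Added example: gap analysis between IdP-federated apps and SaaS apps observed
in web-proxy logs. Non-federated apps are reported with the controls (SSO,
MFA, SCIM) they are missing. All inputs are constructed sample data.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed: hosts of the apps federated through the organisation's IdP.
IDP_FEDERATED_APPS = {"crm.example-saas.com", "wiki.example-saas.com"}

# Constructed: capability catalogue maintained by the security team for apps
# it has already reviewed. Hosts absent from it count as unreviewed.
APP_CAPABILITIES = {
    "crm.example-saas.com":  {"sso": True,  "mfa": True,  "scim": True},
    "wiki.example-saas.com": {"sso": True,  "mfa": True,  "scim": False},
    "design.shadow-tool.io": {"sso": False, "mfa": True,  "scim": False},
    "notes.freeapp.net":     {"sso": False, "mfa": False, "scim": False},
}

# Constructed proxy log, one request per line: "<timestamp> <user> <url> <status>"
SAMPLE_PROXY_LOG = """\
2024-03-01T08:01:12Z alice https://crm.example-saas.com/login 200
2024-03-01T08:02:40Z bob https://design.shadow-tool.io/projects 200
2024-03-01T08:05:03Z alice https://design.shadow-tool.io/login 200
2024-03-01T09:10:55Z carol https://notes.freeapp.net/signup 200
2024-03-01T09:12:00Z carol https://wiki.example-saas.com/page/1 200
2024-03-01T09:30:21Z dave https://www.example.com/news 200
2024-03-01T10:00:00Z dave https://chat.unknown-vendor.app/login 200
this line is malformed and must be skipped
"""

CONTROLS = ("sso", "mfa", "scim")


@dataclass
class UnmanagedApp:
    host: str
    users: set = field(default_factory=set)
    hits: int = 0
    reviewed: bool = False          # present in the capability catalogue?
    missing_controls: list = field(default_factory=list)


def parse_proxy_log(text):
    """Yield (user, host, path) from log lines; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, user, url, _status = parts
        parsed = urlparse(url)
        if parsed.hostname:
            yield user, parsed.hostname.lower(), parsed.path


def find_unmanaged_apps(log_text, federated, capabilities):
    """Return {host: UnmanagedApp} for apps in use that the IdP does not federate.

    A host is treated as an app when it is in the capability catalogue or when
    a login/signup path was observed for it (constructed discovery heuristic).
    """
    found = {}
    for user, host, path in parse_proxy_log(log_text):
        if host in federated:
            continue  # managed by the IdP: not a gap
        looks_like_app = host in capabilities or path.startswith(("/login", "/signup"))
        if not looks_like_app:
            continue  # ordinary browsing, not a SaaS app
        app = found.setdefault(host, UnmanagedApp(host=host))
        app.users.add(user)
        app.hits += 1
    for host, app in found.items():
        caps = capabilities.get(host)
        app.reviewed = caps is not None
        if caps:
            app.missing_controls = [c for c in CONTROLS if not caps[c]]
    return found


def build_report(apps):
    """Render one line per unmanaged app, largest user population first."""
    lines = []
    for app in sorted(apps.values(), key=lambda a: (-len(a.users), a.host)):
        if not app.reviewed:
            status = "unreviewed; capabilities unknown"
        elif app.missing_controls:
            status = "missing " + ", ".join(c.upper() for c in app.missing_controls)
        else:
            status = "supports all controls but is not federated"
        lines.append(f"{app.host}: {len(app.users)} user(s), {app.hits} request(s), {status}")
    return lines


if __name__ == "__main__":
    for line in build_report(find_unmanaged_apps(SAMPLE_PROXY_LOG, IDP_FEDERATED_APPS, APP_CAPABILITIES)):
        print(line)
```

The report is ordered by the number of distinct users, so the app with the widest blast radius comes first; an app that supports all three controls but is not federated is the cheapest gap to close, while an unreviewed app is the one that needs a capability assessment before any decision on extending the identity provider to it.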

Zero Trust is a strategy that is totally agnostic to the technology used in the workplace. All users, devices and network traffic are treated as potentially untrusted and are subject to strict authentication, authorization and continuous monitoring.

It emphasizes the importance of identity verification, access controls, encryption, least privilege, and continuous monitoring as fundamental principles for securing resources and mitigating risks.

While implementing Zero Trust, organizations can leverage various technologies and solutions that align with their specific needs and infrastructure. These may include multifactor authentication (MFA), identity and access management (IAM) solutions, secure network segmentation, micro-segmentation, endpoint security, network monitoring, and behavioural analytics, among others.

References:

This post originally arose from an informative webinar by Matthew Chiodi.