More Than Zero Trust: Zero Touch Privileged Access Management Solutions Save Time, Reduce Risk
By: Ali Gomulu
We have all found ourselves in a different world of work given the events that have defined 2020, and few professionals felt the pressure more than IT and OT teams. They were charged with making sure employees could work remotely, remain productive, and address their own challenges in the COVID-19 environment, all while securing devices, networks, applications, clouds and physical infrastructure in data centers. It was an enormous challenge, but one technology leaders rose to address.
While Zero Trust has been trending for the last few years, it has taken on new meaning given the chaos at the edge of the network and a virtual perimeter that has become a target for cybercriminals as attacks exploded.
Laptops were being infected, phones were being hacked, servers were being attacked, and data in transit and at rest attracted criminal elements. Beyond the intentional mayhem, unintentional damage can also be severe in this environment. It stems from a lack of experience or awareness, despite training and communications alerting remote employees to the dangers of using public WiFi, of writing down their passwords, of sharing their passwords, and of using public platforms like Zoom, Dropbox, Messenger and hundreds of other “shadow IT” systems.
Even the most current cybersecurity practices are not up to the challenges created by the complexities of modern networks, where multiple clouds, APIs connecting systems together, the use of personal devices in a “BYOD” model and more, make securing the perimeter a moving target.
Zero trust is officially here to stay.
A zero-trust security posture assumes that every device, every network, every application, every cloud, and every user is at risk. It is right for these times, and right for future times. Now the challenge becomes how to implement this without eroding productivity and end-user experience, and without breaking the bank.
The US National Institute of Standards and Technology (NIST) defines zero trust this way: “Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.”
NIST goes further, drawing a distinction between zero trust and zero trust architecture. “Zero trust (ZT) provides a collection of concepts and ideas designed to reduce the uncertainty in enforcing accurate, per-request access decisions in information systems and services, in the face of a network viewed as compromised.”
Zero trust architecture “is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies.”
Zero trust security postures include policies, practices, software, and hardware that are orchestrated to create an entire zero-trust ecosystem.
Zero trust is a huge commitment – and one way to get there in a sustainable and cost-effective way is with zero touch.
Zero touch implies advanced automation of activities that were previously done manually, or at least partially manually. We have seen zero touch provisioning completely change the way we interact with devices, for example with smartphones that automatically register to the network, smart products that find the router and Internet access, and more.
How does this apply in the world of cybersecurity? Much of it has to do with multiple clouds, applications, locations and privileged access requirements. Enterprises move more to the cloud for all the obvious reasons (cost savings, agility), then learn that securing the increasingly diverse world of computing and communications resources is harder than originally thought. The growth of hybrid and multi-cloud environments has made cloud security more complex.
Hybrid and multi-cloud enterprises need to integrate a variety of cloud services and system architectures: on-prem, IaaS, NaaS, PaaS, UCaaS, CPaaS, SaaS and more. As these transitions occur more frequently, these diverse and distributed environments also become increasingly complex, with limited network control, little or no integration across services, and a lack of qualified security personnel with domain expertise and training.
Managing network security processes has become a beast, with confusion regarding which teams “own” what – IT, OT, SecOps, NetOps, DevOps, and the latest CloudOps.
All these “moving parts” naturally lead to human error when there are many different vendors and different policies in different geographic regions. Human errors happen every day, as teams are overwhelmed with manual network changes, including logging into multiple consoles to manage different security processes and applications.
According to Gartner, through 2023, more than 99% of firewall breaches and 80% of cloud breaches will be caused by human-introduced misconfigurations.
The solution to securing these increasingly complex environments is to eliminate unnecessary complexity caused by manual network and security policy management processes, and that is where the promise of Zero Touch kicks in. Routine IT security tasks should be securely automated as much as possible to help reduce complexity and human-introduced issues.
Because Ironsphere built our architecture for the modern, hybrid, agile world from the very beginning, we have long offered the benefits of true security automation through zero touch capabilities: automating network security life cycles by pushing policy and configuration changes to devices (for example, automatically updating passwords) and creating an intuitive experience for the IT and OT teams responsible for keeping enterprise assets protected.
Benefits of our PAM solution and adjacent offerings include:
- Simplification of operations and the ability to control security rules at the right “least privilege” levels
- Elimination of misconfigurations, by removing manual change management processes to reduce or eliminate human error
- Productivity improvements, as repetitive tasks are automated so “techs” can spend time on more important issues
- Compliance continuity ensuring all policies are followed and can be audited with ease
We’ve cracked the code on combining Zero Trust with Zero Touch, and aligned these ideas into a cloud-ready, proven platform, built for the new normal – with the agility to support remote working, and the economics that make Ironsphere’s solutions more than feasible – forceful.
Please contact us if you would like to learn more.