Zero Trust (ZT) has been the source of hope and confusion for many organizations looking to improve and modernize their security program.
It is not a new concept, but President Biden’s 2021 Executive Order has recently highlighted it. The order cites Zero Trust, Software Supply Chains, and SBOM as critical pieces toward better securing American institutions and people against cyber attacks.
There is wide agreement that ZT concepts lead in a positive direction toward better security. Implementing it requires fundamental changes and raises questions: How does it really work? How do I apply it? What are its implications?
In this webinar, Jerry Hoff and Julius Musseau break down Zero Trust’s fundamental concepts and resources. They also look at Zero Trust’s implications for applications, SBOM and software supply chains.
Zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.
ZT provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privileged per-request access decisions in information systems and services in the face of a network viewed as compromised.
Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a ZT enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.
Strong Identity, Authorization & Data
Which effectively means:
- Strong Authentication / Identity is paramount
- Identity based access control for all connections
- Encryption on all connections
- Consistent application of security rules
- Cloud and on-prem workloads
- Remote and on-prem workers
- Device Control / Inspection
- Deliberate access granting / strong governance
- Enriched monitoring
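
The per-request decision that these points describe can be sketched as follows. This is an added example, not code from the webinar; the policy table, field names and sample requests are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed least-privilege policy: (role, resource) -> allowed actions.
POLICY = {
    ("payroll-clerk", "payroll-db"): {"read"},
    ("payroll-admin", "payroll-db"): {"read", "write"},
}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_verified: bool      # strong authentication
    device_compliant: bool  # device control / inspection result
    tls: bool               # encryption on the connection
    source_network: str     # recorded for monitoring, never used to grant access
    resource: str
    action: str

def decide(req: Request) -> tuple[bool, str]:
    """Evaluate one request; every request is checked, none is trusted by origin."""
    if not req.tls:
        return False, "connection not encrypted"
    if not req.mfa_verified:
        return False, "strong authentication missing"
    if not req.device_compliant:
        return False, "device failed inspection"
    if req.action not in POLICY.get((req.role, req.resource), set()):
        return False, "action not granted to role"
    return True, "granted"

def audit(req: Request) -> dict:
    """Decision plus context, in a shape a monitoring pipeline could ingest."""
    allowed, reason = decide(req)
    return {"user": req.user, "resource": req.resource, "action": req.action,
            "source_network": req.source_network, "allowed": allowed, "reason": reason}

# Constructed sample requests: remote and on-prem users, one rule set.
SAMPLES = [
    Request("alice", "payroll-clerk", True, True, True, "home-wifi", "payroll-db", "read"),
    Request("alice", "payroll-clerk", True, True, True, "corp-lan", "payroll-db", "write"),
    Request("bob", "payroll-admin", True, False, True, "corp-lan", "payroll-db", "write"),
    Request("carol", "payroll-admin", False, True, True, "corp-lan", "payroll-db", "read"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(audit(r))
```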
Base Pillars to build ZT
High-Level ZT Maturity Model
- Need for unified, centralized, overarching authentication
- Need for centralized authorization & decision-making capabilities
- Need for device information
- Updated SOC capabilities (EDR)
- Updated Training for Staff (design, implementation, deployment, production)
- Internal delegation (who oversees centralized auth, authz, etc…)
- Policy design, update, implementation (who?)
- Updated Governance (Many more decisions)
Implications for Application Security
- Internally facing / externally facing paradigm breaking down
- Secure connections
- ZT is getting grouped together with new appsec regulations.