“When it comes to zero trust security, CISOs need to develop and execute a plan that ensures consistent protocols and policies are implemented across the entire network and to any resource or application, no matter where that user or resource is located,” says Steve Mulhearn, Director of Enhanced Technologies, Fortinet, in an exclusive interview with EnterpriseTalk.
ET Bureau: In today’s increasingly remote working environment, how can CISOs strengthen secure endpoints?
Steve Mulhearn: For most organizations, work will never be the same as it was before the pandemic, with working-from-anywhere models being the reality for the foreseeable future. With the increase and onset of remote working, this in and of itself poses a new level of risk to corporate assets and sensitive data, unless managed properly. Further to that, the way businesses look at endpoint security solutions needs to change in order to provide better visibility into devices and their state, strong protection measures, remote monitoring tools, and threat remediation for endpoint devices of all kinds. CISOs also need to make use of every security asset that exists, such as implementing a zero-trust security strategy. Effectively this means shifting the security mind-set towards one that doesn’t trust anyone or anything attempting to gain access to its networks. With a tenfold increase in ransomware attacks, according to the latest FortiGuard Labs Threat Landscape Report, resolving security issues as they relate to increasingly distributed networks is crucial.
ET Bureau: What are the vulnerabilities and challenges CISOs encounter with Zero Trust? How can they effectively deal with them?
Steve Mulhearn: There is an all-too-common notion that implementing a zero-trust architecture requires a complete overhaul of an organization’s network. There will certainly be some heavy lifting required, but successful implementation is about having the right framework in place paired with the right tools to execute. It’s a cultural shift, which is often a bigger change than the technology shift. It involves a mindset and a commitment to changing how access is granted and how security is maintained across the organization.
When it comes to zero trust security, CISOs need to develop and execute a plan that ensures consistent protocols and policies are implemented across the entire network and to any resource or application, no matter where that user or resource is located. But an important aspect to consider is that this network is likely made up of multiple clouds and on-premises environments with users migrating in and out of those environments. Cybersecurity must not hinder that. Yet, with each cloud provider offering different security services using different tooling and approaches, each cloud becomes an independent silo in a fragmented network security infrastructure. This is why visibility across all infrastructure is important. Trustless security measures don’t require a total network overhaul but do result in a stronger network shield and subsequently a reduction in risk.
ET Bureau: As the adoption of the zero trust model skyrockets, what steps can enterprises take to effectively implement them in their present cybersecurity infrastructure?
Steve Mulhearn: The first step in designing a zero-trust architecture is to determine who gets access to which resources based on job role and function. On top of that, the devices themselves that people are using need to be properly secured. The implementation of an effective zero trust security policy must include secure authentication. Many breaches come from compromised user accounts and passwords, so the use of multifactor authentication is key. Requiring users to provide two or more authentication factors to access an application or other network assets adds an extra layer of security to combat cybersecurity threats.
Adopting this type of access management means that if a user account is compromised, cyber adversaries only have access to a restricted subset of corporate assets. It’s similar to network segmentation but on a per-person basis. Users should only be allowed to access those assets that they need for their specific job roles.
ET Bureau: Can you provide some suggestions that will enable the enterprises to increase the efficiency of the zero-trust model?
Steve Mulhearn: As technology has advanced, so has the interconnectedness of IoT ecosystems with the enterprise network and the entirety of the internet. This new connectivity and the expansion of IP-enabled devices mean IoT devices have become a prime target for cybercriminals. The majority of IoT devices are not designed with security at the forefront, and many do not have traditional operating systems or even enough processing power or memory to incorporate security features. Therefore, it is paramount to ensure that the devices people are using have been properly secured, and if these devices cannot be secured, then to ensure that they pose the minimum amount of risk to the business.
A benefit of zero trust is that it can authenticate endpoint and IoT devices to establish and maintain all-inclusive management control and ensure the visibility of every component attached to the network. For headless IoT devices, network access control (NAC) solutions can perform discovery and access control. Using these policies, organizations can apply the zero-trust principles of least access to not only users but IoT devices, granting only sufficient network access to perform their role.
Steve Mulhearn has over 13 years of experience in cyber security. He has a wealth of experience in providing cyber security advice to companies seeking to protect themselves from a number of threats. Steve is also an expert on IoT security and how companies can best protect themselves from emerging threats.