November 7, 2018
Zero Trust

What Is Zero Trust and Why Is it So Important?

Corey Williams – Idaptive
Corey Williams Vice President, Marketing

Zero Trust.

We’re going to be talking about this a lot. Zero Trust security.

Zero Trust Security – Idaptive

Zero Trust.

We’re going to be talking about this a lot. Zero Trust security. is a foundational element of Idaptive — a philosophical approach to security that we think is essential for every business, organization or entity that has a presence online.

Simply stated, Zero Trust works on the assumption that you can’t separate the “good guys” from the “bad guys.” Traditional approaches that focused on establishing a strong perimeter to keep the bad guys out no longer work. Resources (data, applications, infrastructure, devices) are increasingly hybrid or outside of this perimeter entirely. With Zero Trust, no actor can be trusted until they’re verified. It’s a holistic, strategic approach to security that ensures that everyone and every device granted access is who and what they say they are.

In today’s world, data is spread across an almost infinite number of services, devices, applications and people. It’s not enough to slap a password onto something or set up a firewall or some other kind of perimeter. During his presentation at this week’s Zero Trust Summit, Forrester analyst Dr. Chase Cunningham repeatedly told the audience that in the age of digital transformation, perimeters don’t exist and old approaches to security don’t stack up against the sophistication of today’s threats.

“People will say, ‘We’re doing things. We’re working on it,’” Dr. Cunningham said. “Well, guess what Target’s strategy was before the breach? Protect, detect, deter, respond. Guess what OMB’s strategy was before the breach? Protect, detect, deter, respond. That’s not a strategy. Those are things that you do. Those are pieces of it.

“If you stand up and say, ‘Our security strategy is to work towards a Zero Trust infrastructure.’ There it is,” he continued. “One sentence. Everyone can get behind that.”

The Three Elements

Zero Trust security is actually pretty simple. It is grounded on three core principles: 1. Verify every user; 2. Validate every device; 3. Intelligently limit access. This is, of course, easier said than done; but for organizations that adopt Zero Trust as a foundational security philosophy, it simply becomes how security happens.

Verify every user

Making sure people are who they say they are may sound obvious, but it often goes wrong when organizations rely on only one verification method like single sign-on. Single sign-on (SSO) has a lot of security advantages: users don’t have to type a password each time they want to use or access something, and it cuts down on the number of passwords users have to manage. But what if that one credential gets stolen, or someone doesn’t lock their computer when they get up from their desk? In that case, SSO leads to a security gap.

To avoid this problem, SSO needs to be balanced with other technology such as multi-factor authentication (MFA). While MFA might conjure images of redirection runarounds or fumbling with physical keys, the technology has actually gotten a lot easier and smarter in the last few years. And when combined with SSO, it creates a tight web of security around an organization’s network… but it is still not tight enough. Ultimately you need to balance security and end-user experience — it may still be too much for end users to be constantly prompted for additional factors of authentication.

That’s where a bit of intelligence and context in the form of behavior-based access comes in. Using machine learning and intelligent technology, organizations can start to learn the normal behavior of their employees — and when they detect a deviation from that baseline, can block an employee’s access until they go through another round of authentication.

Validate every device

Nowadays, nearly everyone has their devices locked down with a password of some sort, and that is unequivocally a great thing. Remember, however, that passwords are only one piece of the puzzle. To ensure real safety, devices must also have adaptive MFA to go along with that password.

When MFA-supported passwords are combined with some level of device management, the right policies are put on the device and locked in place, and the context of the device (where it’s used, what browser it has, etc.) is always understood, then it’s safe to make an access decision.

Intelligently limit access

The last element to Zero Trust is understanding who uses an organization’s resources. Ask yourself: Who are we granting access to? What do they need to accomplish their job and how are we managing that? Make sure that on day one, a user is productive, they have access to the accounts they need, and devices are set up with the clients they need. When they change roles, their access likewise changes to fit their new job, or if they leave, those privileges are automatically revoked.

Most importantly, it is essential that all these capabilities are integrated and work together so they can be applied in real time without adding delays to access decisions for APIs, or for users who are logging onto applications.

The Zero Trust Advantage

So what happens when organizations adopt a Zero Trust strategy? Beyond protecting valuable data by reducing the chance of a breach, there’s also a bottom line benefit. Studies have shown that Zero Trust approaches result in 50 percent fewer breaches and that companies spend 40 percent less on technology because everything in integrated.

But most importantly, a solid security strategy creates an organization that gets things done. According to a recent Forrester study, companies that adopted Zero Trust were twice as confident in their ability to bring new business models and customer experiences to market. Preventing attacks is great, but making products and experiences that customers love is what makes a company great.

That’s Zero Trust.

Corey Williams

Corey Williams – Idaptive
Corey
Williams
Vice President, Marketing

Corey Williams is the Vice President of Marketing & Strategy and lead evangelist for Idaptive, leading all marketing functions, as well as market development and strategy. Corey served as the Senior Director of Products and Marketing for more than a decade at Centrify where he was the visionary behind, and the first product manager of, the set of products that were ultimately spun out of Centrify to become Idaptive, including leading SaaS services for Single Sign-on (SSO)Adaptive Multi-factor Authentication (MFA)endpoint and mobile context, and User Behavior and Risk Analytics (UBA).

 While at Centrify, Corey defined and brought to market seven net-new product offerings directly contributing to the growth of the existing customer base from less than 400 customers to over 5000 customers. He also led efforts with major industry analysts that directly resulted in Centrify being named as a leader in all of the major analyst reports including the Gartner Magic Quadrant and Critical Capabilities reports for Access Management, Worldwide; Forrester IDaaS Wave; KuppingerCole Cloud MFA Leadership Compass; and Network World Clear Choice Winner for Single Sign-on Solutions.

Corey is a frequent speaker and commentator on IT Security and IT Management. He has authored several publications, including “Zero Trust Security for Dummies”, a leading guide for enterprise managers.

Prior to Centrify, Corey led products and marketing for SpikeSource (acquired by Black Duck Software), Syndera (acquired by Tibco), and Journee Software (acquired by Initiate Systems). Earlier in his career, he managed pre- and post-sales consulting for Active Software (acquired by webMethods). 

Corey holds degrees in Mathematics (BS) and Computer Science (BS) from New Mexico State University, as well as an MS in Engineering and an MBA from San Jose State University. 

CHAMELEON-LIKE SUPERPOWER

If Corey could have any chameleon-like superpower, it would be the chameleon's tongue, which is ridiculously fast. Some of the world's smallest chameleons have the world's fastest tongues. In automotive terms, the tongue could go from 0 to 60 miles per hour in a hundredth of a second! “I would be able to complete webinars in 4.5 seconds instead of 45 minutes!”