CISO Summit No 25
In light of ever-increasing and more rewarding criminal activities, “Zero Trust” promises a solution. But what does it mean, and how to implement it?
Zero Trust is perceived as a practical approach in today’s cloud-first world. But what does it take to move from a Zero Trust strategy to active implementation? Gartner recommends the following measures as best practices for building a Zero Trust foundation:
- Create a secure, standard federated identity management system
- Apply adaptive access for more granular resource and access control
- Roll out user-to-application segmentation (Zero Trust Network Access (ZTNA))
Today, a cloud-first strategy can be considered default and promotes building software directly in the cloud rather than building on-premises and migrating to the cloud. The goal is to create software faster and reduce the overhead associated with on-premises resources and cloud migration.
The platform advantages of a cloud-first approach are flexibility, less overhead, more resources available without investments (i.e. cost-effective upgrades), improved recovery abilities, support options from the cloud provider, faster release cycles, and an integrated option for collaboration. The business advantages include innovation, new business models, and new composition and design of applications.
Secure identities play a central role in the cloud and in Zero Trust: with two or more factors, we can pin down the acting identity and hold it responsible for its actions.
The Zero Trust model (NIST 800-207) applies the following principles:
- Permanent control: access must be controlled at any time for any resources.
- Limitation of impact: through segregation, the impact of a compromise is limited. Lateral movement is not possible.
- Automated context detection and reaction: behavioral data are analyzed, and the contexts of all information technologies (Identity, End-device, Workload, etc.) are gathered and processed such that targeted responses are enabled.
These nice “promises” are compelling. First, however, we need to reflect on how to implement Zero Trust, which steps must be taken, and whether the security gain justifies the investment and work effort. The more fine-grained the access control we implement, the more work must be invested in its design and implementation: What is the CISO’s experience? Where should the refinement of access control be cut off to limit effort? And at what point is the second line of defense (SOC) the better option?
We want an open exchange to create a sharp picture of the prerequisites for successfully implementing Zero Trust and for achieving resilience in defending our system against new forms of attack.
All Day (Tuesday)
Zunfthaus zur Schmiden, Zurich
Marktgasse 20, Zurich