POWERED BY
INTELLIGENT BRANDS // Enterprise Security
The new security mandate:
Never trust, always verify
/////////////////////////////
Organisations are
coming to realise that
merely a user name and
password are not enough
to secure their cyber
existence. And as Kamel
Heus, Regional Manager –
MEA at Centrify explains,
a ‘zero trust security
approach’ is increasingly
gaining acceptance.
year, yet we continue to read headlines
validating that companies can’t address
the threats fast enough, regardless of
the growing list of vendors and solutions
available. What’s even more surprising is
that less than 10% of that spend is allocated
for identity and access management. The second step is to validate the
endpoint, or the device being used by the
end user. Once an end user’s device has
been enrolled and validated, the same
device is associated with some the user to
validate an element of trust the next time
it is used.
Repeated mega breaches in cybersecurity
have forced experts and vendors to relook
at the basic underlying best practices and
assumptions that have been adopted in the
past and question their viability. However, if the end user chooses to use
another device, from another location, then
the credentials of that device will need to be
authenticated and enrolled before the end
user can gain access into the organisation
using that endpoint device.
The revolutionary concept of zero trust
security assumes that the threat actor may
be already within an organisation and is
posing as an employee. Or alternatively, has
assumed the credentials of an employee.
The concept of zero trust seeks to limit the
opportunity of such an internal threat actor
to use the assumed employee credentials
and breach other parts of the organisation.
Previous cybersecurity practices assumed the
integrity of a user’s credentials at face value
and chose to verify them subsequently. In
the new paradigm, any user is never trusted
until both their credentials and device are
rigorously verified.
Kamel Heus, Regional Manager –
MEA at Centrify
T
he concept of zero trust is as profound
in cybersecurity as the sweeping
transformation generated by the arrival
of cloud, mobility agility and availability.
Gartner projects that worldwide security
spending will reach US$96 billion this
www.intelligentcio.com
Identity access management solutions further
grant the user access to the organisation’s
resources, but only as much to complete their
task, mandated by their job role.
The zero trust security best practice
uses a four-step approach
The first step is to verify the legitimacy of
the user beyond the credentials of their
username and password. Multi-factor
authentication using personal information,
or another known device of the employee is
the usual add-on practice.
Once the user and his or her device has been
authenticated, the third step grants access
to an organisation’s assets, but only as much
as required for the task specified by their
role. Users can therefore access multiple
applications and compute resources only if it
is required for their role. The more critical an
application or a compute resource, the less
access granted to an end user.
The last step is to make internal systems
self-learning and adaptive through Machine
Learning. While organisations need to be
increasingly secure, continuously hindering
employee productivity can lead to an
anarchical internal work environment.
Hence, it is critical that internal cybersecurity
applications learn from user behaviour and
enable their productivity in near normal
situations but raise red flags whenever there
is a deviation from the normal.
Other learnings that emerge could help Chief
Security Officers to moderate and adjust
security policies to balance organisational
concerns and employee productivity.
Organisations adopting a zero trust
approach will increasingly find that it is the
right path forward to rebuild their user and
resource access policies. n
INTELLIGENTCIO
71