INTELLIGENT BRANDS // Enterprise Security
The same controls exist for all types of users
including administrators, who are usually the
prime targets for any threat actor because
they usually have the ‘keys to the kingdom.’
The underlying control here is to limit lateral
access of end users into multiple applications
and compute resources, unless required for
any specified task.
Kamel Heus,
Regional Manager –
MEA at Centrify
The last step is to make internal
systems self-learning and adaptive
through Machine Learning. While
organisations need to be increasingly
secure, continuously hindering employee
productivity can lead to an anarchical
internal work environment.
Hence, it is critical that internal cybersecurity
applications learn from user behaviour and
enable their productivity in near normal
situations but raise red flags whenever there
is a deviation from the normal.
Previous cybersecurity practices assumed the
integrity of a user’s credentials at face value
and chose to verify them subsequently. In
the new paradigm, no user is trusted
until both their credentials and device are
rigorously verified.
Identity access management solutions
further grant the user access to the
organisation’s resources, but only as much
as is needed to complete their task, as
mandated by their job role.
In this scenario, the employee or user is
never trusted to access an organisation’s
resources, even those he or she is entitled to. It
is assumed that a threat actor can assume
the credentials of any user, at any time, and
must therefore be limited in their access to
an organisation’s assets and resources.
In short, the user is never trusted and
always verified during their access to an
organisation’s assets.
The zero trust security best practice is
applied to all types of users including the
end-user of IT, privileged user, supplier,
customer or partner. It also applies to all
types of resources and assets whether
through an application or compute
infrastructure resource.
INTELLIGENTCIO
The zero trust security best practice
uses a four-step approach
The first step is to verify the legitimacy of
the user beyond the credentials of their
username and password. Multi-factor
authentication using personal information
or another known device of the employee is
the usual add-on practice.
The second step is to validate the endpoint,
or the device being used by the end user.
Once an end user’s device has been
enrolled and validated, the same device
is associated with the user to validate an
element of trust the next time it is used.
However, if the end user chooses to use
another device, from another location, then
the credentials of that device will need
to be authenticated and enrolled before
the end user can gain access into the
organisation using that endpoint device.
Once the user and his or her device have been
authenticated, the third step grants access
to an organisation’s assets, but only as much
as required for the task specified by their
role. Users can therefore access multiple
applications and compute resources only if it
is required for their role. The more critical an
application or a compute resource, the less
access granted to an end user.
Other learnings that emerge could help chief
security officers to moderate and adjust
security policies to balance organisational
concerns and employee productivity.
Organisations adopting a zero trust
approach will increasingly find that it is the
right path forward to rebuild their user and
resource access policies.
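The four steps described in this article, sketched as a single access decision. This is an added example, not code from the article or from Centrify. The users, roles, resources, access history, the hour-and-country baseline (a simple stand-in for the machine-learning step) and the rule that a deviation blocks critical resources but only triggers re-verification elsewhere are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# All names and data below are constructed for illustration.
ROLE_GRANTS = {"hr-analyst": {"hr-portal"}, "db-admin": {"hr-portal", "prod-db"}}
CRITICAL = {"prod-db"}                                   # most sensitive resources
ENROLLED = {("alice", "laptop-01"), ("bob", "laptop-07")}  # user/device pairs
# Past approved accesses: (user, hour of day, country)
HISTORY = [("alice", 9, "AE"), ("alice", 10, "AE"), ("alice", 14, "AE"),
           ("bob", 8, "AE"), ("bob", 22, "AE"), ("bob", 23, "AE")]

@dataclass
class Request:
    user: str
    role: str
    device: str
    resource: str
    password_ok: bool
    mfa_ok: bool
    hour: int
    country: str

def learn_baseline(history, slack=2):
    """Step 4 stand-in: record each user's usual hours (+/- slack) and countries."""
    hours, countries = defaultdict(set), defaultdict(set)
    for user, hour, country in history:
        hours[user].update((hour + d) % 24 for d in range(-slack, slack + 1))
        countries[user].add(country)
    return hours, countries

def decide(req, baseline):
    """Return (decision, reason); every step must pass, in order."""
    hours, countries = baseline
    if not (req.password_ok and req.mfa_ok):                  # step 1: verify user
        return "deny", "user not verified with MFA"
    if (req.user, req.device) not in ENROLLED:                # step 2: validate device
        return "deny", "device not enrolled for this user"
    if req.resource not in ROLE_GRANTS.get(req.role, set()):  # step 3: limit access
        return "deny", "resource not required for role"
    normal = (req.hour in hours.get(req.user, set())          # step 4: learn and adapt
              and req.country in countries.get(req.user, set()))
    if normal:
        return "allow", "within learned behaviour"
    if req.resource in CRITICAL:
        return "deny", "deviation on critical resource"
    return "step-up", "deviation: re-verify user"
```

A request that passes the first three steps but falls outside the learned baseline is the "red flag" case: it is not silently allowed, and how hard it is stopped depends on how critical the resource is.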