In IT Security: Never Trust, Always Verify
Author: Duncan Bowling
It used to be that firewalls were a good guarantee of safety. Users, devices and applications behind the wall were implicitly trusted to operate within an organisation’s IT environment.
However, a string of high-profile cyber-attacks has ushered in the wave of ‘zero trust’ firewall architectures.
The same shift is taking place in the cloud and managed service provider space. With cloud and service providers taking a larger role in enterprise strategies, finding trustworthy service providers is now a key concern for enterprises. Meanwhile, service providers are striving to prove they can be trusted.
But maybe, in all these cases, it really isn’t about trust; maybe what enterprises are looking for is proof.
Bridging the Trust Gap
With cloud use on the rise, organisations are steadily surrendering control and visibility of their overall IT ecosystems to providers. But enterprises are losing faith in the traditional ‘black box’ approach. A gap in trust between service providers and enterprises may be growing.
‘Trust, but verify’ is no longer enough. Today, it may as well be ‘never trust, always verify… then verify again.’
This verification process can be very thorough. Enterprises seeking confidence in their cloud providers are also seeking transparency, and they ask a wide variety of questions. These fall into a few categories.
1. Data Access
Enterprises want proof that access has been permitted according to policy. Service providers must provide detailed proof about access to customer systems and data, and be able to answer any of the following questions:
- Who is accessing the asset?
- Where are they connecting from?
- Is it a safe connection?
- Do they have privileges that are in line with their normal pattern of access?
- Are they accessing the asset within an expected time window?
- What did they do while they had access?
2. Data Location
As data moves from datacentre to datacentre at a service provider’s discretion, enterprises are beginning to ask for real-time and historic location-specific information concerning their digital assets. If a company asks ‘where is my data located right now?’, an MSP should have the answer.
3. Security Incidents
In the event of a security incident, an MSP should be able to answer:
- When was the incident detected?
- Who performed the analysis?
- How long did it take before triage began?
- What is the current state of investigation and remediation?
Regardless of the provider, enterprises report that they only see what is escalated to them, leaving the organisation in the dark for hours, days or even weeks after an event.
Zero Trust Model
Thanks to the ever-changing cloud industry combined with the ever-present threat of cyber-attacks, the ‘trust, but verify’ approach to IT is obsolete. Many enterprises are shifting strategies to a zero-trust model that explicitly distrusts everything and everyone by default – every user, device and application, including cloud and service providers.
Proven cyber-security controls are mandatory for enterprises. Make sure your Cloud MSP can provide real-time transparency about each bump in the road.