
"Zero trust" is not paranoia; it's the smart approach to security

IT Best Practices Alert By Linda Musthaler, Essential Solutions, Network World
January 10, 2011 03:14 PM ET

I recently had a one-on-one discussion with Glenn Hazard, CEO of Xceedium, Inc. We talked about the changing nature of IT security and how, even though companies have spent heavily on perimeter defense, those investments in various technologies have not delivered the high level of security that was hoped for and needed.

Hazard points out that many companies now allow vendors, partners, outsource providers, and contractors inside their critical infrastructure, and this is changing the concept of who we trust. “In many cases, people we have never met are now responsible for providing systems administration for our enterprise infrastructure,” says Hazard. This is especially prevalent with government agencies that increasingly have engaged low-bid contractors to perform many critical IT functions such as network administration, configuration management and user provisioning. And, as more companies place computing resources in the cloud, it’s harder to know who is caring for those applications and devices.

“The contractors who are assigned the tasks of configuring and operating an organization’s IT infrastructure are a privileged community that can pose a risk to security,” says Hazard. The risk stems from unintentional actions, such as misconfiguring a device, as well as from intentional malfeasance, such as accessing confidential data. Hazard says it’s important to adopt a “zero trust” stance and ensure identity-based access to these systems. What’s more, the privileged user should only have access to the systems and resources he needs to perform his job.

The increasing complexity of compliance is also changing the security landscape. “New regulations and security mandates require continuous monitoring and enforcement of controls for users who access critical infrastructure or sensitive or regulated data,” says Hazard. “PCI, HIPAA, SOX, FISMA – name your regulation. They all require tight control over who is accessing what, along with the ability to produce audit trails and reports to prove the actions of privileged users.”

A third scenario that is adding to the complexity of IT security is the movement to new computing models. “Server virtualization and cloud computing stretch the boundaries of existing perimeter security technology,” says Hazard. Organizations are especially fearful of inadvertently allowing access to one virtualized application or system through another – a situation Hazard calls “leap frogging.”

Enterprise security officers are certainly feeling the pain of these issues. Among the challenges:
• How to enforce fine-grained access control on vendors, contractors and administrators (i.e., privileged users) without restricting their ability to do their jobs?
• How to contain these users so that they only have access and visibility to authorized resources?
• How to provide accountability and proof of compliance for mandated regulations?

Traditional access control solutions focus on giving users access to systems rather than proving their identity. Such a narrow focus can lead to cases of mistaken identity. Unfortunately, identity is one of several critical concerns legacy access control systems do not adequately address. Other key areas include entitlement (credential management), user monitoring, and auditing.
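As an added illustration of the identity, entitlement, monitoring and audit concerns just described, and of the three challenges listed above, here is a small Python policy model of a zero-trust access gateway. It is example code written for this page, not code from the article or from Xceedium: every privileged request is decided on a verified identity and the user's own entitlements rather than on where the request comes from, so the "leap frogging" case (reaching a second system from an authorized session on a first one) is denied, and every decision lands in an audit trail. The user names, system names and entitlements are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample entitlements: each privileged user (a contractor or
# vendor administrator) is granted only the systems and actions the job needs.
ENTITLEMENTS = {
    "contractor-jdoe": {"web-01": {"restart", "view-logs"}, "web-02": {"restart"}},
    "vendor-acme": {"db-01": {"view-logs"}},
}


@dataclass
class AccessRecord:
    user: str
    source: str
    target: str
    action: str
    allowed: bool
    reason: str


@dataclass
class ZeroTrustGateway:
    """Mediates every privileged request against a verified identity and
    per-user entitlements; the network location it arrives from is never trusted."""
    entitlements: dict
    audit: list = field(default_factory=list)

    def visible_systems(self, user):
        """Containment: a user can see only the systems they are entitled to."""
        return sorted(self.entitlements.get(user, {}))

    def request(self, user, identity_verified, source, target, action):
        """Decide one request, record it in the audit trail, return True if allowed."""
        if not identity_verified:
            reason = "identity not verified"  # a shared credential is not an identity
        elif action not in self.entitlements.get(user, {}).get(target, set()):
            # Also blocks leap-frogging: a request from an authorized web-01
            # session towards db-01 fails because db-01 is not entitled.
            reason = f"{user} not entitled to {action} on {target}"
        else:
            reason = "entitled"
        allowed = reason == "entitled"
        self.audit.append(AccessRecord(user, source, target, action, allowed, reason))
        return allowed

    def report(self, user):
        """Audit trail for one privileged user, as compliance evidence."""
        return [r for r in self.audit if r.user == user]


def demo():
    gw = ZeroTrustGateway(ENTITLEMENTS)
    gw.request("contractor-jdoe", True, "laptop", "web-01", "restart")    # job task
    gw.request("contractor-jdoe", True, "web-01", "db-01", "view-logs")   # leap frog
    gw.request("contractor-jdoe", False, "laptop", "web-02", "restart")   # unverified
    return gw
```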

Linda Musthaler is a principal analyst with Essential Solutions Corporation.
