Neil Thacker is EMEA CISO at SASE provider Netskope, with more than 20 years of experience working in the information security industry. Neil recently spoke with us about Zero Trust and how companies can approach trust in this new remote work environment.
What is Netskope's philosophy regarding Zero Trust in the Cloud?
Zero Trust's original principles focused on proving identity and device use. This shifts the central tenet of security policies away from "trust but verify" to "verify then trust". In practice, however, that statement is problematically finite. It is permissive in non-static environments, but rigid and inflexible in other environments.
Verify then trust means that you are guaranteed to be able to continue your business in perpetuity after verification. Permanent blocking is possible if the verification fails. The first option leaves a significant void in an organisation’s defences. The second will have a negative impact on business productivity.
Netskope believes that what is needed in a cloud-first and perimeterless environment is something that is continuously adaptable. In such a complex environment, the unambiguous verbiage of "zero" is not appropriate. To grade permissions effectively, context is crucial.
Our approach is based on continuous adaptive trust. We use insight to issue and retract dynamic permits so that organisations can maximize business productivity without unnecessary exposure.
How has remote working changed the way companies approach this problem?
Traditional remote access VPN solutions have come under considerable pressure as organizations switched to remote work. Many remote access solutions fell apart because they were not made for cloud and relied upon workarounds and ad-hoc routing in order to allow remote access.
These challenges have led to companies switching to Zero Trust Network Access (ZTNA) which reduces the chance of malicious insiders and cybercriminals gaining remote access to networks, applications, and data in private or public clouds.
ZTNA can be delivered in the cloud using a high-capacity global network infrastructure. Remote access can be enabled to meet any dramatic increase in remote work requirements without slowing down access times or routing data unnecessarily.
How can you balance restriction and permission?
Security professionals love Zero Trust because it is unambiguously safe and secure. You can’t get hurt if you don’t trust anyone. Security professionals may joke about how much easier their jobs would be if they didn’t have to give access to employees. However, we must admit that granting access is just as important as restricting and blocking.
This means it is important to adopt a nuanced, context-driven approach, rather than rigid, inflexible rules.
This type of continuous adaptive trust approach has three key benefits:
- There are more ways to provide some access in the majority of security decisions, reorienting them away from "no" towards "yes, but with conditions"
- Inappropriate access is restricted, reducing the fallout area should an account be compromised
- Security teams have visibility of sensitive data types, locations and movements
You can manage concerns about access by creating a more flexible and adaptable environment and communicating the reasons why restrictions were placed.
Can you please explain how SASE supports continuously adaptive trust?
Secure Access Service Edge (SASE), a relatively new architectural model, is used to secure a perimeterless IT real-estate such as the cloud. It is a great tool for Zero Trust projects because it gives you visibility and insight.
When companies adopt a SASE structure, it is possible for them to create an environment of continuous adaptive trust across users, devices and networks. The SASE platform's rich contextual insight eliminates the need for implicit trust and allows permission decisions to be made without relying on one piece of information (e.g. an IP address). A tailored set of parameters can be used to make decisions. These parameters are constantly being reassessed and built using multiple contextual elements that are intertwined (e.g. user identity + device ID + time + location + business role + data kind).
SASE follows the data and not users or devices. As such, the resource is effectively determining the appropriate level for each interaction. A manager might need to have regular access to a certain data set at the quarter’s end to conduct regular analysis. However, they may not need access beyond this time period. Access to the SASE environment can be restricted to these parameters.
In today’s cloud environment, trust assessment at the beginning of an interaction is not sufficient. This trust assessment must take place not only during the initial interaction, but throughout an employee’s entire career. SASE is a way to continuously evaluate the context of every interaction and make adjustments to the type of access that is most appropriate in real-time.
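The contextual, continuously re-evaluated permission model described in the two answers above (decisions that move from "no" to "yes, with conditions", built from user identity, device, time, location, business role and data kind, and re-assessed throughout a session rather than once at login) can be made concrete with a small policy evaluator. The block below is an added illustration written for this page; it is not Netskope's product logic and not the interviewee's own code. Every rule in it is an assumption chosen for the example: the role names, the quarter-close window (the last ten days of a quarter-end month), the home countries, the business hours and the sample session are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    ALLOW_WITH_CONDITIONS = "allow-with-conditions"
    DENY = "deny"


@dataclass(frozen=True)
class Context:
    """The intertwined signals one decision is built from (never a single IP)."""
    user: str
    role: str             # business role, e.g. "finance", "manager", "engineer"
    device_managed: bool  # device posture: corporate-managed or personal
    country: str          # ISO country code of the current location
    data_kind: str        # "public", "internal" or "financial"
    when: datetime        # time of this interaction


@dataclass(frozen=True)
class Verdict:
    decision: Decision
    conditions: tuple = ()
    reason: str = ""


# All thresholds below are assumptions made for this example.
SENSITIVE = {"financial"}
HOME_COUNTRIES = {"GB", "IE"}
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59


def in_quarter_close(when: datetime) -> bool:
    """Assumed quarter-close window: last ten days of March, June, September, December."""
    return when.month in (3, 6, 9, 12) and when.day >= 21


def evaluate(ctx: Context) -> Verdict:
    """Decide one interaction from the full context. Hard denies are limited to
    cases with no business need; everything else is narrowed, not blocked."""
    if ctx.data_kind == "public":
        return Verdict(Decision.ALLOW, reason="public data")

    if ctx.data_kind in SENSITIVE and not ctx.device_managed:
        return Verdict(Decision.DENY, reason="sensitive data from an unmanaged device")

    if ctx.data_kind == "financial":
        finance_need = ctx.role == "finance" or (
            ctx.role == "manager" and in_quarter_close(ctx.when)
        )
        if not finance_need:
            return Verdict(Decision.DENY, reason=f"role {ctx.role!r} has no current need for financial data")

    # A business need exists: tighten the grant instead of refusing it.
    conditions = []
    if ctx.country not in HOME_COUNTRIES:
        conditions.append("step-up-mfa")   # unfamiliar location
    if ctx.when.hour not in BUSINESS_HOURS:
        conditions.append("no-download")   # off-hours: view, but do not pull data out
    if not ctx.device_managed:
        conditions.append("read-only")     # internal data on a personal device
    if conditions:
        return Verdict(Decision.ALLOW_WITH_CONDITIONS, tuple(conditions), "allowed with context-derived conditions")
    return Verdict(Decision.ALLOW, reason="all context signals within policy")


def track_session(contexts) -> list:
    """Re-evaluate a session each time its context changes and return the decision
    transitions, i.e. the points where a permit is issued, narrowed or retracted."""
    transitions, last = [], None
    for ctx in contexts:
        verdict = evaluate(ctx)
        if verdict.decision != last:
            transitions.append((ctx.when.isoformat(), verdict.decision, verdict.reason))
            last = verdict.decision
    return transitions


def make_context(role, device_managed, country, data_kind, when_iso, user="alice") -> Context:
    return Context(user, role, device_managed, country, data_kind, datetime.fromisoformat(when_iso))


def demo_session() -> list:
    """Constructed sample: a manager's access to the quarter-end data set over time."""
    return [
        make_context("manager", True, "GB", "financial", "2024-03-28T10:00"),  # quarter close, in hours
        make_context("manager", True, "GB", "financial", "2024-03-28T22:00"),  # same day, off-hours
        make_context("manager", True, "GB", "financial", "2024-04-02T09:00"),  # window has passed
    ]


if __name__ == "__main__":
    for when, decision, reason in track_session(demo_session()):
        print(f"{when}  {decision.value:<22} {reason}")
```

The point of `track_session` is the retraction: the same manager, on the same managed device, is fully allowed during the quarter-close window, is narrowed to "no-download" when the time-of-day signal changes, and loses access altogether once the window passes, without any rule ever having to name the user explicitly. The `ALLOW_WITH_CONDITIONS` branch is where most real decisions land; a deny-only engine would have no such branch.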
How can organisations prioritise cloud security without compromising network performance?
Security and networking teams are aware of the need for closer collaboration. Many are even looking to consolidate budgets and teams, adopting a SASE architecture (Secure Access Service Edge) to ensure that neither performance nor protection are de-prioritised.
These transitions are difficult. I find it helpful to agree on a set of metrics that measure digital risk, network performance and user experience from the beginning. This allows for a better consensus before making any procurement decisions. SASE can also provide greater visibility, which allows for better collaboration. It gives you a true view of the business, with a wealth of detail. This allows teams to identify service and policy opportunities, as well as to identify emerging risks and develop strategies to manage them within a risk appetite.
What role does the workforce play in maintaining trust and adaptability?
Information security is something that every employee should be aware of. Security teams must ensure they are up to date with new threats and risks to the cloud, but we cannot expect employees without education to recognise and navigate the efforts of malicious actors.
A state of adaptive trust can help mitigate the impact of a breach once it occurs. However, it only takes one error or misconfiguration to passively expose sensitive or regulated data. Malicious actors are working hard to make their traps harder for employees to spot.
It is our responsibility to equip the workforce to protect data. The traditional message of "don't click on suspicious links" is no longer effective. Raising awareness is the first step, but the goal needs to be activation: when people feel accountable and responsible for security, reaching a point where every employee comes with a mindset of continually adaptive trust, then you are able to mitigate those threats before they even get to the security team.