Zero Trust, Total Verification with Core

From BYOD to shadow IT, the network perimeter has changed forever in 2020


Published: December 7, 2020

Maya Middlemiss

When everyone worked in the same building, the typical CISO job was fundamentally about enablement and monitoring — as Shannon Johnston, Practice Lead at Core, reflected: “They had to think about patching anti-virus malware, but when people worked within those 4 walls, it was more about can people do their jobs, is anything blocking them… Because the network itself was secure within that environment.”

Today, though, that work is being done from anywhere, on a diverse range of devices, networks and even applications, which creates a whole world of new vulnerabilities. The perimeter suddenly has an infinite surface area. The only effective solution is to adopt a zero-trust mindset.

100% authentication, every session

“It’s a multi-layered approach, which starts from the position that you deny every connection, at every point, unless verified”, Core Client Solutions Director, Eamon McGann, explained. “You can’t take a perimeter-based view of security when your boundaries are all over the place. So you have to adopt a really strong data governance and compliance strategy to protect your data and assets.”

“When we talk about zero trust we need to satisfy a range of conditions,” Johnston elaborated. “Firstly we need to verify the person explicitly, using telemetry and all the other signals that we can. Are they using a corporate device, BYOD?” A username and password is definitely no longer enough, and authentication will take place on multiple levels.

“Am I in the office, working from home, or the internet café down the road? Am I in an airport lounge? … All these different signals and bits of information enable us to verify explicitly who that person is, what they’re doing, and what the environment looks like — it means using all those signals in cohort.”

As McGann continued,

“There are so many layers to zero trust, but functionality like biometric identification means we’re protecting the user before they even know about it.”

Secure but simple

This is important because of the age-old conflict between security and UX, which has led to passwords written down on post-it notes and endless user-generated risks. Locking it down from the organisational end as much as possible ensures that the data and communications can only be accessed by approved devices, using an acceptable range of applications in the most secure way, and that every login is viewed as potentially hostile — until clearly proven otherwise.

It’s a 24-7 dynamic process, because of the way we work together now. If we’re remote, we often don’t realise when we connect to a different mobile network, which could have a very different security level and therefore change the risk profile of that session. “Nothing’s really changed, except you walked down the path in your garden”, explained Johnston. “But suddenly you’re on a public network. So if you were accessing for example the HR application, we might want to flag that or block it, because although the risk is low, it could be intercepted.”

Core can support the implementation of a policy which specifically respects the qualitative risk of each data asset, and combine it with the intelligence of the Microsoft network, to create an environment which is appropriately vigilant without being intrusive and disruptive.

Protecting the weakest link

This functionality has been available within the Microsoft toolkit for a while, but it has taken a change in the threat landscape to encourage many to explore its potential and implementation.

But as Johnston concluded, with a timely reminder, the human users are always the weakest link anyway.

“It comes back to the people. If people are not educated, and they’re not trained on how to deal with these things, companies can still be susceptible to very simple mistakes.”

“So add all these extra bits, yes, absolutely. But keeping it simple, keeping the users informed and educated is equally important.”

Get to the heart of your security strategy with Core’s complimentary discovery session

Core’s complimentary, no-obligation two-hour Discovery Session is designed to help you identify key priorities and areas for improvement in your technology strategy, with a specific focus on security & compliance. You’ll speak to Eamon McGann, Core’s Client Solutions Director, who has over 30 years of industry experience, and Kat Greenan, Core’s resident Microsoft Solutions Specialist.

Together, they can help provide clear and pragmatic insights into the business value of, and operational considerations for, a successful Microsoft-technology enablement plan.

Book your Two Hour Discovery Session today

 

 
