John Michael, CEO, iStorage examines the role of Zero Trust at a time of growing cybersecurity concern and looks at the need for greater security measures to protect business data.
The security of IT systems and services remains a critical priority for businesses. As global relations between east and west remain fraught, the possibility of state-sponsored actors launching cyber-attacks as a way to bring down western infrastructure means that organisations should be doing all they can to safeguard digital assets. Complying with cybersecurity principles and seeking new ways to improve defences should be a priority. Yet, even with mounting evidence as to the threat we face, many companies are slow to act and risk having their data compromised.
Zero Trust is rapidly becoming the standard in security. Taking a Zero Trust approach involves removing the implicit trust given to individuals, tasks and computer systems. With the increasing sophistication of cyber criminality, and an alarming increase in attacks perpetrated as part of ransomware-as-a-service, this implicit trust only helps today’s hackers who can access a system and dwell undetected before making their move. Zero Trust, then, aims to address the overly generous level of trust present in many organisations’ IT infrastructure by always verifying digital activity to improve security posture.
Verifying access and the use of secure encryption
Adoption of a Zero Trust approach means that cyber defences never allow long-term access to information and continuously check that any access is in keeping with a strict set of policies. The US Government’s National Institute for Science and Technology (NIST) has set out guidelines that are regularly reviewed[1] and have now been adopted by the UK Government[2], among others. A Zero Trust IT architecture ensures companies exercise constant vigilance and reduce access to information for employees and computer processes down to a need-to-know structure. This way, permissions don’t linger, denying attackers the chance to spread widely around the network.
While every organisation works differently, there are general rules. If an organisation’s user credentials have been compromised, usernames and passwords can give away excessive levels of access to intruders which quickly becomes difficult to trace, amplifying the damage that can be done. With Zero Trust, an organisation needs to be clear on what kind of access its users need, mapping out their identities against the permissions they require. While this process represents an investment of both time and business resources, the protection gained is immense.
It’s important to consider the measures that businesses can take to further safeguard data by augmenting the Zero Trust approach. Secure encryption is one such method, enabling the security of key files to be enhanced as well as any communications that take place between client apps and servers. While many organisations rely on cloud providers who offer encryption services, the encryption key required to unlock the data is also often stored in the cloud, making it potentially accessible to malicious threat actors. For absolute data security the business needs to retain full control of the encryption key, and to ensure that it is stored separately to its data.
Mapping a secure approach to NIST’s seven tenets
NIST has distilled the philosophy of Zero Trust into seven core tenets. These tenets provide clear guidance in order to produce and implement a true Zero Trust approach. Encryption is a powerful means of protecting confidential data and helps businesses in building their Zero Trust processes. Encryption maps to several of the tenets as follows:
Tenet 1: All data sources and computing services are considered resources
– Encryption devices can be viewed as resources that, once connected, become part of the company network. Shifting away from wide network perimeters to a narrower focus on removing implicit trust and granting access only when required, ensures that the encryption device resource remains highly secure, helping to protect the wider network.
Tenet 3: Access to individual enterprise resources is granted on a per-session basis
– Encrypted data can only be accessed using a secure encryption module which has a unique randomly generated encrypted encryption key, enabling access permissions for each individual to be tightly controlled, with the enterprise retaining centralised management and control of each session.
Tenet 4: Access to resources is determined by dynamic policy, including the observable state of client identity, application, service, and the requesting asset
– With a remotely managed encrypted drive, any action that infringes policy can be rectified. For example, in the case of an individual who retains a device but is no longer an employee, data can be remotely erased by the IT department. In addition, geo-location and time-fencing parameters ensure that restrictions on where and when a drive can be accessed are set and enforced.
Tenet 5: The enterprise monitors and measures the integrity and security posture of all owned and associated assets
– The use of AES 256 military-grade encryption ensures that complete data integrity is maintained, even when brute force action is used, so the enterprise can be certain that its information remains secure.
With cyber threats evolving so rapidly, adopting a Zero Trust approach, and ensuring that the means to improve security map to as many of NIST’s tenets as closely as possible, will greatly improve an organisation’s security posture. Secure encryption, particularly when transferring and sharing information, and the regular backing-up of all company files, will ensure complete compliance with privacy and confidentiality laws. This severely limits the chances of a data breach and, ultimately, results in having safer data.
Learn more about data security:
https://istorage-uk.com/
About the author
John Michael, CEO, iStorage
After constantly reading about increasing data loss incidents, iStorage CEO and Founder, John Michael, saw this was clearly a growing problem with damaging consequences and identified a huge gap in the market to establish a business offering ultra-secure, easy-to-use and affordable data storage devices. Applying his 35 years’ worth of knowledge and experience within the data storage space enabled John to come up with ideas for products that would resolve such problems.
About iStorage
iStorage is the trusted global leader of award-winning, PIN authenticated, hardware encrypted portable data storage & cloud encryption devices. iStorage offers the most innovative range of products to securely encrypt, store and protect data to military standards; safeguarding valuable and sensitive data to ensure compliance with stringent regulations and directives such as GDPR, HIPAA, SOX, NRC, GLB and DHS Initiatives. Today, iStorage products are used by government, military, multinational corporations as well as consumers in over 50 countries, with the mantra that encryption is an essential commodity required by all. Learn more at https://istorage-uk.com
[1] https://www.nist.gov/publications/zero-trust-architecture
[2] https://github.com/ukncsc/zero-trust-architecture
