John Kindervag, a principal analyst at Forrester, has developed an interesting approach to securing the extended enterprise. He calls it the Zero Trust Model which he describes in this article: Adopt Zero Trust to help secure the extended enterprise.
First, let me say I am not connected to Forrester in any way. I am connected to John Kindervag on LinkedIn based on a relationship from a prior company.
Second, the Zero Trust Model rings true for me in that the incident data available for review shows that we must assume prevention controls can never be perfect. We must assume that (1) devices, including the user authentication credentials on them, will be compromised, and (2) some users interacting with systems will behave badly, either accidentally or on purpose.
John uses the term Extended Enterprise to refer to an organization’s functional network which extends to (1) remote and mobile employees and contractors connecting via smartphones and tablets as well as laptops, and (2) business partners.
The Zero Trust Model of information security simplifies how information security is conceptualized by assuming there are no longer “trusted” interfaces, applications, traffic, networks or users. It takes the old model — “trust but verify” — and inverts it, since recent breaches have proven that when an organization trusts, it doesn’t verify.
Here are the three basic ideas behind the Zero Trust Model:
- Ensure all resources are accessed securely – regardless of location
- Adopt the principle of least privilege, and strictly enforce access control
- Inspect and log all traffic
Here are Kindervag’s (Forrester) top recommendations:
- Conduct a data discovery and classification project
- Embrace encryption
- Deploy NAV (Network Analysis & Visibility) tools to watch dataflows and user behavior
- Begin designing a zero-trust network