Aug 24 2023

Google AI in Workspace Adds New Zero-Trust and Digital Sovereignty Controls

Category: AI, Zero trust | disc7 @ 1:48 pm

Google announced security enhancements to Google Workspace focused on enhancing threat defense controls with Google AI.


At a Google Cloud press event on Tuesday, the company announced Google Cloud’s rollout over the course of this year of new AI-powered data security tools bringing zero-trust features to Workspace, Drive, Gmail and data sovereignty. The enhancements to Google Drive, Gmail, the company’s security tools for IT and security center teams and more are designed to help global companies keep their data under lock and encrypted key and security operators outrun advancing threats.


The Executive Guide to Zero Trust: Drivers, Objectives, and Strategic Considerations

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Digital Sovereignty Controls


May 20 2023

3 tips to accelerate zero trust adoption

Category: Zero trust | disc7 @ 10:51 am

Zero trust adoption is beginning to accelerate as networks get more complex. Gartner predicts that by 2026, 10% of large enterprises will have a comprehensive, mature, and measurable zero-trust program in place (compared to just 1% today). But adoption has been slow; according to a 2023 PWC report, only 36% have started their journey to zero trust. What’s the hold up?

Integration and configuration at scale for zero trust is no small feat. From managing user experience (UX), to resource constraints and the cultural change required for adoption, zero trust can simply be challenging.

Historically, zero trust focused on networks and identity access but, over time, it has become a comprehensive approach to cybersecurity that requires a more holistic view of an organization’s IT infrastructure. Where zero trust previously rejected the notion that endpoints had a role, because the “perimeter no longer mattered,” those working through implementation now see that endpoints are a crucial component to a robust zero trust strategy.

While every enterprise is different, there are some common roadblocks that slow the adoption process. In this article, we’ll offer up some tips to overcome these challenges.

Zero trust adoption tips

Most organizations’ IT infrastructure comprises two crucial components – networks and endpoints. Think of the network as roads and the endpoints as the destination for attackers. These can include servers, virtual machines, workstations, desktops, laptops, tablets, mobile devices, and more. And they run multiple applications, store and manipulate data, connect to other data sources, etc.

Cybercriminals strive to attack and control these endpoints when diving deeper into enterprise networks. From there, they can gain additional credentials, move laterally, maintain persistence, and eventually exfiltrate data. Because these endpoints are in constant use (and their numbers are growing), it can be challenging to secure them. Layer on top of that misconfigurations, which account for approximately a quarter of endpoint compromises, and it’s clear that security teams need a more holistic security framework.

Let’s dive into the tips. While this is not a comprehensive list, hopefully it will help you and your team overcome some of the initial heartburn associated with zero trust adoption for endpoints.

1. Break down information silos and consolidate technologies where you can – Organizational structures that don’t support deep collaboration between IT and security will only exacerbate concerns about increased attack surfaces and worsen challenges around compliance requirements. For zero trust success, teams must break down information silos and share data across teams and solutions. Beyond the zero trust benefits, consolidation can significantly reduce the cost of maintaining multiple systems and greatly improve efficiency by reducing the complexity and redundancy of numerous tools for a single task.

2. Maintain a comprehensive asset inventory and get complete visibility of endpoints – You must know what you have to protect it. While this may seem unnecessary for zero trust approaches where the first rule is to not trust anything, knowing what is under management by your organization versus personal devices enables you to categorize how you validate and verify the trustworthiness of the endpoint. Now, this can be difficult, with challenges around complexity, lack of integration, human factors, and cost. But with on-demand asset discovery and real-time asset inventory, you should be able to achieve comprehensive visibility, giving you a clearer idea of endpoints that are actively managed versus devices that should be vetted more carefully.

3. Utilize automated policy-based controls for detection and remediation across asset types – Using staff to manually manage and enforce controls relies on human oversight and intervention to detect and remediate security issues. This is clearly no longer sustainable (especially as an organization scales), as evidenced by the increasing number of cyber-attacks and data breaches. Policy-based rules driven by automation can ensure security controls are consistently and uniformly applied across all assets and user activities. This can also eliminate manual tasks, such as requiring end users to accept a patch or update and restart their machines.

This kind of automated policy enforcement should also help fuel the policy enforcement or trust evaluation engine needed for zero trust implementations. With trusted policy-based profiles on hand, a trust evaluation engine can “ask” questions and assess a device or asset’s security posture. For example: Does it have a firewall on? Does it have the latest approved patches installed? Have any unknown programs been installed recently that have not been scanned with a vulnerability scanner?

Conclusion

As more and more organizations move to implement zero trust, it’s crucial to understand some of the key challenges associated with endpoint security. It requires a shift in mindset, an understanding of the requirements, and a set of tools that can help achieve a successful framework.

Tailoring the zero trust principles to meet your enterprise needs will help accelerate your journey. And hopefully these tips will help. To learn more about practical zero trust implementation guidance, check out some recent research by the National Institute of Standards and Technology and the National Cybersecurity Center of Excellence.


Tags: zero trust adoption


Feb 12 2023

The Comprehensive Playbook for Implementing Zero Trust Security

Category: Information Security, Security playbook, Zero trust | DISC @ 2:31 pm

Previous posts on Zero trust


Tags: Zero Trust Security


Dec 01 2022

Zero Trust Essentials eBook

Category: Zero trust | DISC @ 11:43 am

Zero Trust Security: An Enterprise Guide

Tags: Zero Trust Essentials, Zero Trust Security


Oct 20 2022

Protecting Your Cloud Environments With Zero Trust

Category: Zero trust | DISC @ 8:27 am

When moving to a cloud infrastructure, businesses should be looking toward a Zero Trust strategy. This security model protects the cloud from the inside out using the principle of least privilege to grant secure access to any company resource. Eliminating implicit trust helps prevent cloud-related data breaches and provides a security shield for remote workers that use BYOD (Bring Your Own Devices) to access corporate resources.

Zero Trust Prevents Compromised Credentials

Cloud environments are dynamic and require a lot of security, especially in a public cloud, where all data might not be protected and phishing attacks run rampant. In fact, 80% of cloud security incidents are due to stolen or lost credentials. Just earlier this year, the Lapsus$ ransomware group managed to breach a third party provider’s Okta authentication and even published screenshots for all to see.

This is where Zero Trust comes into the picture. Zero Trust helps mitigate unauthorized access in cloud environments by enforcing granular access to each user or device attempting to access a workload or resource. This added measure is essential for securing remote workers and third parties from any potential data leaks.

Organizations must adopt Zero Trust principles when building on cloud architectures. Here’s how your organization can successfully leverage the principles to keep cloud environments safe.

5 Ways Zero Trust Secures Cloud Environments

Always Assume a Threat

With traditional security methods, there’s no cause for concern until a threat is detected. And by that time, it’s too late. Zero trust automatically assumes by default that everyone using the network is a threat until verified.  

Continuous Authentication

Following the ‘never trust, always verify’ motto, users will be continuously asked to verify themselves. Not on a one-time basis, but each time they require access to a cloud resource. Multi-Factor Authentication (MFA) technology is an integral component of a successful Zero Trust strategy. 

Device Access Control

Zero Trust also monitors how many different devices are in the network as well as those trying to gain access at any given time. A proper Device Posture Check will ensure that every device is assessed for risk without any exposure to the network.

Microsegmentation

Microsegmentation is another way that Zero Trust protects cloud environments. It divides the infrastructure into smaller zones that require additional verification for access. This is also called minimizing the blast radius of a threat. 

Lateral movement can occur when an attacker infiltrates the outside barrier and moves within the network. Even when the entry point is discovered with a traditional security method, it can be difficult to detect the threat. During the time it takes to find them, they can move laterally and exfiltrate data. Every user in the network is required to be verified when they enter different zones, drastically reducing the possibility of a breach.

Logging & Monitoring

Having several methods of verification means nothing without constant monitoring. Inspect and log all traffic to identify any suspicious behavior or anomalies. Analyzing the log data can help quickly identify threats and improve security policies.

Zero Trust Security: An Enterprise Guide

Tags: Zero Trust, Zero Trust Security


Mar 14 2022

Building trust in a zero-trust environment

Category: Zero trust | DISC @ 9:32 pm

A recent study by MITRE and DTEX revealed that despite years of industry efforts against insider threats, there isn’t enough data – or systems advanced enough – to spot all malicious behavior. As companies work to build a corporate culture of cybersecurity, they’ve begun investing in zero-trust architectures to proactively cover all attack surfaces.

While this is a step in the right direction, this security method also has the potential to raise fear and generate negative responses from employees. This is especially a concern amid the Great Resignation; countless employees are leaving their jobs due to issues centered around work culture that no longer meets the demands of the modern employee. If taken as a sign of mistrust and poor faith, zero-trust security could spread resentment and demotivation among employees, potentially accelerating turnover rates and bringing the Great Resignation to its peak.

How can companies effectively navigate zero trust without creating friction among employers and employees? And how do they get there without the luxury of trust-building exercises in the close quarters of an in-office environment?

The thing is, zero trust doesn’t mean seeding mistrust throughout an organization’s networks. Companies shouldn’t have to rely on technologies alone for protection. Security is best applied when it’s a team effort. In other words, successful zero trust relies on a culture of transparency, communication, and consistency across the board. When appropriately understood and applied, these efforts can create a sustainable zero-trust work environment. So, how do we get there?

Create a culture of transparency and communication


Zero Trust Networks: Building Secure Systems in Untrusted Networks

Tags: Zero Trust, Zero Trust Networks


Aug 18 2021

Adopting Zero-Trust for API Security

Category: Access Control, App Security, Zero trust | DISC @ 11:56 am

Why Use Zero-Trust for API Security

Think of APIs as the new network; interconnected in complex ways and with API interactions happening both within and outside of the organization.

“Public-facing APIs—for example, consumer banking—are usually a key area of focus when it comes to zero-trust,” said Dunne. “This is due to the obvious risk exposure when APIs are documented and made available on the public internet.”

However, the larger risk is found in private and internal APIs, because there is a common assumption that since they aren’t documented or found on a public network, they aren’t exposed.

But as threat actors become more sophisticated in their search for and discovery of private APIs, there is increased risk of the bad guys gaining access to massive amounts of sensitive data. Private APIs need the same layers of protection as public-facing APIs.

“APIs are, by definition, atomic in nature—meaning they can be invoked independently,” explained Setu Kulkarni, vice president, strategy at NTT Application Security in an email interview. “That creates a real challenge for securing these APIs.”

Given that, Kulkarni added, a critical consideration for implementing zero-trust in APIs is to ensure that there is appropriate access control built into the API implementation. Every API function call requires not just authentication but also authorization. Also, adding zero-trust around session validation helps to prevent unintended data leakage.
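The per-call rule described above, sketched as an added example (not code from the quoted article): every handler, public or internal, goes through the same authentication, session validation and authorization gate. The token format, scope names, handler names and the demo key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"   # constructed value; use a secret store in practice
REVOKED_SESSIONS = {"sess-9"}      # constructed revocation list


class AccessDenied(Exception):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status, self.reason = status, reason


def issue_token(subject, scopes, session_id, expires_at):
    """Build a signed token: base64(JSON claims) + '.' + HMAC-SHA256 hex."""
    claims = {"sub": subject, "scopes": scopes, "sid": session_id, "exp": expires_at}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def authenticate(token, now):
    """Authentication plus session validation; returns the verified claims."""
    try:
        body, sig = token.rsplit(".", 1)
    except (ValueError, AttributeError):
        raise AccessDenied(401, "malformed token")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        raise AccessDenied(401, "bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now:
        raise AccessDenied(401, "token expired")
    if claims["sid"] in REVOKED_SESSIONS:
        raise AccessDenied(401, "session revoked")
    return claims


def guarded(required_scope):
    """Wrap a handler so each call is authenticated and then authorized."""
    def wrap(fn):
        def handler(token, *args, now=None):
            now = time.time() if now is None else now
            try:
                claims = authenticate(token, now)
                if required_scope not in claims["scopes"]:
                    raise AccessDenied(403, "missing scope " + required_scope)
            except AccessDenied as exc:
                return exc.status, exc.reason
            return 200, fn(claims, *args)
        return handler
    return wrap


@guarded("accounts:read")          # public-facing API function
def get_balance(claims, account_id):
    return {"account": account_id, "owner": claims["sub"]}


@guarded("ledger:export")          # private/internal API function: same gate
def export_ledger(claims):
    return {"exported_by": claims["sub"]}


if __name__ == "__main__":
    customer = issue_token("alice", ["accounts:read"], "sess-1", 2000)
    print(get_balance(customer, "acct-1", now=1000))   # authenticated and authorized
    print(export_ledger(customer, now=1000))           # authenticated, not authorized
```

A caller holding a valid customer token still receives 403 from the internal function, because being undocumented does not stand in for an authorization check.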

Integrating Zero-Trust in APIs

API Security in Action

Tags: API Security


Aug 11 2021

Zero trust: Bringing security up to speed for the work-from-anywhere age

Category: Zero trust | DISC @ 1:54 pm

The first step toward a zero-trust environment consists of establishing a zero-trust network architecture that covers all aspects of users interacting with corporate internal and cloud-based IT resources, wherever the users or the resources might be located.

This requires an evaluation of the context of user access, combined with the creation of risk profiles. Based on these risk profiles and continuous context analysis, the security team can implement and enforce centralized security policies – independently from any old-fashioned network firewall perimeter.

Establishing context entails checking numerous aspects such as the IP address and geographic location, device status (corporate-owned, privately owned), OS status (jailbroken/rooted or secure), patch status, and so on, as well as verifying digital certificates for identity and access management.

The constant evaluation of all this data is then matched with predefined granular policies. For example, businesses might determine that employees can only access sensitive resources if the device is fully secured, and the user is identified via multi-factor authentication. Otherwise, a pop-up notification will inform the employee how to proceed, while the device might be put into quarantine until its desired state is achieved.
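The policy matching described here, and the posture questions a trust evaluation engine "asks" in the May 2023 post above, can be sketched as follows. This is an added example, not code from either article; the resource names, check names and the 30-day patch threshold are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

MAX_PATCH_AGE_DAYS = 30  # assumed threshold, not taken from the article


@dataclass
class AccessContext:
    user: str
    mfa_verified: bool
    corporate_owned: bool
    os_compromised: bool          # jailbroken or rooted
    firewall_on: bool
    last_patch: date
    unscanned_programs: list = field(default_factory=list)


@dataclass
class Decision:
    action: str                   # "allow", "deny" or "quarantine"
    failed: list                  # names of the checks that failed
    notice: str                   # text for the user-facing notification


# name -> (kind, predicate, remediation hint).
# A failed "user" check blocks the request; a failed "device" check quarantines.
CHECKS = {
    "mfa": ("user", lambda c, today: c.mfa_verified,
            "complete multi-factor authentication"),
    "managed": ("device", lambda c, today: c.corporate_owned,
                "use a corporate-owned device"),
    "os_integrity": ("device", lambda c, today: not c.os_compromised,
                     "restore an unmodified OS image"),
    "firewall": ("device", lambda c, today: c.firewall_on,
                 "turn the host firewall on"),
    "patched": ("device",
                lambda c, today: (today - c.last_patch).days <= MAX_PATCH_AGE_DAYS,
                "install the latest approved patches"),
    "scanned": ("device", lambda c, today: not c.unscanned_programs,
                "scan recently installed programs"),
}

# Granular policies: which checks each (hypothetical) resource requires.
POLICIES = {
    "intranet-wiki": ["os_integrity", "firewall"],
    "hr-records": ["mfa", "managed", "os_integrity", "firewall", "patched", "scanned"],
}


def evaluate(ctx, resource, today):
    """Match the access context against the resource's policy; default deny."""
    required = POLICIES.get(resource)
    if required is None:
        return Decision("deny", ["no_policy"], "No policy covers this resource.")
    failed = [name for name in required if not CHECKS[name][1](ctx, today)]
    if not failed:
        return Decision("allow", [], "")
    hints = "; ".join(CHECKS[name][2] for name in failed)
    device_issue = any(CHECKS[name][0] == "device" for name in failed)
    action = "quarantine" if device_issue else "deny"
    return Decision(action, failed,
                    "Access to " + resource + " blocked. To proceed: " + hints + ".")


# Constructed sample contexts.
TODAY = date(2023, 5, 20)
MANAGED_LAPTOP = AccessContext("alice", True, True, False, True, date(2023, 5, 10))
ROOTED_BYOD = AccessContext("bob", True, False, True, True, date(2023, 1, 5),
                            ["sideloaded.apk"])
NO_MFA = AccessContext("carol", False, True, False, True, date(2023, 5, 15))

if __name__ == "__main__":
    for ctx in (MANAGED_LAPTOP, ROOTED_BYOD, NO_MFA):
        print(ctx.user, evaluate(ctx, "hr-records", TODAY))
```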

Tags: Zero Trust Security


Aug 05 2021

How to build a zero-trust cloud data architecture

Category: Zero trust | DISC @ 10:09 am

The cloud broadens an organization’s attack surface to the point that CISOs must guard data across multiple clouds, tools, and on-premises locations. This further complicates their main objective of minimizing the risk of unauthorized data access and makes their job of ensuring information assets and technologies are adequately protected an arduous task.

Even worse, traditional security and governance models are ineffective for cloud architecture, partly because each cloud vendor has unique mechanisms for accessing data, which increases the chance of administrators making costly mistakes.

Conventional, centralized, or dictated approaches secure data by routing requests, access, and policies through IT – which limits the speed that a user could leverage the information. The array of clouds and cloud resources requires a more fluid approach to secure access.

Decentralized methods don’t work either, because business units have too much freedom in implementing policies about how data is used and with what tools. This creates silos and conflicts across business units and platforms, as cloud architectures need more uniformity across settings, tools, and departments.

The delegated governance model is becoming the more appropriate style, as it is ideal for streamlining multi-cloud security by combining the best of the above methods. It leverages IT’s uniform, top down policies (customized by line of business data stewards) and is based on IT’s provisioning of a secure platform for the business to access their tools of choice. The platform then distributes these central policies—configured by data stewards—into any repository or tool across clouds and on-premises for zero trust security.

Achieving multi-cloud security


Tags: zero-trust cloud data architecture


Jun 27 2021

7 keys to evaluating zero trust security frameworks

Category: Zero trust | DISC @ 11:02 am

Zero trust as a framework for securing modern enterprises has been around for years, but is drawing renewed attention with the increase in cyberattacks. The United States government is pushing for zero trust implementations across all its agencies, and more vendors are jumping on board the already rolling zero trust product bandwagon.

The mix of user need and vendor hype makes zero trust frameworks especially difficult to evaluate. Can a given zero trust solution stand up to close scrutiny? Buyers need to define and test an impartial, balanced set of complex criteria before making their purchase decisions.

Factors to consider include scalability, advanced patch management, and least-privileged access, and that is just the beginning. As automated AI-based network and application discovery gains traction, buyers must be prepared to assess the effectiveness of AI software, which is no small task.

Zero trust meets mega hype

Zero Trust security has become a major industry trend, and yet there still is uncertainty about what it means. Zero Trust is about fundamentally changing the underlying philosophy and approach to enterprise security―moving from outdated and demonstrably ineffective perimeter-centric approaches to a dynamic, identity-centric, and policy-based approach.

Making this type of shift can be challenging. Your organization has already deployed and operationalized enterprise security assets such as Directories, IAM systems, IDS/IPS, and SIEM, and changing things can be difficult. Zero Trust Security uniquely covers the breadth of enterprise security and IT architectures, providing substantive architectural guidance and technical analysis with the goal of accelerating your organization‘s journey to Zero Trust.

Zero Trust Security: An Enterprise Guide

Tags: evaluating zero trust security frameworks


Jun 11 2021

The 6 steps to implementing zero trust

Category: Zero trust | DISC @ 10:03 am

In their minds, this security approach can only be applied to fresh, or “greenfield,” environments – and even there organizations are hesitant as they may believe security will hinder business agility.

The true reason for why businesses are hesitant when it comes to zero trust is due to a lack of understanding of the process and the unfortunate influence of the myths stated above. Forrester’s zero trust framework gives a clear overview of the seven pillars that provide a comprehensive zero trust strategy: data, people, workloads, devices, networks, automation and orchestration, and visibility and analytics. Even after seeing the different elements set out, businesses may feel overwhelmed by the number of areas that can be linked with zero trust – it’s the classic “boiling the ocean” problem.

But what if companies instead took a more incremental and agile approach where benefits are realized at each stage along the way? This approach not only results in a regular and measurable improvement in security posture, but it also facilitates the integration of further capabilities throughout the process.

Implementing zero trust

Here is a simple, six-stepped, repeatable process that can help organizations adopt a zero trust security model.

Tags: Zero Trust Security


Apr 27 2021

The hybrid office will create great opportunities—for companies and cybercriminals

Category: Information Security, Open Network, Zero trust | DISC @ 10:22 pm

Spring is always a time of renewal, but never more so than this year. After our long winter of forced isolation, the increased accessibility of safe and effective vaccines has many looking forward to shutting off Zoom, putting on some real pants, and emerging to see friends and colleagues in person for the first time in more than a year. Normality, it seems, is just around the corner.

Yet the world has been irrevocably changed by the past year, and the businesses, schools, and other workplaces that we enter back into won’t be the same as the ones we left last March. 

The pandemic accelerated long-standing trends in workplaces across sectors as companies quickly embraced remote work and stood up infrastructure to enable their employees to remain productive while working from home. 

Today we are finding that many of these developments are pretty good—enabling employees to work and be productive from anywhere without the headaches of a commute or a noisy office. And so, as the economy begins to reopen, many are looking for ways to make these temporary solutions more permanent and merge them with more “traditional” forms of working to create a sort of hybrid work environment. 

These new hybrid workplaces will create new opportunities for businesses and will allow us to create organizations that are more flexible, productive, and accessible than ever before. But they can also open up new avenues of uncertainty that could threaten every organization. And make no mistake—cybercriminals know this and are finding ways to take advantage of these vulnerabilities. 

Visit Fortune for the full post.

Tags: Remote Working Policy


Apr 17 2021

Infection Monkey: Open source tool allows zero trust assessment of AWS environments

Category: Security Risk Assessment, Zero trust | DISC @ 10:58 am

Guardicore unveiled new zero trust assessment capabilities in Infection Monkey, its open source breach and attack simulation tool. Available immediately, security professionals will now be able to conduct zero trust assessments of AWS environments to help identify the potential gaps in an organization’s AWS security posture that can put data at risk.


Infection Monkey helps IT security teams assess their organization’s resiliency to unauthorized lateral movement both on-premises and in the cloud.

The tool enables organizations to see the network through the eyes of a knowledgeable attacker – highlighting the exploits, vulnerabilities and pathways they’re most likely to exploit in your environment.

Zero trust maturity assessment in AWS

New integrations with Scout Suite, an open source multi-cloud security auditing tool, enable Infection Monkey to run zero trust assessments of AWS environments.

Infection Monkey highlights the potential security issues and risks in cloud infrastructure, identifying the potential gaps in AWS security posture. It presents actionable recommendations and risks within the context of the zero trust framework’s key components established by Forrester.

Expanded MITRE ATT&CK techniques

Infection Monkey applies the latest MITRE ATT&CK techniques to its simulations to help organizations harden their systems against the latest threats and attack techniques. The four newest ATT&CK techniques the software can equip are:

  • Signed script proxy execution (T1216)
  • Account discovery (T1087)
  • Indicator removal on host: timestomp (T1099)
  • Clear command history (T1146)


Tags: AWS environments


Apr 11 2021

Google’s Project Zero Finds a Nation-State Zero-Day Operation

Category: Zero day, Zero trust | DISC @ 9:44 am

Google’s Project Zero discovered, and caused to be patched, eleven zero-day exploits against Chrome, Safari, Microsoft Windows, and iOS. This seems to have been exploited by “Western government operatives actively conducting a counterterrorism operation”:

The exploits, which went back to early 2020 and used never-before-seen techniques, were “watering hole” attacks that used infected websites to deliver malware to visitors. They caught the attention of cybersecurity experts thanks to their scale, sophistication, and speed.

Zero Days

Review: 'Zero Days' Examines Cyberwarfare's Potential Online Apocalypse - The New York Times

The Stuxnet virus cyber-attack launched by the U.S. and Israel unleashed malware with unforeseen consequences. Delve deep into the burgeoning world of digital warfare in this documentary thriller from Academy Award® winning filmmaker Alex Gibney.

Tags: Stuxnet, watering hole attacks


Apr 06 2021

Zero Trust creator talks about implementation, misconceptions, strategy

Category: Zero trust | DISC @ 11:43 am


Nov 24 2020

Zero Trust architectures: An AWS perspective

Category: AWS Security, Zero trust | DISC @ 11:23 am

Our mission at Amazon Web Services (AWS) is to innovate on behalf of our customers so they have less and less work to do when building, deploying, and rapidly iterating on secure systems. From a security perspective, our customers seek answers to the ongoing question: “What are the optimal patterns to ensure the right level of confidentiality, integrity, and availability of my systems and data while increasing speed and agility?” Increasingly, customers are asking specifically about how security architectural patterns that fall under the banner of Zero Trust architecture or Zero Trust networking might help answer this question.

Given the surge in interest in technology that uses the Zero Trust label, as well as the variety of concepts and models that come under the Zero Trust umbrella, we’d like to provide our perspective. We’ll share our definition and guiding principles for Zero Trust, and then explore the larger subdomains that have emerged under that banner. We’ll also talk about how AWS has woven these principles into the fabric of the AWS cloud since its earliest days, as well as into many recent developments. Finally, we’ll review how AWS can help you on your own Zero Trust journey, focusing on the underlying security objectives that matter most to our customers. Technological approaches rise and fall, but underlying security objectives tend to be relatively stable over time. (A good summary of some of those can be found in the Design Principles of the AWS Well-Architected Framework.)

Definition and guiding principles for Zero Trust

Let’s start out with a general definition. Zero Trust is a conceptual model and an associated set of mechanisms that focus on providing security controls around digital assets that do not solely or fundamentally depend on traditional network controls or network perimeters. The zero in Zero Trust fundamentally refers to diminishing—possibly to zero!—the trust historically created by an actor’s location within a traditional network, whether we think of the actor as a person or a software component. In a Zero Trust world, network-centric trust models are augmented or replaced by other techniques—which we can describe generally as identity-centric controls—to provide equal or better security mechanisms than we had in place previously. Better security mechanisms should be understood broadly to include attributes such as greater usability and flexibility, even if the overall security posture remains the same. Let’s consider more details and possible approaches along the two dimensions.

Source: Zero Trust architectures: An AWS perspective | Amazon Web Services

SANS Webcast – Zero Trust Architecture
https://www.youtube.com/watch?v=5sFOdpMLXQg




Tags: Zero Trust, Zero Trust architectures, Zero Trust Network, Zero Trust Security