Mar 06 2024

How Security Leaders Can Break Down Barriers to Enable Digital Trust

Category: CISO,Digital Trustdisc7 @ 8:11 am
https://www.infosecurity-magazine.com/news/security-leaders-digital-trust/

The term “digital trust” has gained traction in the business landscape, but many people hear “digital trust” and equate it to avoiding cybersecurity incidents.

In reality, security leaders hold a significant role in this mission, but building digital trust requires much more than a high-performing security team.

Viewed in this broader sense, digital trust is defined by ISACA as the confidence in the relationship and transactions among providers and consumers within the digital ecosystem, including the ability of people, organizations, processes, information and technology to create and maintain a trustworthy digital world.

Customers expect a reasonable degree of digital trust from every organization with a digital footprint – at least the ones with which they will be willing to do business. Although they might not consciously frame it in these terms, these fundamental elements of digital trust serve as the foundation upon which consumers base their judgments about an enterprise’s trustworthiness:

  • Quality: Quality must meet or exceed consumer expectations. 
  • Availability: Consumers need to be able to access accurate information in a timely manner. 
  • Security and privacy: Consumers need assurance that their data and information are safe and protected. 
  • Ethics and integrity: Enterprises should live up to their promised values. 
  • Transparency and honesty: Consumers should be informed about how their information is being used. If personal information has been compromised, consumers should know how the enterprise is addressing the current situation and preventing it from happening again. 
  • Resiliency: Enterprises must provide assurances that they are stable and can withstand adverse circumstances while simultaneously evolving to leverage new technologies and advancements.  

Although commonly associated with cybersecurity, digital trust extends far beyond that realm. It can be thought of as the invisible thread that establishes a common goal and focus among several distinct organizational roles.

Within the domain of security, one question that often arises is whether zero trust equates to digital trust. The answer is no, however, zero trust can be used as a technique to reach digital trust. It is a building block or a thread that is woven throughout the digital trust ecosystem. Digital trust allows individuals and businesses to engage online with confidence that their data and digital identity are safeguarded. 

Implementing zero trust processes contributes to the protection of such information.

In the context of the modern business environment, how well companies manage customers’ data and the extent to which they can securely and responsibly implement emerging technology are key steps toward delivering digital trust.

Trust: The Core of All Interactions

Throughout human history, trust has formed the fundamental basis of nearly every human interaction we experience. This significance is particularly pronounced in our rapidly evolving, digitized world, where multiple parties frequently do not have in-person interactions to exchange the sensitive and confidential information necessary for transactional purposes.

Therefore, every interaction must reinforce that the organization cares about – and has instituted effective practices in – all areas of digital trust.  

Trust is not a one-time achievement; it must be consistently earned, effectively communicated and actively reinforced. This creates a fertile environment to conduct business, which in turn fuels innovation, drives economic expansion and, ultimately, generates value for all parties engaged in the interactions. Trust becomes the bedrock upon which successful and mutually beneficial relationships are built.  

Edelman, which has studied trust for 20 years, puts it this way: “Trust is the foundation that allows an organization to take responsible risk, and, if it makes mistakes, to rebound from them. For a business, especially, lasting trust is the strongest insurance against competitive disruption, the antidote to consumer indifference, and the best path to continued growth. Without trust, credibility is lost and reputation can be threatened.”

Consider any consumer-driven sector and you’ll likely recognize the significant advantage that major, well-known brands have due to the trust they have painstakingly cultivated with customers. Think about how frequently you have been willing to pay a higher price for a purchase because you trust the provider to deliver on their promises, especially when compared to various competitors with less established reputations.

This trust factor often becomes a compelling driver of consumer choices, reflecting the value of a well-earned reputation for reliability and quality.

A digitally trustworthy organization understands the importance of upholding customer trust. Digital trust must be instilled throughout the organization, and initiatives should be built with digital trust in mind. This trust accrues over time. Establishing digital trust is an ongoing process that involves the continuing efforts not only regarding the creation but the maintenance of the larger ecosystem.

“Digital trust is the logical progression on the digital transformation path”

The Business Benefits of Digital Trust

Digital trust is the logical progression on the digital transformation path – in fact, three quarters of respondents to ISACA’s State of Digital Trust 2023 research indicate that digital trust is very or extremely important to digital transformation.

As businesses undergo digital transformation, customer expectations are evolving accordingly. While IT plays a pivotal role in this transformation, the shift toward prioritizing digital trust is largely being driven by businesses to benefit businesses.

Given its paramount importance to consumers and overall brand reputation, digital trust should be a central consideration across all facets of an enterprise. According to the State of Digital Trust research, the top benefits of digital trust include a positive reputation, fewer privacy breaches, fewer cybersecurity incidents, more reliable data, stronger customer loyalty, faster innovation and higher revenues.

With a list of benefits this impactful, digital trust should command the attention of boardrooms across all industries and geographies.

Digital trust involves all of us as stakeholders – including security leaders responsible for preventing data breaches that undermine trust, IT professionals who support information and systems integrity, marketing professionals who champion and promote an organization’s brand, and third-party providers upon whom the organization is reliant.

Digital trust serves as a significant catalyst for consumers’ decisions which will ultimately manifest – for better or worse – in a company’s financial performance.

Leadership’s Responsibility in the Trust Ecosystem

Leadership plays a crucial role in establishing digital trust through a concerted, organization-wide push. As with most elements that dictate a company’s success, leadership matters.

Everyone in the organization has a role in building and maintaining digital trust, but the responsibility for setting the direction and governance needs to start with senior executives.

Organizational leaders set and communicate the culture, priorities and expectations of digital trust through policies and structures, which are disseminated throughout the organization. From a governance perspective, either the full board of directors or a board committee needs to be given responsibility for governance and oversight of digital trust.

It is critically important that a focal point is created for the management team to provide updates on the advancement of digital trust to the board, similar to the practices of cybersecurity or IT audit teams. In doing so, a connection point is established for the management team to report in on digital trust progress at the board level, much like how cybersecurity or IT audit teams operate.

A Digital Trust Executive Council is a valid option to ensure proper direction and control over digital trust efforts. This would serve as a management council that should report into the executive management team and then ultimately to the board or designated committee that oversees digital trust.

The purpose of the digital trust council is to address the needs of an organization’s digital product and service consumers through the appropriate evaluation, prioritization and direction of digital trust activities, funding and programs that ultimately contribute to a trusted relationship. Consider this council the expert review panel and point of contact on digital trust decisions, measurements, guidance and alignment with the organization’s goals and objectives.

This governance connection is critically important. If organizations merely give superficial acknowledgment to the pursuit of digital trust without a governance structure and framework that is accountable to the board, then they are deceiving themselves into believing that they are making any meaningful efforts toward establishing genuine digital trust.

This is reminiscent of the old days when many companies were convinced that they were doing a great job on security without anything in the organization having a true security focus or investment – it was really just IT personnel running the show. We have learned and evolved a great deal since then, and digital trust will have to go through a similar transformation.

The role of security leadership is also crucial in establishing digital trust as a business imperative. To be effective, today’s CISOs must demonstrate their capability to wield influence and make a meaningful impact across the business.

“I think that’s the most important trait right now, because there are many security jobs that are technical analysis or coding, but to be a CISO, you have to be business-focused and be an executive leader because you’re going to be interfacing with the board, CEOs and other executives,” wrote 2021 CISO of the Year, Brennan P. Baybeck, VP & CISO for Customer Services, Oracle.

“You can’t just be talking about compliance and security all the time. You have to be helping to drive the business and directly aligning the security strategy activities to the business strategy, with a focus on enabling business,” he added.

Digital trust serves as a significant avenue for security leaders, especially CISOs, to break away from the perception that they are solely engrossed in cybersecurity with limited perspective. CISOs can effectively achieve this by championing a cross-functional digital trust team (more on this below) and ensuring that the team is resourced and supported appropriately.

ZERO TRUST SECURITY DEMYSTIFIED: Expert Insights, Proven Strategies, and Real World Implementations for Digital Defense: Your Roadmap to a Resilient Network and Unparalleled Data Protection

Trust: The wining formula for digital Leaders

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: CISO, Enable Digital Trust, Security Leaders, Zero Trust


Oct 20 2022

Protecting Your Cloud Environments With Zero Trust

Category: Zero trustDISC @ 8:27 am

When moving to a cloud infrastructure, businesses should be looking toward a Zero Trust strategy. This security model protects the cloud from the inside out using the principle of least privilege to grant secure access to any company resource. Eliminating implicit trust helps prevent cloud-related data breaches and provides a security shield for remote workers that use BYOD (Bring Your Own Devices) to access corporate resources.

Zero Trust Prevents Compromised Credentials

Cloud environments are dynamic and require a lot of security, especially in a public cloud, where all data might not be protected and phishing attacks run rampant. In fact, 80% of cloud security incidents are due to stolen or lost credentials. Just earlier this year, the Lapsus$ ransomware group managed to breach a third party provider’s Okta authentication and even published screenshots for all to see.

This is where Zero Trust comes into the picture. Zero Trust helps mitigate unauthorized access in cloud environments by enforcing granular access to each user or device attempting to access a workload or resource. This added measure is essential for securing remote workers and third parties from any potential data leaks.

Organizations must adopt Zero Trust principles when building on cloud architectures. Here’s how your organization can successfully leverage the principles to keep cloud environments safe.

5 Ways Zero Trust Secures Cloud Environments

Always Assume a Threat

With traditional security methods, there’s no cause for concern until a threat is detected. And by that time, it’s too late. Zero trust automatically assumes by default that everyone using the network is a threat until verified.  

Continuous Authentication

Following the ‘never trust, always verify’ motto, users will be continuously asked to verify themselves. Not on a one-time basis, but each time they require access to a cloud resource. Multi-Factor Authentication (MFA) technology is an integral component of a successful Zero Trust strategy. 

Device Access Control

Zero Trust also monitors how many different devices are in the network as well as those trying to gain access at any given time. A proper Device Posture Check will ensure that every device is assessed for risk without any exposure to the network.

Microsegmentation

Microsegmentation is another way that Zero Trust protects cloud environments. It divides the infrastructure into smaller zones that require additional verification for access. This is also called minimizing the blast radius of a threat. 

Lateral movement can occur when an attacker infiltrates the outside barrier and moves within the network. Even when the entry point is discovered with a traditional security method, it can be difficult to detect the threat. During the time it takes to find them, they can move laterally and exfiltrate data. Every user in the network is required to be verified when they enter different zones, drastically reducing the possibility of a breach.

Logging & Monitoring

Having several methods of verification means nothing without constant monitoring. Inspect and log all traffic to identify any suspicious behavior or anomalies. Analyzing the log data can help quickly identify threats and improve security policies

Protecting Your Cloud Environments With Zero Trust

Zero Trust Security: An Enterprise Guide

Zero Trust

Tags: Zero Trust, Zero Trust Security


Mar 14 2022

Building trust in a zero-trust environment

Category: Zero trustDISC @ 9:32 pm

A recent study by MITRE and DTEX revealed that despite years of industry efforts against insider threats, there isn’t enough data – or systems advanced enough – to spot all malicious behavior. As companies work to build a corporate culture of cybersecurity, they’ve begun investing in zero-trust architectures to proactively cover all attack surfaces.

While this is a step in the right direction, this security method also has the potential to raise fear and generate negative responses from employees. This is especially a concern amid the Great Resignation; countless employees are leaving their jobs due to issues centered around work culture that no longer meets the demands of the modern employee. If taken as a sign of mistrust and poor faith, zero-trust security could spread resentment and demotivation among employees, potentially accelerating turnover rates and bringing the Great Resignation to its peak.

How can companies effectively navigate zero trust without creating friction among employers and employees? And how do they get there without the luxury of trust-building exercises in the close quarters of an in-office environment?

The thing is, zero trust doesn’t mean seeding mistrust throughout an organization’s networks. Companies shouldn’t have to rely on technologies alone for protection. Security is best applied when it’s a team effort. In other words, successful zero trust relies on a culture of transparency, communication, and consistency across the board. When appropriately understood and applied, these efforts can create a sustainable zero-trust work environment. So, how do we get there?

Create a culture of transparency and communication

zero

Zero Trust Networks: Building Secure Systems in Untrusted Networks

Tags: Zero Trust, Zero Trust Networks


May 04 2021

Secure your cloud: Remove the human vulnerabilities

Category: Cloud computingDISC @ 10:01 pm

A strong case can be made that shoring up defenses requires “automating out” the weakest link – i.e., humans – from any cloud that companies are entrusting with their data. This applies to their internal, on-premise clouds as well as to the external cloud vendors that they choose to engage with.

In “automating out the weak link,” the ability of superusers or IT administrators – or of bad actors who have gained access to valid admin credentials – to manually interfere with sensitive data becomes non-existent, because human interaction is eliminated.

Trust no one

The zero-trust model, which has gained favor in recent years among many cloud vendors, serves as a starting point for making this happen.

The zero-trust security framework challenges the idea of trust in any form, whether that’s trust of networks, trust between host and applications, or even trust of super users or administrators. The best way to secure a network, according to the zero trust framework, is to assume absolutely no level of trust.

Zero Trust Security

Tags: Zero Trust


Nov 24 2020

Zero Trust architectures: An AWS perspective

Category: AWS Security,Zero trustDISC @ 11:23 am

Our mission at Amazon Web Services (AWS) is to innovate on behalf of our customers so they have less and less work to do when building, deploying, and rapidly iterating on secure systems. From a security perspective, our customers seek answers to the ongoing question What are the optimal patterns to ensure the right level of confidentiality, integrity, and availability of my systems and data while increasing speed and agility? Increasingly, customers are asking specifically about how security architectural patterns that fall under the banner of Zero Trust architecture or Zero Trust networking might help answer this question.

Given the surge in interest in technology that uses the Zero Trust label, as well as the variety of concepts and models that come under the Zero Trust umbrella, we’d like to provide our perspective. We’ll share our definition and guiding principles for Zero Trust, and then explore the larger subdomains that have emerged under that banner. We’ll also talk about how AWS has woven these principles into the fabric of the AWS cloud since its earliest days, as well as into many recent developments. Finally, we’ll review how AWS can help you on your own Zero Trust journey, focusing on the underlying security objectives that matter most to our customers. Technological approaches rise and fall, but underlying security objectives tend to be relatively stable over time. (A good summary of some of those can be found in the Design Principles of the AWS Well-Architected Framework.)

Definition and guiding principles for Zero Trust

Let’s start out with a general definition. Zero Trust is a conceptual model and an associated set of mechanisms that focus on providing security controls around digital assets that do not solely or fundamentally depend on traditional network controls or network perimeters. The zero in Zero Trust fundamentally refers to diminishing—possibly to zero!—the trust historically created by an actor’s location within a traditional network, whether we think of the actor as a person or a software component. In a Zero Trust world, network-centric trust models are augmented or replaced by other techniques—which we can describe generally as identity-centric controls—to provide equal or better security mechanisms than we had in place previously. Better security mechanisms should be understood broadly to include attributes such as greater usability and flexibility, even if the overall security posture remains the same. Let’s consider more details and possible approaches along the two dimensions.

Source: Zero Trust architectures: An AWS perspective | Amazon Web Services

SANS Webcast – Zero Trust Architecture
httpv://www.youtube.com/watch?v=5sFOdpMLXQg




Tags: Zero Trust, Zero Trust architectures, Zero Trust Network, Zero Trust Security