Sign up for our newsletter! →

Hana Doesn’t Trust You: HanaByte and Zero Trust

Written By
HanaByte blog on Zero Trust by Otis Thrasher

NEVER TRUST, ALWAYS VERIFY

There are plenty of different security frameworks, models and strategies that an organization can utilize when securing cloud environments.  In this blog, I want to highlight Zero Trust (ZT) and why this framework can be very beneficial for companies looking to differentiate themselves in the modern market when it comes to securing environments. 

Data holds immense value for an organization and is considered a high commodity to threat actors. As an organization, it is important to understand that being compliant is the start of securing your data. Cybersecurity is not solely reliant on the technology but also on strategic implementations as well. Technology is there to help enable the strategy–this is where ZT comes in to assist with that strategic planning.

Dogs are considered to be man’s best friend. One characteristic about dogs is that they are always skeptical of strangers; they vet each individual before trusting them. After dogs become comfortable, they will let their guard down. ZT is built on the concept of “Never Trust, Always Verify.” The difference between ZT and the instinctive nature of dogs is that your guard should never be let down. ZT emphasizes the continuous verification of all entities.

The Pillars Of Zero Trust

There are 7 Pillars of ZT:

  1. Users/Entities
  2. Devices
  3. Applications & Workloads
  4. Network & Environment
  5. Data
  6. Automation & Orchestration
  7. Visibility & Analytics

Each pillar is pivotal to encompass the effective and security capabilities highlighted in the ZT framework. ZT creates a roadmap for what steps to take in chronological order: Target level, Target & Advanced, and Advanced. Breaking down each step into phases and outlining what needs to be accomplished by a specific fiscal year.

There is a five step process for ZT implementation: define your surface, map the transaction flows, build a ZT architecture, create ZT policy, and monitor and maintain the network. Understanding the data you have and how that data is being used. ZT specifies the importance of utilizing least privilege to secure authorization of users and devices as well as segmentations of your network and defense in depth.  The significance of automation to get rid of toil. Automation and orchestration enables the organization to focus on more critical aspects of security in their environment while using monitoring tools to be able to continuously monitor to detect anomalies.  This ultimately enhances the overall security posture.

WHY ZT? WHY NOW?

For over a decade, IT has been actively engaged with each concept outlined in the 7 pillars of ZT. ZT gives us a new single umbrella and expands on legacy implementation. It has become more prevalent in recent years due to the rise of remote work during the pandemic. This shift made it a necessity to validate users and utilize context-based access controls alongside Multi-Factor Authentication (MFA). The Adoption of ZT has been propelled by endorsements from entities including the Department of Defense (DoD) and notable organizations such as Gartner and Forrester. The ZT framework is used for securing infrastructure and data for the present-day digital transformation. Usually, the first place malicious actors attack is users and devices. The ZT framework addresses these problems now and for future solutions. It is important to maintain continuous, incremental improvements over time. As we all know technology will advance and so must the security mechanisms guarding it.

Security revolves around the shared responsibility model with providers and consumers; however, the biggest problem often neglected in the security framework is human error.  Social engineering tactics and phishing attacks are some of the most common ways individuals’ credentials, as well as organizations, are compromised.  This is why MFA is such a necessity. Based on reports from Gartner, there are organizations that are still not utilizing MFA. Platform Authenticators(PA) can help mitigate phishing attacks and authenticate the user behind the device.

AI and DATA

AI brings in all new possibilities when it comes to innovation, creativity, and security-which can be wonderful for finding solutions to future problems. With any turnkey technology, this also introduces attack vectors for threat actors. That’s why data security is of the utmost importance for anyone venturing into the abyss of AI. Data is essential for training Machine Learning Models that power AI. Identifying errors in data begins with taking the first crucial steps. It’s essential to gain a comprehensive understanding of the source and types of data in use. Data cleansing and processing are indispensable.

ZT emphasizes the importance of data classification and setting parameters for access based on the user’s role in the organization. Consistently monitoring your data logs on a single plane of view, can mitigate data sprawl. Data sprawl has become a common problem in companies when they ingest so much data from different resources. Following the ZT framework will push your organization to establish access controls and monitoring tools to know exactly who, when, and what data is being accessed.

HANABYTE CAN HELP

A common misconception is that there is one single vendor that can provide everything encompassing what you need for a ZT framework. ZT is complex, and the related security measures will take time to implement. That is where security professionals come in to help combine all the different tools, software, and knowledge to meet expectations. By adopting a ZT strategy, you are not only aiming to create a highly secure and efficient system but also demonstrating to your customers that the security of their data is your top priority. Federal government entities support  this framework for its ability to manage security of infrastructure and modern digital transformation.  Lead your organization into the future with continuous innovation, prioritizing security at every state of the journey.

Relevant Blogs

hanabyte blog, CISA, cybersecurity infrastructure security agency, hanabyte
Automation

CISA: A Quick History

Written By Get to Know CISA Perhaps one of the least understood aspects of information technology is cybersecurity. Despite constant

Read More →
Michael Greenlaw HanaByte blog on AFT to ATO
Automation

From AFT to ATO: The Prequel

The purpose of this installment was originally to continue our journey; however, I was fortunate enough to speak on this topic in-depth at HashiTalks. Due to its technical nature, we thought it better to complete the blog series by taking a step back and providing a discussion about what the tool is, the problems it solves, and how it can empower us…

Read More →