‘Zero Trust’ is making cybersecurity headlines today, and one of our strategic partners, Varonis, recently published a whitepaper on this topic. We sat down with Brad Bussie, Vice President, Advyz Cyber Risk Services, to learn more about Zero Trust and the key take-aways from the Varonis whitepaper.
Zero Trust is a security model developed by former Forrester analyst John Kindervag in 2010. Ever since that time, there has been growing interest in and adoption of Zero Trust. What should customers know about this security strategy?
When we talk to a client or potential client about Zero Trust, many are familiar with the term from the Forrester model, which addresses the shortcomings of traditional perimeter-based security. However, most don’t clearly understand the benefits of Zero Trust for their business.
The old way of looking at Zero Trust is to trust nothing. The challenge is that this approach doesn’t scale. In fact, it prevents organizations from performing tasks they need to conduct business. Organizations need to take a step back and first determine what it is they are trying to protect in the first place. Most often, it’s their data – and we recommend organizations take a data-centric approach to security.
Why does Advyz Cyber Risk Services team with Varonis in helping customers implement Zero Trust frameworks?
Here at Advyz, we work with our customers to help them understand that Zero Trust isn’t a product or solution; instead, it is a framework of processes that can be tailored based on your organization’s unique needs. Varonis is a pioneer in data security, and as a data-centric company, they have worked with thousands of customers to secure their most sensitive data. Simply put, they have the capabilities to help organizations implement security that is in line with Zero Trust, and that’s why they are one of our key partners in this space.
How big of a problem is data security for customers today?
Overexposed data is arguably the biggest problem in data security because the challenge and risk compound as data continues to grow. If an attacker lands on your network, they will be able to access anything – including your most sensitive information – that isn’t locked down. Finding and remediating where your data is overexposed is a time-consuming and error-prone process that’s nearly impossible to perform successfully without automation. Varonis compiles an annual Global Data Risk Report that sheds light on the state of data exposure. They found the average employee can access 17 million files—far more than they need to do their jobs. On average, 22% of a business’s globally accessible data – about 1 in every 5 files – is sensitive.
Further, according to Forrester, the average enterprise today has petabytes of data that will continue to grow 15-30% annually.[1] Of that data, approximately 80% of it is unstructured data like files and emails, according to industry estimates.
When it comes to providing data-centric security, why is Zero Trust more effective?
Businesses should assume that it is not a question of “if,” but “when” an attacker will gain access to their network. A subtle misconfiguration or stolen credentials is all that bad actors need to gain entry. And, once they’re in, it’s often not difficult for them to gain access to the valuable data they’re after, especially on infrastructure that doesn’t adhere to a Zero Trust, least-privilege model.
As Varonis points out in its Zero Trust whitepaper, “To limit the potential damage bad actors can do once inside and proactively detect suspicious activity by insiders or malware, organizations should focus first on defending their data—the asset hackers are ultimately after.”
What are the key components of a Zero Trust framework?
Varonis explains in its Zero Trust whitepaper that the framework involves several layers of defense, including data protection, network segmentation, identity and access management, application stack security, and device management. All of these controls are designed to help enterprises better defend their assets against increasingly stealthy cyber attackers. With Zero Trust, businesses can:
- Secure sensitive data. Identify and limit access to sensitive data to limit possible exposure.
- Segment the network. Limit lateral movement of attackers or spreading of malware.
- Limit user access. Strictly enforce what users can access.
- Secure application stack. Treat every connection, app, and component as a threat vector and ensure Zero Trust principles are applied throughout your technology stack.
- Manage devices. Isolate, secure, and control every device that is connected to the network.
What are some of the most important steps customers should consider as part of a Zero Trust model?
First and foremost, remember that you can’t manage what you don’t measure, and Advyz Cyber Risk Services is here to help. When implementing a Zero Trust framework, step one is to identify and map the relationship between the organization’s data, applications, and networks. Next, you must identify what benefits the users and other key stakeholders within the organization gain by participating in the Zero Trust program. Education is key to understanding how to reduce risk and promote security in all they do.
What are the outcomes customers can expect when implementing a Zero Trust model?
When an organization adopts the Zero Trust model, it will achieve the following benefits:
- A more secure network
- Improved focus across the organization on protecting data, application and infrastructure
- Enhanced protection against existing and evolving threats – i.e., Zero Day threats
- Reduced impact from breaches
- Improved compliance and visibility
- Potential cost savings in people, processes and technology required to protect the organization due to the simplified environment.
Last, but not least, the organization will finally gain a full understanding of the technology it is using and how it should be applied to promote a secure infrastructure environment.
Entisys360 and Varonis will be hosting a Virtual Seminar, “Least Privilege and Zero Trust for the Public Sector” on Wednesday, November 10 at 11am (PT). To register, visit:
https://us02web.zoom.us/webinar/register/3916336325530/WN_CgUMgAt1QcqWbT_lrjTX2A.
Since joining Entisys360, Brad has focused on building the Advyz Cyber Risk Services division by bringing people, processes, and technology together to help organizations solve their most pressing cybersecurity and business challenges.
About Entisys360
Entisys360 is an award-winning IT consultancy specializing in cybersecurity, automation and cloud, core infrastructure services, DevOps, end-user computing, software-defined infrastructure and virtualization solutions for business, government, education and healthcare. For nearly three decades, countless numbers of enterprise organizations have achieved their business goals and objectives leveraging Entisys360’s people, processes and methodology.
[1] Andres Cser and Sean Ryan, “Apply Zero Trust eXtended Principles In Your Identity and Access Management Programs, Protect Data And Boost The User Experience with A ZTX IAM Architecture, People, And Process,” Forrester Research, November 25, 2019.