Zero Trust in the Spotlight at SECtember 2021

This past September, CSA hosted SECtember 2021, the premier cloud security conference that features the best cloud security minds in the industry. If you missed it in person, we’ve got you covered. In our first recap blog, we discussed the presentations from the three keynote speakers at the event. Now, here are some highlights from SECtember 2021 on Zero Trust, a topic of growing importance in cloud security.

Zero Trust Frameworks: The Major Approaches

This SECtember session examined the major frameworks for Zero Trust security: Forrester ZTX, NIST SP800-207, and Google BeyondCorp. Don Maclean, the Chief Cybersecurity Technologist at DLT Solutions, identified the common elements that define Zero Trust, clarified problems that Zero Trust seeks to solve, and correlated specific technologies to those problems.

Zero Trust is a philosophy based on realistic assumptions that are inclusive of many standard security practices, many of which are already implemented but could be done in a more structured manner. This is done to enhance an organization’s security posture, keeping in mind that Zero Trust is not a single product or technology limited to insider threat.

Zero Trust is beneficial for solving:

• Disappearing perimeters
• A growing attack surface
• Inevitable intrusions
• Long dwell times and lateral movement

Watch Don Maclean’s recorded SECtember session here.

DevSecOps and Zero Trust Architecture

In this presentation by Gregory Machler, a Cybersecurity Engineer at Daikin Applied, the complicated DevSecOps and Zero Trust architecture models were addressed. Gregory recommends using a Systems Security as Code model to make it easier to provision, thereby lessening human error and systems security, also reducing the risk of using LDAP directory to authenticate all session flows.

Zero Trust focuses on identity management and is centered around active directory. In Zero Trust architectures, access to enterprise resources is granted on a per-session basis and access to resources is determined by a dynamic policy. Modeled after Infrastructure as Code, Systems Security as Code is focused on cloud architecture only, and doesn't address earlier architectures. However, it addresses sessions that use encryption to protect their traffic. The key takeaway here is that if you focus on the Infrastructure as Code model, Systems Security as Code will be successful.

Watch Gregory Machler’s recorded SECtember session here.

Panel Discussion: Giving Zero Trusts About Cloud Security

Despite the limitations of corporate engagement due to the pandemic, the rapid rise of cloud and remote services saw an abnormal increase in accessing corporate networks and data. Panelists Lianne Caetano, Senior Director of Product Marketing, Lookout; Shawn Harris Director of Information Security, Starbucks; Sameer Malhotra, CEO & Founder, Truefort; and John Yeoh, Global Vice President of Research, CSA discussed: why Zero Trust prepares us in today’s threat landscape, the technology challenges customers face when implementing Zero Trust, and the critical specifications that define the architecture.

The concept of Zero Trust architectures for secure network access has been around for years, but has recently taken the practice of Zero Trust to new levels. The pandemic has brought about a renewed focus on digital transformation and an increase in malware and threats. Strategies for implementing a Zero Trust architecture to protect your data include:

• Learning behaviors that determine good and bad actors. Start small, start focused, and then expand.
• Making sure that users can use systems in the most secure way possible through least privilege. Do this through identity proofing and risk monitoring.
• Implementing Zero Trust across all of your organization’s functions and departments, allowing you to proactively identify internal and external threats.

Here are some other key remarks from the panel:

• As you design Zero Trust for your organization, make sure that user experience doesn’t degrade the performance of your business. Zero Trust isn’t only for your employees, but can also improve the end-user experience.
• A lot of technology has been developed over the years. So building programs that allow for visibility and understanding at the baseline with continued assessment is a must.
• Zero Trust is a strategic direction. Once you develop least privilege processes, you can implement Zero Trust.

Watch the recorded SECtember panel discussion here.

Save the date! SECtember 2022 will be taking place at the Meydenbauer Center in Bellevue, WA on Sept. 26-30, 2022. We hope to see you there.

Learn more about Zero Trust by visiting CSA’s Zero Trust Advancement Center.