Achieve Friction-Free Zero Trust With Business Partners


If you couldn’t make the live event (now available on-demand here), here’s a taste of the freewheeling panel discussion, featuring Phil Syme, Co-Founder and Chief Technology Officer of Area 1 Security, and Kevin Wilson, Senior Product Manager at Area 1 Security and former CISO at GUESS?.


The History of the Traditional Security Model


The traditional, legacy security models based on perimeter security are ineffective given modern work practices and threats. Traditional models focus on preventing external threats from entering but then assume an internal trusted network.


The benefit of the traditional model is that it’s simple. There is one place to focus your efforts: securing the perimeter. In that respect, it’s an efficient model with economies-of-scale advantages. But it is not a comprehensive model. Its inherent risk is the inability to prevent and protect against insider threats, compromised accounts, and easy lateral movement after an initial breach.


“The biggest thing the traditional model misses is just human nature,” adds Phil. “Practicing good security is difficult and time-consuming. If you know you are within a secure perimeter, it’s easy to get a little lackadaisical about security practices. This is probably the biggest miss.” Unfortunately, attackers and malicious insiders take advantage of these security gaps, resulting in data breaches, unauthorized access and a host of other security issues.


The end of the perimeter, brought on largely by widely accessible cloud services, and the modernization of communication lead to tension within any security practice. From a business perspective, you want wide-open access for anyone at any time to make business processes as smooth as possible. Then there is the conflicting need to secure everyone and every system as much as possible. With any security solution, it’s about finding the right balance between these two things.


The Zero Trust Model


That’s where the Zero Trust model comes in. The concept of Zero Trust is no inherent trust inside or outside the perimeter: no trusted network, no internal network edge. The Zero Trust Model focuses on authentication, authorization, and reducing implicit trust zones. It focuses on the who, rather than the what.


It relies on three pillars:

  1. Always verify,
  2. Apply the least privilege, and
  3. Assume breach.


With the Zero Trust model, “you tend to get better detection of malicious types of issues than you would with a traditional model [that] focuses heavily on the edge and not so much on the internal,” Kevin states.


In fact, the benefits of a Zero Trust Model include better detection of:

  1. Compromised user credentials,
  2. Remote exploitation and insider threats, and
  3. Compromised supply chain.


These security issues often appear within the “trusted network” that gets overlooked in the traditional security model.


But the million-dollar question is — is Zero Trust attainable?


Practical Advice to Attaining and Applying Zero Trust


The team gets right down to business to address the major question on everyone’s mind: how do we attain Zero Trust?


The key is to focus on the very foundation and basics of the Zero Trust Model.

  • Authentication and identity. The goal is to validate that the user is who they say they are. In addition to credentials, focus on implementing multi-factor authentication. Mapping out a social graph of who your organization communicates with helps with detecting compromised identities.
  • Apply least privilege for all access. Focus on who needs what. Limit privileges to only what’s needed for an individual to succeed in their given role instead of giving broad access.
  • Network segmentation and micro-segmentation. Keep in mind that there are two aspects to segmentation, a physical and a logical one, and ensure you apply both. The physical aspect covers things like router rules that physically segment a network. The logical part is figuring out the security perimeter for a particular IT system and applying appropriate access rules for every component of the system.
  • Monitoring and inspection. Effective monitoring and inspection may need to be achieved in phases. Time and tuning are required to balance verbose monitoring against potential missed alerts.


Extending Zero Trust to Email


Removing perimeters means re-evaluating where risk really lies in an organization. Take email, for example.


Email is the #1 way organizations communicate, and it’s largely a wide-open door. Its scope and depth extend beyond direct employee access decisions and network-centric models. Businesses interact with many partners and suppliers, and established relationships lend themselves to implicit trust, which can be exploited. Considering the vast number of individuals email reaches, both internal and external, the question is no longer about the network but about whether you can trust who you’re communicating with.


Area 1 Security extends Zero Trust to email by removing implicit trust. Area 1 Security verifies all communications as they happen, validates access beyond just the sender, detects compromises, and applies controls around compromised communications. In short, Area 1 Security applies the foundations of Zero Trust mentioned above to email to reduce the largest source of risk to an organization.


Want to know more? Watch the full webinar and get more tips on:

  • How your partner social graph results in increased risk surface area;
  • Why email security plays a critical role in establishing a Zero Trust architecture that can be extended to your business partners and suppliers; and
  • How to leverage email security to prevent targeted cyber attacks.

Phil Syme

Cofounder and CTO at Area 1

Phil Syme has 22 years of information technology experience. His areas of expertise include system architecture, data processing at scale, and cloud technologies. Phil was previously a Chief Engineer at Next Century Corporation, co-founder and Principal Engineer at eSymmetrix, and co-authored two introductory programming books. He holds a B.S. in Mathematics and Computer Science from Carnegie Mellon University School of Computer Science.


Kevin Wilson

Senior Product Manager at Area 1

Kevin Wilson is a Sr. Product Manager at Area 1 Security. Throughout his 14 years in Cyber Security, Kevin has been an Analyst and Engineer in various organizations such as the U.S. Navy, First Data, and Lowe’s. Previously he served as the Global Information Security Officer at Guess? Inc as well as a Product Manager for McAfee.
