Re-blog: Zero-Trust – IT’s an Architectural State of Mind

What Is Zero Trust?

The term ‘Zero Trust’ was first coined by John Kindervag in 2010, building off a concept put forward by David Lacey at the Jericho Forum, an international group founded in 2004 that worked to promote deperimeterization.

Deperimeterization means to “protect an organisation’s systems and data on multiple levels, by using a mixture of encryption, secure computer protocols, secure computer systems and data-level authentication” (Wikipedia). Our Managing Security Consultant, Colin Robbins, has been discussing deperimeterization for over 5 years.

Over the past few years, the world has seen a period of digital transformation. The increasingly popular use of Cloud-based solutions and remote working are eroding traditional security boundaries. Network architecture is changing, as static work environments are being phased out in favour of letting employees work from any location at any time.

In this new world, the role of local networks and Intranet changes, it no longer poses a significant security boundary, as business data is now outside of that network on cloud services. Thus, the priorities of the local network have shifted to providing access, not security. The need for security has not been diminished and a replacement solution must be found – this is where Zero Trust fits in – it helps provide confidence that your users and devices are appropriately trusted to be able to access your (on premise and cloud-based) services.

Zero Trust Architecture – NCSC

Zero Trust is a term being (mis)used by some product vendors, to push their unique angle on it. To cut through this, the NCSC, along with techUK, are working toward a non-partisan view of the base principles.

As part of this, the NCSC has developed a series of principles that will help people understand and migrate to a zero trust architecture. These principles are still in development and they have recently reduced the 10 alpha principles down to 8 beta principles.

More…

Continue reading Zero-Trust – IT’s an Architectural State of Mind →

New Identity – Old Problem

Like many, during lockdown I’ve been catching up on a number of Webinars. It’s given me the opportunity to do some catch up in the Identity Management field.

During the EEMA annual conference, a distinguished speaker observed “We are in danger of re-inventing the wheel, without learning from the past”, which caused me to reflect on the identity lessons from my identity management past. (Apologies to the speaker, I forgot exactly who made the comment).

My first reflection is:

Identity Management technology is easy
Scalable Identity Management technology is hard
Securely deploying Identity Management technology is hard

Which is where the conundrum lies – the “next generation” see the current solutions as hard to deploy, and think there must be an easier way, and sure enough come up with an idea for “easier technology” – get momentum, then stall because scaling and deploying it is hard!

My second reflection is there are three domains of identity:

Citizen identity
Consumer identity
Business identity

These are fundamentally different things, with different requirements and challenges. Don’t let your “solution” confuse them – you will fail. Yes, there are common technologies that will play a part, but the scalability and deployment challenges are fundamentally different.

My third reflection, I’ve probably been in the game too long to offer new solutions, it is time for the next generation – but please do study history, the challenges are not new.

Out of Office Dilemma

As we approach the Christmas holiday period, I thought I’d share a cautionary tale on setting up your Out-of-Office auto-response. For quite a while now I have been building a relationship with a prospective customer. While I have had discussions with a person there – let’s call him Bob – Bob has worked hard to keep his privacy. Continue reading “Out of Office Dilemma” →

Payment Services Directive

So, Tesco was hacked. Although there is no official word yet on how this happened, the chatter among people far smarter than me are suggesting the issue is related to passwords and the Tesco Club card.

Followers of CyberMatters will recognise that I often blog about password issues. Is there anything new to say on the subject I hear you ask? Yes… Continue reading “Payment Services Directive” →

We cannot let passwords die (yet)

I’m getting fed up with marketing that says “Passwords must die” only to present yet another solution that won’t replace them.

The challenge to solve is ubiquity – this is why passwords have stood the test of time, even with their obvious and proven shortcomings.

Continue reading “We cannot let passwords die (yet)” →

Considerations when Managing IoT Device Keys

As we rapidly advance to the new world of the Internet of Things, security is slowly but surely starting to be talked about. Managing keys is an important part of this discussion.

Continue reading “Considerations when Managing IoT Device Keys” →

How do you dispose of your Smart Home?

A few weeks back, I worked with the SH&BA to publish guidance on the Security of your Smart Home.

Shortly before we went to print I sold my car, and suddenly realised there was a big gap in the document.

Continue reading “How do you dispose of your Smart Home?” →

The Insider Threat

According to the latest UK Cyber Breaches statistics, three-quarters of large organisations suffered a staff-related breach and nearly one-third of small organisations had a similar occurrence within the last year. Continue reading “The Insider Threat” →

Phishing Nets

Phishing is one of the most common forms of cyber-attack at the current time. Effectively attackers try and fool you to providing sensitive data such as user names and password into fake web sites. Continue reading “Phishing Nets” →

Category: Identity and Access Management