In this case, we're not looking for plot twists.

In the gripping mystery thriller film The Invisible Guest, a wealthy tech entrepreneur finds himself entangled in a murder case and hires a top lawyer to build his defense. As the entrepreneur’s story unwinds, the audience is kept guessing until the final identity is revealed, which, we must confess, we did not see coming. Hopefully the same could not be said for your organization’s technology platforms.

As more and more data and applications move to the cloud, and employees increasingly expect seamless BYOD experiences, companies are looking for identity and access management solutions that balance flexibility with robust security. Whether you’re looking for a new tool, need to integrate or authenticate across new data streams, or create complex multi-tenancy and role-based access rules, we can help. Our technology and data teams can help you identify and implement the right solutions to keep identity records and access rules secure and seamless – so you can keep your business moving forward.

Get smart.

No shade intended for superheroes and middle-aged men flying jets, but if you’re looking for a gripping mystery thriller this weekend, we’d recommend The Invisible Guest. It’s currently streaming on Netflix with English subtitles. That’s right, you get culture points and suspense. And if you’ve been wondering about simulation theory and hoping to find a sci-fi outlet to help you think it through, Sea of Tranquility turned out to be better than When We Cease to Understand the World, in our opinion.

If, after getting all turned around by cinematic and literary plot twists, you want to explore tech solutions, let us know. We can’t deliver time travel, fix the lighting on your moon colony, or help you prep for a Spanish deposition, but real-world identity and access management solutions are right up our alley.

Articles about Identity & Access Management

Are you spending increasing amounts of time reacting to incidents where an end-user clicked on something, downloaded an unknown file, or entered credentials for a document they thought a coworker sent to them? It’s not just you. A recent survey confirmed that cybersecurity threats are on the rise. 53% of IT professionals surveyed indicated an increase in phishing activity since the start of the COVID-19 pandemic.

With remote work continuing for many employees, IT departments find themselves playing defense against these cyberthreats. Sophisticated phishing techniques can catch even the most well-meaning employees off guard. Regardless of how your network is monitored, secured, and maintained, the “human firewall” can be the weakest link in the chain. To combat this, practical security awareness training has become vital.

The need for security awareness training

Security awareness training is necessary to teach employees how to identify potential threats. All employees, regardless of job title and function, are susceptible to attacks. A 2020 MediaPRO and Osterman Research study found that only 17% of employees are very confident that they can identify a social engineering attack, while more than one-quarter of employees (28%) admitted a lack of confidence in identifying a phishing email.

Because company information is readily available through mobile devices, tablets, and laptops, there is always a risk of accidental exposure. Offhand clicks, done without hovering over a link, can spell disaster. Even two-factor authentication isn’t safe from social engineering schemes to obtain passwords and logins.

Importance of security-minded culture

Establishing a culture of security-minded employees goes beyond learning modules and quizzes. Security is the responsibility of all employees that have access to corporate systems. Awareness and training are ongoing activities, not a checkbox to complete once a year. By recognizing good behavior (e.g., thanking employees for forwarding suspicious emails along to the Help Desk), you can continuously instill the importance of each employee’s part in protecting the company. You should use all incidents as teachable moments. But there are some other, less obvious benefits of a security-minded culture.

A security-minded culture protects assets

The average cost of a data breach in 2020 was a staggering $3.86M. Companies need to defend themselves by helping to increase the effectiveness of the “human firewall.”

A security-minded culture empowers employees

Security awareness training can reduce human error and empower your staff to know when an incident is happening. By preparing employees and enabling them to take action (e.g., feeling comfortable saying no when a caller posing as an executive requests sensitive passwords), you will improve employee reaction time and empower your organization’s employees to make decisions to help the organization.

A security-minded culture prevents downtime

Time is money, and downtime can create a significant loss of revenue. When an incident occurs, systems can be taken offline so the incident can be properly investigated and recovered from. If your employees are more security-minded, there will be fewer incidents that cause downtime.

A security-minded culture ensures compliance

Some industries have enhanced scrutiny for employee security awareness. Conducting training ensures that you meet regulations and show that you are doing your due diligence as an employer and vendor.

How to build a successful security awareness training program

Creating, or even improving, your security awareness training program doesn’t have to be a massive undertaking. Because this subject is so top-of-mind, you might find that now is the perfect opportunity to engage your organization and use the momentum to your advantage. Here are some steps to get you started:

Step 1: Gain stakeholder backing

Unfortunately, security can be viewed as a low-value cost center. It is crucial to make sure your program has senior leadership support. Providing research data and your current metrics on the number of phishing emails your organization receives can help you explain the need for investment.

Step 2: Define security awareness education goals

Not all organizations will have the same plans for the subject matter, employee participation, and education methods. Identify security training that meets the needs of your business.

Step 3: Assess your audience

Because security is an organizational issue, your audience probably consists of a wide variety of backgrounds and skillsets. Not everyone going through training is well-versed in cybersecurity, and not everyone learns the same way. Get to know your audience and ensure you are aiming to meet their needs.

Step 4: Develop a program

The education you provide could be administered in many ways, including learning management modules, presentations, and onsite Q&A sessions. Your company should also be performing regular phishing tests to simulate outside threats.

Step 5: Perform ongoing training

Awareness training is not something that should just be done annually, but rather something that takes place on a regular cadence that makes sense for your organization. Making security guidance and education routine ensures that your employees keep up to date. Emerging threats are continuously discovered. Your company culture and meeting cadence can best determine the frequency and methods that work for you.

Step 6: Track results

Metrics provide insight into the effectiveness of the training, as well as provide measurable reports to leadership. Successful training will lead to more reported incidents as employees become more aware. The percentage of employees who have completed training, number of phishing exercises, and total real phishing threats detected are significant numbers to measure.

Gone phishing

Security awareness training is an essential part of any IT strategy, and one that you can’t afford to put off. Remote work paired with an increase in phishing threats creates a dangerous liability for your organization. All employees, regardless of position, need training to prevent a security incident.

Find out more about how Fusion Alliance works with clients to improve security awareness: We partnered with a large, Ohio-based utility company to reduce the risk created when employees use their personal devices at work.

More organizations have shifted to the cloud, completely transforming the way business is done. For many, the days of solely relying on big on-premise data centers are gone, now replaced with a combination of on-premise and cloud-based applications. As the way we store and access data changes, we are forced to come up with new ways to improve infrastructure and keep it secure. That’s where Zero Trust comes in.

No matter where you are on your Zero Trust journey — maybe you’ve never heard of it, maybe you want to try it but don’t know where to start, or maybe you’re in the thick of it — we’re here to walk you through five steps that will help you understand Zero Trust and how it can elevate your data security.

So what is Zero Trust?

Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters and instead must verify anything and everything trying to connect to their systems before granting access. This vendor-neutral design philosophy allows maximum flexibility in designing infrastructure architecture.

Every access request is fully authenticated, authorized, and encrypted before granting access.
Lateral movement is prevented through security policies and least privilege (minimum permissions to do your job).
Rich intelligence and analytics are utilized to detect and respond to anomalies in real time.

The Zero Trust Maturity Model

Traditional

This level is where most organizations are today. Companies that are at this stage have not started their Zero Trust journey, and generally have:

On-premises identity with static rules and some single sign-on (SSO).
Limited visibility available into device compliance, cloud environments, and logins.

Advanced

At this level, an organization has begun its Zero Trust journey and has started to make some progress. The areas of adoption at this stage are usually:

Hybrid identity and finely-tuned policies that gate access to data, apps, and networks.
Devices registered and compliant with IT security policies.
Networks being segmented and cloud threat protection in place.
Analytics that are starting to be used to assess user behavior and proactively identify threats.

Optimal

Although the Zero Trust journey is never complete, at this stage an organization has made great strides and improvements in security through the adoption of:

Cloud identity with real-time analytics and dynamically-gated access to applications, workloads, networks, and data.
Data access decisions governed by cloud security policy engines and secured sharing with encryption and tracking.
Complete Zero Trust in the network – micro-cloud perimeters, micro-segmentation, and encryption are in place.
Implemented automatic threat detection and response.

Steps to achieve Zero Trust

1. Define your protect surface

Define your protect surface based on the most crucial data, applications, assets, and services elements for your business.

2. Map the information within your surface

There are many ways to map transaction flows, and some techniques for defining your protect surface also apply to mapping its transaction flows.

3. Architect a Zero Trust environment

As you develop the architecture, keep in mind ease of operation and maintenance, and flexibility to accommodate protect surface and business changes.

4. Create Zero Trust policy

Zero Trust policy is based on the Kipling Method. This shows you how to decide whether to allow or block traffic and how to create a security policy that safeguards each protect surface.

Who should access a resource?
What application is used to access the resource?
When do users access the resource?
Where is the resource located?
Why is the data accessed — what is the data’s value if lost (toxicity)?
How should you allow access to the resource?

5. Monitor and maintain

Security is a continuous process, as logging and monitoring will reveal needed improvements to make to your policies as your business and infrastructure change. Follow the operational processes you developed when architecting the network to maintain and continually update prevention controls.

Running the Zero Trust marathon

Zero Trust is a marathon, not a sprint. Since it is not a vendor-specific model, you have the ability to adopt this model utilizing a number of different vendors. If you are ready to start your Zero Trust journey or want to talk about where you’re at, reach out to us today.

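The Kipling Method policy from step 4 can be expressed as a default-deny rule check, shown here as an added example that is not code from the original article. The field names, the sample rule, and the sample requests are hypothetical; the list of failed questions it returns is the kind of detail the logging in step 5 would record.

```python
from dataclasses import dataclass, replace
from datetime import time
QUESTIONS = ("who", "what", "when", "where", "why", "how")

@dataclass(frozen=True)
class Rule:                 # one allow rule; all six answers must match
    who: frozenset          # groups allowed to reach the resource
    what: str               # application used for access
    when: tuple             # (start, end) access window, local time
    where: str              # where the resource is located
    why: str                # classification of the data being protected
    how: frozenset          # controls the session must satisfy

@dataclass(frozen=True)
class Request:
    groups: frozenset
    app: str
    at: time
    location: str
    classification: str
    controls: frozenset

def in_window(window, at):
    start, end = window
    wraps = start > end                 # e.g. 22:00-06:00 crosses midnight
    return (at >= start or at < end) if wraps else (start <= at < end)

def failed_questions(rule, req):
    checks = {
        "who": bool(rule.who & req.groups),
        "what": rule.what == req.app,
        "when": in_window(rule.when, req.at),
        "where": rule.where == req.location,
        "why": rule.why == req.classification,
        "how": rule.how <= req.controls,    # every required control present
    }
    return [q for q in QUESTIONS if not checks[q]]

def evaluate(rules, req):   # default deny: (allowed, failures vs closest rule)
    closest = list(QUESTIONS)
    for rule in rules:
        failed = failed_questions(rule, req)
        if not failed:
            return True, []
        if len(failed) < len(closest):
            closest = failed
    return False, closest

# Constructed sample policy and requests (all names hypothetical).
RULES = [Rule(frozenset({"finance"}), "erp-web", (time(7), time(19)),
              "eu-datacenter", "payroll", frozenset({"mfa", "managed-device"}))]
OK = Request(frozenset({"finance", "staff"}), "erp-web", time(9, 30),
             "eu-datacenter", "payroll", frozenset({"mfa", "managed-device"}))
BYOD = replace(OK, controls=frozenset({"mfa"}))    # same user, unmanaged device
```

Here `evaluate(RULES, OK)` allows the request, while `evaluate(RULES, BYOD)` denies it and names "how" as the unmet question.
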
Moving your business to the cloud is inevitable. And it is critical that you can keep your data, your employees’ data, and your clients’ data safe. Global insurance carrier Hiscox reports the average cost to recover from a data breach is $200,000, whereas a study by the Ponemon Institute (sponsored by IBM) estimates the average cost to be $3.92 million.

With data and applications now largely in the cloud and an onslaught of mobile-workplace devices accessing your systems, the focus is no longer on the network. Identity and access are now center stage, and the weight of effectively managing these in the cloud is on your shoulders. But it doesn’t have to be.

Cloud Identity as a Service (IDaaS) is a cloud-based subscription where you pay a third party to manage your identities and access in the cloud, over the internet. In this article, we’ll explain how identity and access management through IDaaS can benefit your company, and you’ll learn about three factors you need to consider before you choose a platform.

Why Cloud Identity as a Service?

With 90% of companies in the cloud, Cloud Identity as a Service platforms have made it easier than ever to provide commercial and enterprise customers with rich and highly secure web experiences across many applications. Whether your customers log in with standard credentials (username and password), social identities (such as Google or Facebook), or their corporate credentials, top vendors such as Microsoft, AWS, Okta, and Auth0 all provide the ability to natively authenticate with dozens of providers.

Companies prefer to offload identity and access management because IDaaS costs less than you would pay to repair a breach and mitigate damage. While estimates vary greatly (depending on many variables, including the type of hack, degree of connectivity, and how the study defines “recovering” from a breach), the bottom line is that a single company’s internal resources are no match for the expertise and layers of security measures implemented by cloud providers. So where do you start?

95% of security breaches in the cloud will be caused by customers. – Gartner prediction

4 benefits to implementing a cloud identity platform

Here are the top four ways your company will benefit from a cloud identity platform:

1. Improve total cost of ownership and reduce risk

Your company no longer needs to store sensitive passwords in a database, stay up to speed on the latest cryptographic algorithms, or implement the latest single sign-on protocols. This is all managed for you in the cloud identity platform.

2. One login across multiple services

As companies move away from the monolithic application to the microservice, it’s becoming more painful to manage authentication across services. Token-based single sign-on allows users to move seamlessly across applications and services within your organization.

3. Corporate and social providers easily accommodated

IT departments are mandating that corporate vendors and partners honor their corporate credentials for accessing web-based systems. Cloud identity platforms make this simple by supporting standard protocols like OpenID Connect and SAML to onboard new customers in a matter of hours.

4. Decreased risk through multi-factor and password-less authentication

Passwords are insecure. At its Ignite conference in 2020, Microsoft revealed that it now has over 150 million users authenticating without passwords, and the world is a more secure place because of it. This is made possible by leveraging other modes of authentication such as mobile-based one-time passcodes and authenticator apps that allow users to verify their identity by what they have, not what they know.

3 factors to consider before you choose a cloud identity platform

At this point, you might want to start researching your different options. Despite being simple for the end user and administrator, there are some very important design considerations to think about as you compare cloud identity platforms.

1. Price

Cost savings is a huge factor for most companies switching to IDaaS. On-site identity management often comes with the cost of servers, software costs, maintenance and upgrade fees, and the cost to actually manage the security. But IDaaS saves you from all of that – typically you’re simply paying for the subscription fee. The subscription will look different depending on how you’re planning to use the platform, and going into the conversation knowing what you want can allow you to only pay for what you need (e.g., number of identities, frequency of authentication, etc.).

2. Configuration options

All vendors, either loosely or strictly, conform to the standard OAuth and OpenID Connect protocols for issuing tokens. Unfortunately, some vendors introduce their own terminology, and the specification itself is lengthy and complex. If misconfigured, it is far too easy to end up with a system that is unmaintainable at best and insecure at worst. Having a trusted partner who has implemented these systems is key to success.

3. Additional security features

The top vendors also include advanced security features, such as brute-force detection, anomaly detection, breached passwords, and advanced logging and analytics. All of these features give you and your customers added protection against attackers trying to gain access to your systems. You’ll have improved cybersecurity and be saving time with fewer password resets and faster logins.

What’s next?

With all of your data moving to the cloud, and employees and clients conducting business on personal devices, how can you make it work for you? Cloud Identity as a Service can be the answer. So, if you’re ready to move to a platform that delivers the security and peace of mind you need for your business, or just want to figure out where to start, talk to us.