Sign up to save your podcasts
Or
Share Ep. 82 Headlines in Cybersecurity–What States Should Know, Day 3: Moving to Zero Trust
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Ep. 82 Headlines in Cybersecurity–What States Should Know, Day 3: Moving to Zero Trust
The three subject matter experts in this discussion give the listener a wonderful perspective on challenges and solutions to moving to Zero Trust.
The interview revolves around tools needed to audit a network, risks inherent in a hybrid cloud, a why a Zero trust platform gives an agency the flexibility it needs to deploy zero trust effectively.
Every discussion about zero trust for government agencies starts with trying to determine what is on your network. Smurti Shah from Michigan notes that tools that commercial organizations can use to accomplish that task may not work in a government environment. Therefore, State and local organizations must select Governance, Risk, and Compliance (GRC) solutions that are permitted.
Ian Farquhar from Gigamon brings up a fascinating issue with the “discovery” aspect of network analysis: cognitive bias. For example, a systems administrator may swear on a stack of bibles that they have documented every single item on the network. Ian mentions simple questions like: What about that copier? Does it ever have sensitive documents on it? What about the printer? If your organization allows employees to bring in devices, what kind of security implications does that bring?
During the discussion, the concept of “trust” was unpacked. We know that trust applies to “who” and “what,” but what about the system itself? Ian Farquhar applies trust to logging and Cloud Service Providers (CSPs).
The Solar Winds event looks like it started with the modification of the logs themselves. If you trust the logs, then you can be vulnerable to attack, one should apply zero trust to log controls.
One approach to minimizing vendor lock-in is to use a hybrid cloud. This adds complexity to an already complicated situation. The CSPs certainly do a wonderful job at telling people about the security of their cloud. Be careful to apply controls to that cloud environment, offloading trust to them can put you at risk.
All participants agreed that zero trust gives the flexibility to handle attacks today and in the future.
View all episodes
By FedInsider
5
55 ratings
The three subject matter experts in this discussion give the listener a wonderful perspective on challenges and solutions to moving to Zero Trust.
The interview revolves around tools needed to audit a network, risks inherent in a hybrid cloud, a why a Zero trust platform gives an agency the flexibility it needs to deploy zero trust effectively.
Every discussion about zero trust for government agencies starts with trying to determine what is on your network. Smurti Shah from Michigan notes that tools that commercial organizations can use to accomplish that task may not work in a government environment. Therefore, State and local organizations must select Governance, Risk, and Compliance (GRC) solutions that are permitted.
Ian Farquhar from Gigamon brings up a fascinating issue with the “discovery” aspect of network analysis: cognitive bias. For example, a systems administrator may swear on a stack of bibles that they have documented every single item on the network. Ian mentions simple questions like: What about that copier? Does it ever have sensitive documents on it? What about the printer? If your organization allows employees to bring in devices, what kind of security implications does that bring?
During the discussion, the concept of “trust” was unpacked. We know that trust applies to “who” and “what,” but what about the system itself? Ian Farquhar applies trust to logging and Cloud Service Providers (CSPs).
The Solar Winds event looks like it started with the modification of the logs themselves. If you trust the logs, then you can be vulnerable to attack, one should apply zero trust to log controls.
One approach to minimizing vendor lock-in is to use a hybrid cloud. This adds complexity to an already complicated situation. The CSPs certainly do a wonderful job at telling people about the security of their cloud. Be careful to apply controls to that cloud environment, offloading trust to them can put you at risk.
All participants agreed that zero trust gives the flexibility to handle attacks today and in the future.