Neil Thacker is EMEA CISO for SASE provider Netskope with over 20 years’ experience in the information security industry. We recently sat down with Neil to discuss Zero Trust and how companies can approach the issue of trust in this new remote working landscape.
What is Netskope’s philosophy when it comes to adopting Zero Trust in the cloud?
The original principles of Zero Trust focussed on proving the identity of the user and the device, shifting the central tenant of security policies from ‘trust but verify’ to ‘verify then trust’. However, in practice, that is a problematically finite statement; overly permissive in non-static environments while being simultaneously inflexible.
‘Verify then trust’ assumes that, once verified, you are good to go in perpetuity. And, if not verified, then permanent blocking is justified. The first option leaves a significant hole in an organisation’s defences, and the latter will impinge upon business productivity.
At Netskope we believe that what is actually needed in a cloud-first, perimeterless environment, is something that is continuously adapted. The unequivocal verbiage of ‘zero’ is ill-suited in such a nuanced environment. Context is key and trust judgements require insight to effectively determine grades of permission.
Our approach focuses on continuous adaptive trust, using insight to issue and retract dynamic permissions so that organisations can maximise business productivity without any unnecessary exposure.
How has the rise in remote working changed how companies approach this issue?
Traditional remote access VPN solutions have been put under significant pressure as organisations switched en masse to remote working. Many remote access solutions failed because they were not designed for cloud and relied on workarounds and ad hoc routing to enable remote access.
As a result of these challenges, companies are increasingly switching to Zero Trust Network Access (ZTNA), which lowers the risk that malicious insiders or cybercriminals with stolen credentials will gain remote access to an organisation’s networks, applications and data – whether in public or private clouds, or even private data centres.
When delivered in the cloud using a high-capacity global network infrastructure, ZTNA can also enable remote access that scales to meet the needs of any dramatic increase in remote working requirements, without slowing access times or routing data unnecessarily.
How do you balance permission and restriction?
Zero Trust appeals to security professionals because it sounds unequivocally safe and secure. If you don’t trust anyone, you can’t get hurt, but even as security professionals might joke about how much easier our jobs would be without a user base of employees, we must acknowledge that giving access is as much a part of our job as restriction and blocks.
This means that it’s vital to have an approach that is nuanced and context-driven, rather than governed by rigid, inflexible rules.
Taking this kind of continuous adaptive trust approach has three key advantages:
- There are more opportunities to provide some degree of access, to reorient the majority of security decisions away from “no” towards “yes, but with conditions…”
- Inappropriate access is constrained, reducing the fallout zone should an account be compromised
- Security teams have visibility over sensitive data types, locations, and movements
By creating an environment of greater flexibility and adaptability you are better able to manage concerns around access and can communicate the reasons behind why restrictions have been put in place.
Can you explain how SASE supports continually adaptive trust?
Secure Access Service Edge (SASE) is a relatively new architectural model for securing a perimeter-less IT real-estate like the cloud. It brings significant advantages when working on a Zero Trust approach because of the visibility and insights it allows.
Once companies have adopted a SASE architecture, it is possible to create an environment of ‘continuous adaptive trust’ across users, devices, networks, applications and data. The wealth of contextual insight available within a SASE platform removes the requirement to place implicit trust or to base permission decisions on single pieces of information (an IP address for example). Decisions can be based upon a tailored set of constantly reassessed parameters, built using several contextual elements intertwined (e.g. user identity + device identify + time + geolocation + business role + data type).
And because with SASE the security policy follows the data, not the user or device, the resource itself is effectively determining the appropriate level of trust, only for a specific interaction, reassessed each time a parameter changes. For example, a manager may need regular access to a particular data set at the end of the quarter in order to conduct regular analysis but may not need visibility outside of this time period, under a SASE environment the access can be restricted to these strict parameters.
It is clear in this modern cloud environment that evaluating trust at the start of an interaction alone is insufficient. This trust assessment can and should take place during the initial interaction but must continue throughout the lifecycle of an employee no matter how high the rise in the organisation. SASE means that the context of each interaction can be continuously evaluated, so changes can be made to the type of access that is appropriate in real-time.
How can organisations prioritise cloud security without compromising network performance?
Security and networking teams know there is need for closer collaboration, and many are even looking to converge teams and budgets, adopting a SASE (Secure Access Service Edge) architecture as a way to ensure neither performance nor protection is de-prioritised.
But these transitions are not easy. I find that if both teams agree on a joint set of metrics for digital risk, network performance, and user experience at the beginning, it helps to establish a consensus before making any procurement decision or architecture change. Second, the visibility SASE offers can drive greater collaboration by revealing the reality of the business through a whole new set of detailed insights. This then allows teams to identify opportunities for service and policy improvement as well as identifying emerging risks and developing strategies to manage these within a risk appetite.
What role does the workforce have to play in maintaining continually adapting trust?
Information security is something every employee should be conscious of but, while security teams have to ensure they stay on top of new cloud risks and threats, we cannot expect employees to successfully identify and navigate the tenacious efforts of malicious actors without some education.
Maintaining a state of continually adaptive trust can mitigate the impact once a breach happens, but it only takes one simple error or misconfiguration to passively expose sensitive or regulated data, and malicious actors are working hard to make their traps harder for the average employee to spot.
It is our responsibility to equip the workforce to keep data safe, and the traditional take-away message of ‘do not click suspicious links’ is no longer helpful. Raising awareness is the first step but the goal needs to be ‘activation’; when people feel accountable and responsible for security – reaching a point where every employee comes with a mindset of continually adaptive trust, then you are able to mitigate those threats before they even get to the security team.