What is Zero Trust?
Zero Trust is a security strategy founded on this principle: You must assume the breach of your network.
Gone are the days of the “castle and moat,” where access is allowed blindly from anywhere within the confines of your network.
Zero Trust calls for organizations to assume that any request for access is from a threat actor — perhaps one who has already crossed the moat, entered the castle and impersonated an employee.
A threat actor who has infiltrated your once-thought-of-as-safe corporate environment tries their best to move across it, exfiltrate data and take down services — everything that keeps a CISO up at night.
Under the Zero Trust model, organizations evaluate access to systems or data based on sources that provide more context around who is accessing what from where.
At Mastercard, we are investing in best practices from groups like CISA, the U.S. government’s Cybersecurity and Infrastructure Security Agency, which has published well-known examples of using Zero Trust.
Here are some guidelines you can follow:
Focus on the data
The amount of friction involved in accessing data should directly correlate to its level of sensitivity. That way, users will more likely accept the new guardrails.
Warning: You may get pushback. Stakeholders may balk at additional controls and hurdles that you are putting in front of the data you need to protect. However, you can create a tailored approach and implement these hurdles based on the sensitivity of the data. For instance, if the data you are safeguarding is not confidential in nature and does not contain important business data, the access model you define for it should be less restrictive than for more sensitive data.
Define your conditions
After developing a classification model, you must then define conditions on accessing the data. This means using the 4 Ws: who, what, when and where. Highly confidential data, for instance, may be defined as accessible only from corporate-managed devices, from users who have enrolled in multifactor authentication or from certain jurisdictions. It is highly important that you coordinate these specific requirements with the data owners and your legal departments where necessary.
Put the pieces together
Defining your data classification model and access conditions will guide your implementation requirements and, better yet, ensure your conditions are enforceable. Your mobile device management platform, for example, must feed your policy engine so that you can detect the type of device and its patch level. Your behavioral analysis tool should integrate with your access management tool so that you can take appropriate action based on risk. The conditions you set are only as good as your ability to determine whether these conditions are met.
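To make the two preceding sections concrete, here is an added example of a small policy-evaluation routine; it is not Mastercard's code or the policy engine of any product. It assumes four hypothetical classification levels, a handful of context signals (MFA status, managed-device flag and patch age as an MDM platform would feed them, jurisdiction, and a risk score from behavioral analytics), and an approved-jurisdiction set that is a placeholder. The point it shows that the prose alone does not: conditions scale with sensitivity, and a condition whose signal is missing fails closed, because a condition you cannot verify is not enforceable.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, Optional

class Sensitivity(IntEnum):
    """Hypothetical classification levels; higher means more friction."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    HIGHLY_CONFIDENTIAL = 3

@dataclass
class AccessContext:
    """The 4 Ws for one access request. None means the signal was not available."""
    user: str                                   # who
    sensitivity: Sensitivity = Sensitivity.INTERNAL  # what
    mfa_verified: Optional[bool] = None         # who: identity provider signal
    device_managed: Optional[bool] = None       # where: MDM signal
    patch_age_days: Optional[int] = None        # where: MDM signal
    jurisdiction: Optional[str] = None          # where: network/geo signal
    risk_score: Optional[float] = None          # behavioral analytics, 0.0 (low) to 1.0 (high)

@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)

ALLOWED_JURISDICTIONS = {"US", "GB", "IE"}   # placeholder; set with legal and data owners
MAX_PATCH_AGE_DAYS = 30                      # placeholder threshold
RISK_DENY = 0.8                              # placeholder threshold

def _known(value, predicate: Callable) -> Optional[bool]:
    """Return None when the signal is missing, else the predicate result."""
    return None if value is None else predicate(value)

# (minimum sensitivity at which the condition applies, description, check)
RULES = [
    (Sensitivity.INTERNAL, "risk score below deny threshold",
     lambda c: _known(c.risk_score, lambda r: r < RISK_DENY)),
    (Sensitivity.CONFIDENTIAL, "multifactor authentication verified",
     lambda c: _known(c.mfa_verified, lambda m: m is True)),
    (Sensitivity.CONFIDENTIAL, "corporate-managed device",
     lambda c: _known(c.device_managed, lambda d: d is True)),
    (Sensitivity.HIGHLY_CONFIDENTIAL, f"device patched within {MAX_PATCH_AGE_DAYS} days",
     lambda c: _known(c.patch_age_days, lambda a: a <= MAX_PATCH_AGE_DAYS)),
    (Sensitivity.HIGHLY_CONFIDENTIAL, "request from an approved jurisdiction",
     lambda c: _known(c.jurisdiction, lambda j: j in ALLOWED_JURISDICTIONS)),
]

def evaluate(ctx: AccessContext) -> Decision:
    """Apply every rule at or below the resource's sensitivity; fail closed on missing signals."""
    reasons = []
    for min_level, description, check in RULES:
        if ctx.sensitivity < min_level:
            continue  # this hurdle is not required for less sensitive data
        result = check(ctx)
        if result is None:
            reasons.append(f"deny: cannot verify '{description}' (signal missing)")
        elif not result:
            reasons.append(f"deny: condition failed '{description}'")
    if reasons:
        return Decision(False, reasons)
    return Decision(True, [f"allow: all conditions for {ctx.sensitivity.name} met"])

def sample_requests() -> dict:
    """Constructed sample requests (not real data) and the decision for each."""
    requests = {
        "public_doc": AccessContext("alice", Sensitivity.PUBLIC),
        "confidential_ok": AccessContext("alice", Sensitivity.CONFIDENTIAL,
                                         mfa_verified=True, device_managed=True, risk_score=0.1),
        "confidential_no_mdm_feed": AccessContext("bob", Sensitivity.CONFIDENTIAL,
                                                  mfa_verified=True, risk_score=0.1),
        "highly_conf_stale_patch_bad_geo": AccessContext("carol", Sensitivity.HIGHLY_CONFIDENTIAL,
                                                         mfa_verified=True, device_managed=True,
                                                         patch_age_days=45, jurisdiction="XX",
                                                         risk_score=0.2),
        "highly_conf_ok": AccessContext("carol", Sensitivity.HIGHLY_CONFIDENTIAL,
                                        mfa_verified=True, device_managed=True,
                                        patch_age_days=3, jurisdiction="US", risk_score=0.2),
    }
    return {name: evaluate(ctx) for name, ctx in requests.items()}

if __name__ == "__main__":
    for name, decision in sample_requests().items():
        print(f"{name}: {'ALLOW' if decision.allow else 'DENY'}")
        for reason in decision.reasons:
            print(f"   - {reason}")
```

The request `confidential_no_mdm_feed` is the case the last sentence of the section is about: the policy says "managed device", but the MDM platform never told the engine anything, so the engine denies rather than guessing. Wiring that feed is what makes the condition enforceable.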
Communication is key
Access models are likely to add friction to the user experience for both data owners and end users, so setting expectations early and often is critical. The security benefits of these hurdles — and the behavioral changes needed to create a safer ecosystem — must be made clear. The goal is to make security as invisible and frictionless as possible — without compromising the safety and security of your organization.