Article 7: Zero Trust

What is Zero Trust?

Girls4Tech

Threatcasting

Zero Trust is a security strategy founded on this principle: You must assume the breach of your network.

Gone are the days of the “castle and moat,” where access is allowed blindly from anywhere within the confines of your network.

Zero Trust calls for organizations to assume that any request for access is from a threat actor — perhaps one who has already crossed the moat, entered the castle and impersonated an employee.

A threat actor who has infiltrated your once-thought-of-as-safe corporate environment tries their best to move across it, exfiltrate data and take down services — everything that keeps a CISO up at night.

Under the Zero Trust model, organizations evaluate access to systems or data based on sources that provide more context around who is accessing what from where.

At Mastercard, we are investing in best practices from groups like CISA,

the U.S. government’s Cybersecurity and Infrastructure Security Agency, which has published well-known examples of using Zero Trust.

Here are some guidelines you can follow:

Focus on the data

The amount of friction involved in accessing data should directly correlate to its level of sensitivity. That way, users will more likely accept the new guardrails. Warning: You may get pushback. Stakeholders may balk at additional controls and hurdles that you are putting in front of the data you need to protect. However, you can create a tailored approach and implement these hurdles based on the sensitivity of the data. For instance, if the data you are safeguarding is not confidential in nature and does not contain important business data, the access model you define for it should be less restrictive than for more sensitive data.

Define your conditions

Put the pieces together

Communication is key

Focus on the data

Define your conditions

Put the pieces together

Communication is key

After developing a classification model, you must then define conditions on accessing the data. This means using the 4 Ws: who, what, when and where.Highly confidential data, for instance, may be defined as accessible only from corporate-managed devices, from users who have installed multifactor authentication or from certain jurisdictions. It is highly important that you coordinate these specific requirements with the data owners and your legal departments where necessary.

Focus on the data

Define your conditions

Put the pieces together

Communication is key

Defining your data classification model and access conditions will guide your implementation requirements and, better yet, ensure your conditions are enforceable. Your mobile device management platform, for example, must feed your policy engine so that you can detect the type of device and its patch level.Your behavioral analysis tool should integrate with your access management tool so that you can take appropriate action based on risk. The conditions you set are only as good as your ability to determine whether these conditions are met.

Focus on the data

Define your conditions

Put the pieces together

Communication is key

Access models are likely to add friction to the user experience for both data owners and end users, so setting expectations early and often is critical. The security benefits of these hurdles — and the behavioral changes needed to create a safer ecosystem — must be made clear. The goal is to make security as invisible and frictionless as possible — without compromising the safety and security of your organization.

Fixing the gap: The secret to fighting BIN attacks

Focus on the data

Define your conditions

Put the pieces together

Communication is key

Home

Threatcasting

BIN attacks

CISO Lessons

CISCO lessons learned

Ransomware

The Trust Center

Power of STEM

Zero Trust

Zero trust

Zero Trust

Threatcasting

BIN Attacks

Ransomware

The Trust Center

Power of STEM

Threatcasting

BIN attacks

CISO Lessons

What is Zero Trust?

Girls4Tech

Threatcasting

Zero Trust is a security strategy founded on this principle: You must assume the breach of your network.

Here are some guidelines you can follow:

At Mastercard, we are investing in best practices from groups like CISA,

the U.S. government’s Cybersecurity and Infrastructure Security Agency, which has published well-known examples of using Zero Trust.

Focus on the data

Define your conditions

Put the pieces together

Communication is key

Focus on the data

Define your conditions

Put the pieces together

Communication is key

The amount of friction involved in accessing data should directly correlate to its level of sensitivity. That way, users will more likely accept the new guardrails.

Focus on the data

Define your conditions

Put the pieces together

Communication is key

After developing a classification model, you must then define conditions on accessing the data. This means using the 4 Ws: who, what, when and where.

Highly confidential data, for instance, may be defined as accessible only from corporate-managed devices, from users who have installed multifactor authentication or from certain jurisdictions. It is highly important that you coordinate these specific requirements with the data owners and your legal departments where necessary.

Focus on the data

Define your conditions

Put the pieces together

Focus on the data

Define your conditions

Put the pieces together

Communication is key

Home

Threatcasting

BIN attacks

CISO Lessons

CISCO lessons

Ransomware

The Trust Center

Power of STEM

Zero Trust

Zero trust

Zero Trust calls for organizations to assume that any request for access is from a threat actor — perhaps one who has already crossed the moat, entered the castle and impersonated an employee.

Gone are the days of the “castle and moat,” where access is allowed blindly from anywhere within the confines of your network.

Under the Zero Trust model, organizations evaluate access to systems or data based on sources that provide more context around who is accessing what from where.