By Arthur Moses Opio and Gilbert Nsanzimana
Picking up from the first webinar on Building Blocks For Effective Cybersecurity Organisational Framework Yesterday 28th April 2022, NITA-U had yet another exciting topic on the Principles of Zero Trust. The speaker was Bernard Wanyama and the highlights from the talk are documented below;
"Zero Trust Architecture is a way of approaching cyber security, information security, network security and access control in light of modern threats and challenges and overcoming weaknesses in legacy models" - Bernard Wanyama
While starting his talk, he said the the essence of security today is that you are really trying to work out trust, safe guard it and ensure that is not misplaced especially where human transactions are involved, the more the trust, the more value humans attach.
In regards to the definition of trust, some of the key words are confidence, honesty, ability, accuracy, safety, strength, reliability, etc.
Here thereafter said and we quote;
"Human transactions are guided by the concept of Trust" - Bernard Wanyama
These are the key highlights from the webinar session;
1. Trust but Verify
Mr. Wanyama mentioned that, the "Trust" but "Verify" saying was coined in the 1980s during the cold war by Ronald Reagan.
The "Zero Trust Model" was coined by Forrester Research Analyst and Thought leader John kindervag in 2010. The key thing is to never trust but always verify and all this is based on the assumption that risk is an inherent factor both inside and outside the network.
2. Zero trust Timeline
a) In 1994, Through his Masters Thesis, Paul Marsh came up with the concept on Zero Trust
b) In 2003, The Jericho Forum of CISOs came up with with the idea of doing away with the network perimeter (De-Permiterisation)
b) In 2009, The first large scale Zero trust network architecture build was done by Google, BeyondCorp.
c) In 2010, John Kindervag of the Forrester Analyst coins the Zero-Trust paradigmn as a theme
d) In 2018, US government comes up with the NIST SP 800-207 publication on Zero Trust Architercture
e) In 2021, The Biden administration comes up with a US Federal government mandate.
3.Why does Zero Trust Matter?
He mentioned two key parameters;
a) The human concept of boundaries
b). The evolving nature of risk and threats
"All computer or digital or virtual infrastructure is built upon our understanding of the natural world, that's what motivates and inspires the digital world" - Bernard Wanyama
"Human beings import their biases into digital cyber operations " - Bernard Wanyama
While expounding on the human concept of fences, he mentioned and we quote;
"Walls and perimeters had their limitations, that's why we are having a discussion on the threats and risks today" - Bernard Wanyama
In regards to Landscape SHIFT. He said that the evolving nature of risks and threats is pushing that.
In the workforce, The new targets are on Identity, he said 81% of breaches involved compromised credentials.
In the workloads, The new target is on apps, he said 54% of web app vulnerabilities have a public exploit available
In the workplace, The new target is Devices especially with the advent of Internet of things (IoTs), 300% increase in IoT malware variants.
The Landscape Has Evolved - and he says this is more reason for Zero Trust
"A lot of employees are working outside the perimeter/outside the organization. remote users, cloud applications, third parties." - Bernard Wanyama
"There is a lot of opening up and that results to increased access, attack surface and gaps in visibility " - Bernard Wanyama
"Other people have moved to the cloud without knowing what's there. This results in excessive TRUST being granted, you have business going first while risk management is lagging" - Bernard Wanyama
4. Three Principles of Zero Trust
a) Continuous verification
b) Limit the "Blast Radius"
d) Automate context collection and response
He said and we quote,
"Only grant security access to what a subject needs, if one is moving from one perimeter to another, there must be authentication" - Bernard Wanyama
Trust is Temporary
We were cautioned that trust is temporary and that we should not just grant access without verification, he said this and we quote;
"Just because someone was appointed the ED in the last days, it does not mean that they should not be verified before giving them access to resources requested"
He mentioned these four areas to focus on while knowing that trust is temporary;
a) Focus on protecting data
b) Assume all environments are hostile
c) Authorize and encrypt transactions
d) All activity is logged
5. The Key Takeaways as he concluded were
a) Perimeter no longer exists
b) Identity and credentials are the new perimeter
c) Assume breach
d) Insiders carry the greatest risk(as targets and threats)
While making his last remarks, he said and we quote;
"Insiders carry the greatest risk--as targets and as threats" - Bernard Wanyama
To find out more from this rich discussion, Click This YouTube Video for your viewing.
Follow these key social media handles on Twitter @DICTSMakerere @NITAUganda1 @NITAUgandaED @CERT_UG so that you do not miss out on key information regarding the cyber security webinar series.
Let us build the human firewall, we are better off safe than sorry.
#InfosecUG #BeSafeOnlineUG