Foreword
Greetings, and welcome to the seventh edition of Atos Digital Security Magazine, our forum for views on digital security and trends from Atos and partner experts!
The concept of zero trust was somewhat ambiguous before the Biden administration declared it a strategy in January’s White House Memorandum on Federal Zero Trust Strategy (M-22-09). As a result, US policy now recognizes and endorses zero trust as a foundational tenet of cybersecurity. However, zero trust is still defined primarily by what it is not. It’s not a product, not an appliance, not software, etc.
Through our experience, we know that zero trust is an orchestration of processes and technology for protecting data in zones where the data owner grants no implicit access or privileges (that is, no "trust") to any user simply because that user is present in the environment where the data lives. However, even that definition is not specific enough to provide meaningful context and guidelines for realizing the full benefits of zero trust.
Trust is never granted implicitly and must be continually evaluated.
Dan Schaupner
Head of Digital Security Consulting, North America
Allen Moffett
Global IAM Practice Lead & CTO
In a zero trust world, there is no perimeter or secure zone. The focus is on the premise that “trust is never granted implicitly and must be continually evaluated.” The actor must be authenticated, authorized and continuously validated before being granted access to applications and data.
Authentication and authorization are no longer discrete events. It is no longer acceptable to trust that the actor you just authenticated is still the one performing the current action. It very well could be a clever impersonator. The actor may be a human (such as an employee or customer), but increasingly, these actors are something else, like a device or a robotic process. These diverse use cases can be complex to properly address end-to-end in a way that provides sufficient controls while adding little or no friction to the action.
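As an added illustration (not from the original page and not Atos code), the per-request re-evaluation described above can be sketched as a small policy decision function: every call re-checks session age, the device the session was bound to at login, current device posture and, for sensitive resources, the freshness of the second factor, instead of trusting a flag set at login. The session, request and posture records are constructed inline, and the thresholds and field names are assumptions.

```python
"""Per-request access evaluation in the zero trust sense. Constructed example;
rules, thresholds and data shapes are assumptions, not a product's policy model."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

SESSION_MAX_AGE = timedelta(hours=8)    # assumed hard session lifetime
MFA_FRESHNESS = timedelta(minutes=15)   # assumed step-up window for sensitive resources


@dataclass
class Session:
    user: str
    device_id: str                      # device the session was bound to at login
    source_ip: str                      # network the user authenticated from
    authenticated_at: datetime
    mfa_at: Optional[datetime]          # last successful second factor, if any


@dataclass
class Request:
    session_id: str
    device_id: str
    source_ip: str
    resource: str
    sensitive: bool                     # sensitive resources require fresh MFA


@dataclass
class Decision:
    outcome: str                        # "allow", "deny" or "step_up"
    reason: str


def evaluate(req: Request, sessions: Dict[str, Session],
             posture: Dict[str, dict], now: datetime) -> Decision:
    """Evaluate one request from scratch; nothing from a previous decision is reused."""
    sess = sessions.get(req.session_id)
    if sess is None:
        return Decision("deny", "no session")
    if now - sess.authenticated_at > SESSION_MAX_AGE:
        return Decision("deny", "session expired")
    # A session token alone says nothing about who holds it now: bind it to the device.
    if req.device_id != sess.device_id:
        return Decision("deny", "device does not match session binding")
    # Device posture is read on every request, never cached from login time.
    if not posture.get(req.device_id, {}).get("compliant", False):
        return Decision("deny", "device not compliant")
    # A network change is a signal; re-establish trust rather than reject outright.
    if req.source_ip != sess.source_ip:
        return Decision("step_up", "network changed since authentication")
    if req.sensitive and (sess.mfa_at is None or now - sess.mfa_at > MFA_FRESHNESS):
        return Decision("step_up", "fresh MFA required for sensitive resource")
    return Decision("allow", "all checks passed")


def demo() -> Dict[str, str]:
    """Run a constructed set of requests and return outcome per scenario name."""
    now = datetime(2022, 6, 1, 12, 0, tzinfo=timezone.utc)
    sessions = {
        "s1": Session("alice", "dev-A", "10.0.0.5",
                      now - timedelta(hours=1), now - timedelta(minutes=5)),
        "s2": Session("bob", "dev-C", "10.0.0.7",
                      now - timedelta(hours=2), now - timedelta(minutes=30)),
    }
    posture = {"dev-A": {"compliant": True}, "dev-C": {"compliant": True}}
    cases = {
        "normal": Request("s1", "dev-A", "10.0.0.5", "/reports", False),
        "sensitive_fresh_mfa": Request("s1", "dev-A", "10.0.0.5", "/payroll", True),
        "stolen_token_other_device": Request("s1", "dev-B", "10.0.0.5", "/reports", False),
        "moved_network": Request("s1", "dev-A", "203.0.113.9", "/reports", False),
        "unknown_session": Request("s9", "dev-A", "10.0.0.5", "/reports", False),
        "sensitive_stale_mfa": Request("s2", "dev-C", "10.0.0.7", "/payroll", True),
    }
    results = {name: evaluate(r, sessions, posture, now).outcome for name, r in cases.items()}
    # Posture can change mid-session; the same request that passed is now denied.
    posture["dev-A"]["compliant"] = False
    results["posture_drift"] = evaluate(cases["normal"], sessions, posture, now).outcome
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} {outcome}")
```

The point of the example is that the decision is a pure function of the current request and current signals; the only state carried from login is the binding (device, network, time of authentication), and each of those bindings is a reason to deny or to step up when it no longer holds.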
When a security control adds too much friction, the actor finds a way to bypass the control or makes a business case for an exception. A consumer will likely go to a competitor that offers a better experience. The right response to that pressure is not to weaken the controls over business or customer data. So, how do you validate every step along the way, especially if some of those steps are outsourced and require you to trust a third party?
The right balance between a purist view of zero trust and the cost of implementing it must be decided in terms of risk, since zero trust solutions can get very expensive very quickly.
In this edition of Atos Digital Security Magazine, our experts will try to resolve the tension between zero trust as an established approach and the varying ways that the cybersecurity industry describes it. The Atos position is that zero trust is necessary for ensuring service delivery, economic stability and individual privacy, as well as compliance and risk management. If you’re not convinced, consider that logistics executives are identifying trust and data sharing as a critical problem in the global supply chain issues we are currently facing. Maybe it’s not too much to say that zero trust can help us solve a significant global economic issue.
June 2022