Zero Trust – What Is It and Should You Care?

Zero Trust is a term that gets thrown around a lot, but what does it actually mean? Zero Trust is a security model whose core rule is as simple as the name suggests: "never trust, always verify". No user, device, or application is trusted by default because of where it sits on the network; every request for access to an organization's assets must be authenticated and authorized, and that verification is repeated for each request rather than granted once at login. In practice this means you cannot assume that users or applications inside your network are who they say they are. The idea has become more relevant as the traditional network perimeter has been eroded by cloud environments and employees working from home (WFH). A Zero Trust architecture can add value to an organization's data and security infrastructure in numerous ways, not least because it forces the organization to write down explicit access policies and enforce them consistently at every request.

With the rise of decentralized workforces and less clearly defined network perimeters, there is an evolving need to change how we think about defense in depth. Firewalls and DMZs are no longer sufficient on their own, and that is where Zero Trust comes into play: identity, together with its continuous verification and the posture of the device making the request, becomes the new perimeter. In an ideal environment, even if an attacker is able to breach the network, they should find their access relatively limited, because each account, application, and user requires continuous verification. If a remote worker's account is compromised, the breach should be confined to what that one account is authorized to reach; the attacker should find little usable data and should struggle to move laterally through the network to a more advantageous foothold. Note that Zero Trust limits the blast radius of a compromised account; it does not by itself prevent the compromise, so phishing-resistant multi-factor authentication still matters. A similar result can be achieved through operational excellence in implementing least privilege and user access controls. Least privilege is the principle that a user account, application, or process should have only those privileges essential to its intended function and nothing more. Access controls verify a user's identity and limit access to resources and information to only those users, applications, and processes that are authorized. While there are many tools that can help you achieve Zero Trust, its principles are rooted in controls you should already be practicing, such as least privilege and user access controls.

While some enterprise-level organizations may feed behavioral data and analytics through Security Information and Event Management (SIEM) systems to enhance their Zero Trust posture, any organization can build a reliable Zero Trust posture with the right policies and buy-in. To get there, you need to apply the principle of least privilege, implement access control systems, and regularly review those permissions and policies, removing access that is no longer needed. You will also likely need a Mobile Device Management (MDM) tool so that the compliance state of each device (patch level, disk encryption, endpoint protection) can feed into access decisions; a Zero Trust policy cannot reason about a device it knows nothing about. Failure to enforce other basic security practices, such as encrypting data at rest, can undermine the effectiveness of your Zero Trust posture. It is always a good idea to routinely perform internal security audits to identify any additional shortcomings in your security posture and practices.
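The combination of least privilege, per-request access control, MFA freshness, and device compliance described above can be made concrete as a small policy decision point. The following Python block is an added example written for this page, not code from CyberData Pros or from any Zero Trust product; the policy table, the role and resource names, the device inventory, and the MFA freshness windows are constructed for illustration and are not drawn from the page.

```python
"""Added example: a minimal Zero Trust policy decision point (PDP).

Every request is evaluated from scratch (default deny), network location is
recorded but never used to grant access, MFA must be fresh, the device must be
reported compliant, and the role-to-resource table encodes least privilege.
All names, roles, devices and time windows below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: FrozenSet[str]
    mfa_verified_at: Optional[datetime]  # last successful MFA; None if never
    device_id: str
    network: str        # "corp-lan" or "internet"; kept for audit only, never trusted
    resource: str
    action: str


# Least-privilege policy: role -> resource -> permitted actions.
# Anything not listed is denied. (Constructed sample policy.)
POLICY: Dict[str, Dict[str, FrozenSet[str]]] = {
    "engineer": {"git": frozenset({"read", "write"}), "ci": frozenset({"read"})},
    "finance": {"ledger": frozenset({"read", "write"})},
    "support": {"ticketing": frozenset({"read", "write"}), "ledger": frozenset({"read"})},
}

# Compliance state as an MDM would report it (constructed). Unknown devices are non-compliant.
DEVICE_COMPLIANT: Dict[str, bool] = {"lt-0017": True, "lt-0042": False}

# Continuous verification: MFA is re-required after these windows (assumed values).
MFA_MAX_AGE = timedelta(hours=8)
SENSITIVE_RESOURCES = frozenset({"ledger"})
SENSITIVE_MFA_MAX_AGE = timedelta(minutes=15)


def decide(req: AccessRequest, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). All checks must pass; the first failure wins."""
    if req.mfa_verified_at is None:
        return False, "no MFA on record"
    max_age = SENSITIVE_MFA_MAX_AGE if req.resource in SENSITIVE_RESOURCES else MFA_MAX_AGE
    if now - req.mfa_verified_at > max_age:
        return False, f"MFA older than {max_age}; re-authentication required"
    if not DEVICE_COMPLIANT.get(req.device_id, False):
        return False, f"device {req.device_id} not compliant or not enrolled"
    for role in sorted(req.roles):
        if req.action in POLICY.get(role, {}).get(req.resource, frozenset()):
            return True, f"allowed by role {role}"
    return False, f"no role grants {req.action} on {req.resource}"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Evaluate a handful of constructed requests; returns decisions keyed by label."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    recent = now - timedelta(minutes=5)
    stale = now - timedelta(hours=2)
    cases = {
        # Working from home on a compliant laptop: network location does not matter.
        "alice_git_from_internet": AccessRequest(
            "alice", frozenset({"engineer"}), stale, "lt-0017", "internet", "git", "write"),
        # On the corporate LAN, but MFA is 2h old for a sensitive resource: re-verify.
        "bob_ledger_stale_mfa": AccessRequest(
            "bob", frozenset({"finance"}), stale, "lt-0017", "corp-lan", "ledger", "write"),
        # Fresh MFA, but the laptop is out of compliance according to the MDM.
        "bob_ledger_bad_device": AccessRequest(
            "bob", frozenset({"finance"}), recent, "lt-0042", "corp-lan", "ledger", "read"),
        # Support may read the ledger but not write it: least privilege.
        "carol_ledger_write": AccessRequest(
            "carol", frozenset({"support"}), recent, "lt-0017", "corp-lan", "ledger", "write"),
        # A compromised account with no MFA, inside the network, gets nothing.
        "mallory_no_mfa": AccessRequest(
            "mallory", frozenset({"engineer"}), None, "lt-0017", "corp-lan", "git", "read"),
    }
    return {label: decide(req, now) for label, req in cases.items()}


if __name__ == "__main__":
    for label, (allowed, reason) in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}: {reason}")
```

In a real deployment the identity and MFA timestamp would come from your identity provider, the compliance flag from your MDM, and every decision would be logged to the SIEM; the structure to notice is that `network` appears in the request only as audit data and never as a reason to allow, and that a sensitive resource forces a fresh MFA even for a user already logged in.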

Still confused? CyberData Pros can work with your team on an internal audit and data mapping exercise to help you better understand your company’s posture. We will then classify your data and help you put together an action plan. Contact us now for a free consultation and to learn more about our services.

Risk Controls: What Are They and Do You Have Them?

So what are Risk Controls? Put simply, they are a defined set of proactive steps or strategies that an organization uses to address risks to its business. These risks can include anything from technical and compliance concerns like data privacy and cybersecurity all the way to natural disasters and financial losses. The controls are an integral part of the larger risk management process that every business has to consider. While that process as a whole covers the identification, evaluation, prioritization, and treatment of risks, the controls answer the all-important question at the end of the day: how do we fix it? Let's take a look at the five typical classifications of risk controls (Remediation, Avoidance, Transference, Mitigation, and Acceptance) to see exactly how they answer that question, and how you might be able to use them within your own organization.

Starting off, we have Remediation. This is a control that, when implemented, eliminates most if not all of an identified risk. It is the natural strategy where a specific, fixable cause exists, such as a software vulnerability for which a patch or update is available. It is often quick, effective, and inexpensive, although a patch still needs to be tested and rolled out, and remediating one finding does not remove the risk of the next. While remediation may seem like the obvious strategy for many risks, a number of factors (legacy systems, vendor dependencies, downtime constraints) can prevent it from being viable. Another control, Avoidance, can fill some of those gaps. Rather than saying "if there is an issue, we will fix it", Risk Avoidance focuses on eliminating non-critical systems or processes entirely, so that the risk never arises at all. This strategy can offer real benefits such as cost savings and reduced organizational complexity, but like remediation it is no catch-all solution. Plenty of risks are inherent to the core of a business and are therefore unavoidable. So what can we do about those?

Mitigation, also referred to as Reduction, is the strategy for situations with inherent risk; it seeks to lessen the likelihood that the risk is realized, the impact if it is, or both. This type of control is typically most appropriate where the risk cannot be removed but steps exist that greatly diminish it. A common scenario is a known vulnerability in a critical system that is too important to take offline or replace, so the organization lowers the chance of exploitation with compensating controls such as network segmentation, restrictive firewall rules, or endpoint protection, and tracks the residual risk until remediation becomes possible.

So what if you are a small business and these strategies are too expensive or complex to implement with limited resources? Transference could be the right fit. This control passes the financial consequences of a risk to a third party, such as a service vendor or an insurance company. By using vendors for high-risk business functions like hosting or physical security, an organization can shift the operational burden of managing those risks to the vendor. In the case of insurance, the transfer materializes as recovery of the costs associated with an incident, should one occur. A caveat: transference shifts cost, not accountability. Regulators and clients will still hold you responsible for data you entrust to a vendor, so vendor due diligence and contractual security requirements remain your job.

Now, let's face it: in the real world there is not always a simple, easy, or inexpensive solution for everything. In these cases, Acceptance is the risk control that does not try to reduce the risk at all. Instead, it weighs the cost and complexity of the other controls against the cost and consequences of the risk itself. If controlling the risk would cost more than the realized risk, the most sensible decision may be to accept the risk as it stands. Typically this option is only considered when the consequences of the risk are relatively low; Acceptance is not a viable strategy for business-critical systems. Accepted risks should be documented, assigned an owner, and revisited on a schedule rather than quietly forgotten. Understanding the differences between these situations and how to apply the proper control is critical to effective risk management and governance. The modern business landscape is ever changing, which is why risk management should be a continuous, evolving part of an organization's program. By continuously monitoring and reassessing both new and previously identified risks and controls, you can rest easy knowing that your organization is managing its risks to the best of its ability.

CyberData Pros can run a risk assessment to determine your company’s risks. We will then classify them and help you put together an action plan. Contact us now for a free consultation and to learn more about our services.

Proactivity Pays – Why Wait for Clients to Request ISO 27001 or SOC 2?

In a rapidly evolving digital world, the bar for an effective security posture keeps rising. New threats emerge constantly, and new policies and controls are required to keep them at bay. Secure practices are unfailingly an expectation of clients and authorities alike, but maintaining them is growing increasingly difficult. There are already so many best practices to abide by that merely organizing and accounting for them becomes overwhelming. Given these considerations, it is no surprise that businesses around the world are increasingly looking to implement security frameworks like ISO 27001 and SOC 2.

Not only do these standards give organizations a guide to building a current and robust set of information security controls, but the resulting certification (ISO 27001) or attestation report (SOC 2) can be a tremendous asset for attracting business. There is no need to wait for a client's prompting: by adopting these frameworks early, you maximize the benefits you can reap from them. Here is a look at two of the industry's most recognized frameworks, and what implementing them can do for your organization right now.

ISO 27001

When speaking about any sort of business standards internationally, ISO is a name you will see often. ISO is the International Organization for Standardization, and ISO/IEC 27001 (published jointly with the International Electrotechnical Commission) is its standard for Information Security Management Systems (ISMS). It sets out the requirements an organization must meet when building and maintaining an ISMS, with a catalogue of controls in its Annex A, and an accredited certification body can certify the organization after an audit. ISO 27001 certifications are coveted across the globe, with ISO's latest survey showing a global 24.7% increase in active certificates over 2020 alone. If you are looking to build or reinforce your ISMS, operate internationally, or need to evidence your security measures to clients and regulators in GDPR jurisdictions, look to ISO 27001.

SOC 2

Narrowing the scope to North American operations, SOC 2 serves as a substantial boon for strengthening controls. It is defined by the American Institute of Certified Public Accountants (AICPA), and a SOC 2 report is an independent CPA firm's attestation on an organization's controls against five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Of these, only Security is required in scope for every SOC 2 report; the others are included as they apply to the services you provide, which leaves the process flexible and lets you choose which additional controls to demonstrate. If you want to reinforce your operational controls and prove your compliance to customers in your industry, consider SOC 2.

What Compliance Can Do for You

With a better understanding of what these frameworks are, you might wonder what pursuing one would do for your business. Compliance is great, but why not just wait until someone asks for it? Well, for starters, you may be too late at that point. From preparation to attestation, SOC 2 typically takes more than three months, and a Type 2 report, the one most clients ask for, covers an observation period (commonly three to twelve months) during which the controls must be shown to operate as designed, unlike a Type 1 report, which only describes controls at a point in time; ISO 27001 often takes north of nine months to a year to attain. Beyond that, simply preparing for and holding these frameworks generates value for your business in a myriad of ways. Here are some to consider:

  • Attract clients with well-regarded attestations, stand out from competitors and win more business.
  • Bolster your security posture to exacting modern standards, reducing your risk of costly incidents, fines, and breaches.
  • Create an efficient information security structure that streamlines workflows and can scale with your growth.
  • Demonstrate a consciousness toward data privacy and security, boosting your organization’s reputation.

The benefits outlined above can be seen not just after receiving attestation for the standards, but begin to form as soon as progress towards the criteria begins. Building and refining better frameworks and controls is a gradual process, but you will undoubtedly benefit from the improvements made along the way. By beginning your ISO 27001 or SOC 2 process now, you will not only find yourself far better equipped to withstand threats to your business, but more attractive to prospective partners and clients.

Let CyberData Pros help you understand where your data sits, access control, and how to protect that data. Contact us now for a free consultation and to learn more about our services.
