When Implementing Zero Trust, Context Is Everything
By Aarti Borkar | 4 minute read
Context is an essential element in everything we do. Context is what helps us make decisions. Imagine you’re sitting outside having lunch and you hear a loud rumbling. You may ask yourself, “Was that just a loud truck driving by or an approaching storm?” You look up and see dark clouds. Still could be a truck. Then the wind starts to blow and the rain begins and you know it’s time to seek shelter. The combination of information provides the context required to make a decision.
It’s the same in business. Say a device is trying to access financial data on your network. You need context to know if this is an employee or a threat. The device belongs to an employee based in the U.S., but it’s connecting from Japan. Authentication controls and identity governance provide information to prove that employee is legitimate. Device management confirms that the laptop the employee is using has the latest security updates. Data security provides additional information about who can access financial resources. Network microsegmentation limits this employee’s use to these types of resources.
All of these security disciplines provide different information to (securely) connect that employee with the data they need to do their job. So why, with all these layers of protection, are we still experiencing expensive breaches?
Individually, each of these disciplines provides valuable information about what is happening. However, this information on its own is not enough to verify the legitimacy of this request or make a decision regarding access.
It’s important to note here the differences between information and context. While reliant on one another, information and context are not synonymous. Information provides data points that are essential for decision-making, but without context, information is essentially meaningless. Context is your measuring stick.
Consider our example above about the employee trying to access financial data on the network. Information provides details about the device, the user and the data they are accessing. However, what’s missing is whether that employee should have access to that specific data, from that particular device or location. What’s missing is context. Without it, we have an incomplete picture of risk, which means different teams may interpret and respond to this request differently.
Again, taken individually, much of the information required to drive decisions is already in place with the various disciplines. Data security and identity controls, for example, will take into account the employee’s role and location before granting access. Device management will provide context on whether or not that employee’s systems are secure. The network security team may have created microsegments or perimeters around specific data for employees. However, the rules for what’s accepted or not are different for each group.
So the problem isn’t a lack of information; it’s a lack of context. Put another way, information from individual security disciplines needs to be shared in order to generate the right context for making important decisions about which users, data and resources should be connected. Security disciplines operating in silos is not a new concept. However, as business evolves — as we are seeing in response to the current pandemic — the challenges of siloed security manifest in new ways.
In the current business environment, there are multiple types of users with different goals and needs accessing resources. Employees are logging in from laptops where they control the security updates. External users such as suppliers and partners need access to site resources such as food service systems, HVAC applications or inventory databases. Even customers and clients require some level of access to corporate information.
It’s a lot of resources to manage and a lot of connections to verify. To make it even more complex, the move to a hybrid, multicloud infrastructure means those resources can be scattered throughout multiple IT environments with varying levels of visibility and control.
Trying to juggle the information needed to securely connect all of these users, data and resources is difficult to do well, which ties into why many organizations are considering adopting a Zero Trust strategy. A Zero Trust strategy can help organizations manage the risks of this disconnected business environment, allowing users just enough access to the appropriate resources. While this is a great strategy, putting it into practice means organizations need to be clear on what the conditions are and apply them consistently across the business. This requires context.
Sharing context between security silos is the bedrock of a successful Zero Trust implementation. Defining context — or in other words, setting context-based policies that reach across all security disciplines — is a critical first step to a Zero Trust strategy. Without establishing this baseline for making decisions, the same rules could be interpreted differently by each security department within the business. This misalignment could introduce friction and open the door for risk into the business. Not to mention, lacking clear-cut rules and context can make it even harder to leverage automation and artificial intelligence (AI) to enhance your security program — but that’s a topic for my next blog.
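As an added example (not code from the post or its author), here is what a shared, context-based policy of the kind described above could look like as a single decision function that consumes one signal from each discipline and returns one decision plus its reasons. The user name, roles, countries and segment labels are constructed for illustration; the scenario function reproduces the post's U.S.-based employee connecting from Japan.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class AccessRequest:
    """One access attempt, carrying a signal from each discipline the post names."""
    user: str
    role: str                  # identity governance
    home_country: str          # identity governance
    login_country: str         # authentication controls
    mfa_verified: bool         # authentication controls
    device_managed: bool       # device management
    device_patched: bool       # device management
    resource_class: str        # data security classification
    resource_segment: str      # network microsegmentation
    user_segments: set[str] = field(default_factory=set)

# Constructed policy: which roles may touch which data classes (assumed values).
ROLE_ENTITLEMENTS = {"finance-analyst": {"financial"}, "supplier": {"inventory"}}

def evaluate_access(req: AccessRequest) -> tuple[str, list[str]]:
    """Return (decision, reasons): DENY, STEP_UP or ALLOW from the combined signals."""
    reasons = []
    # Data security: the role must be entitled to this data class at all.
    if req.resource_class not in ROLE_ENTITLEMENTS.get(req.role, set()):
        reasons.append(f"role {req.role} is not entitled to {req.resource_class} data")
    # Device management: an unmanaged or unpatched endpoint is a hard stop.
    if not (req.device_managed and req.device_patched):
        reasons.append("device is unmanaged or missing security updates")
    # Network microsegmentation: the resource must sit in a segment this user is mapped to.
    if req.resource_segment not in req.user_segments:
        reasons.append(f"segment {req.resource_segment} is not open to {req.user}")
    if reasons:
        return "DENY", reasons
    # Identity and authentication read together: a location mismatch alone is information;
    # combined with passing role and device checks it becomes context for a step-up.
    if req.login_country != req.home_country and not req.mfa_verified:
        return "STEP_UP", ["login country differs from home country; MFA required"]
    return "ALLOW", ["all discipline signals consistent with policy"]

def post_scenario(mfa_verified: bool = False) -> tuple[str, list[str]]:
    """The post's example: a U.S.-based employee connecting from Japan (constructed data)."""
    return evaluate_access(AccessRequest(
        user="alice", role="finance-analyst", home_country="US", login_country="JP",
        mfa_verified=mfa_verified, device_managed=True, device_patched=True,
        resource_class="financial", resource_segment="finance-db",
        user_segments={"finance-db", "corp-apps"}))
```

Run on its own, `post_scenario()` yields a step-up until MFA completes and `post_scenario(True)` an allow, while every reason for a denial is collected rather than stopping at the first silo that objects.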
For now, I’ll leave you with this: A Zero Trust strategy offers a model and plan for securely connecting the right users to the right data at the right time under the right conditions. But context is key.