
Linked – Why companies need to implement a ‘zero trust’ approach to their cybersecurity model

This is not as easy as he makes it sound:

And then lastly is learning from all these three elements – the user, the device, the least privilege, and adapting your policies. So it’s a constant learning and adapting, changing the policies. For instance, if Jane never executes certain commands on a Unix machine, let’s dial down the policies so she can never run them. If Bill never accesses certain reports on Salesforce.com, let’s dial them down as well. So it’s really a concept of least privilege.
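The "learn from usage, then dial down" loop described above, as an added illustration that is not part of the linked article or the post: it compares what each user is allowed to do with what the audit trail shows they actually did inside a review window, and proposes which grants to keep and which to revoke. The log lines, grant sets, user names and resource names are all constructed sample data.

```python
# Usage-driven least-privilege review (added example; constructed data, not a real tool).
# Grants a user holds but never exercised within the window become revoke candidates.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit trail: "timestamp user resource" (resource = Unix command or report name).
AUDIT_LOG = """\
2024-05-01T09:12:00 jane systemctl
2024-05-03T14:02:11 jane journalctl
2024-05-20T08:45:30 jane systemctl
2024-04-02T10:00:00 bill report:quarterly-revenue
2024-05-11T16:20:05 bill report:pipeline
"""

# Constructed current grants per user (what policy permits today).
GRANTS = {
    "jane": {"systemctl", "journalctl", "useradd", "passwd"},
    "bill": {"report:quarterly-revenue", "report:pipeline", "report:payroll"},
}

def parse_log(text):
    """Yield (timestamp, user, resource) tuples from the audit trail."""
    for line in text.splitlines():
        ts, user, resource = line.split(" ", 2)
        yield datetime.fromisoformat(ts), user, resource

def observed_usage(log_text, now_iso, window_days):
    """Map user -> set of resources actually used within the last window_days."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=window_days)
    used = defaultdict(set)
    for ts, user, resource in parse_log(log_text):
        if ts >= cutoff:
            used[user].add(resource)
    return used

def propose_tightening(grants, used):
    """Return {user: {"keep": set, "revoke": set}}; unused grants are revoke candidates."""
    proposal = {}
    for user, allowed in grants.items():
        active = allowed & used.get(user, set())
        proposal[user] = {"keep": active, "revoke": allowed - active}
    return proposal

if __name__ == "__main__":
    used = observed_usage(AUDIT_LOG, "2024-06-01T00:00:00", window_days=45)
    for user, p in propose_tightening(GRANTS, used).items():
        print(f"{user}: keep={sorted(p['keep'])} revoke={sorted(p['revoke'])}")
```

With a 45-day window Bill's quarterly report shows up as a revoke candidate even though he legitimately needs it every quarter; widening the window to 90 days keeps it, which is exactly the kind of judgement call that makes this harder than it sounds.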

The concept of least privilege is the best security measure there is, I totally agree with that. Stolen credentials are the leading cause of breaches, and the less anyone has access to, the less damage a single compromised account can do. But it’s also a pain in the ass. Things change, and what people need access to changes, all the time. Users don’t see this as a proper security measure; they see it as not having access to things they might need at any given time, and then having to wait for a process to complete before they can do the thing they’ve never had to do before.

In a law firm, for example, where you have a bunch of “owners” who are not exactly known for their patience, this becomes a source of great tension between those owners and the IT department. The security team becomes an obstacle to doing what the lawyers want to do, but that isn’t because the security team is being difficult; it’s because getting access to something new should be a bit of a chore. There should be a valid reason for a user to be granted access to something beyond what they normally have. If there isn’t, then stealing a credential, logging in as that user, and escalating their rights via the access-request process would be too easy.

That’s not very good security. Good security puts up roadblocks to that sort of thing, and users need to be educated about that reality instead of being angry that they have to jump through hoops.

The hoops are there for a reason.

https://www.techrepublic.com/article/why-companies-need-to-implement-a-zero-trust-approach-to-their-cybersecurity-model/
