Mark Lomas speaking about Zero-Trust Trust No One, Trust Nothing. Managing and Mitigating Risk in a Post-GDPR World at Midlands Cyber Security Expo 2019 #midscybersecurity19
9. Devices
• Establish a Compliance Baseline
• Refine it for different scenarios (trusted, untrusted, etc.)
• Automate the response to ‘degraded’ devices
• Integrate the command & control with other aspects of your IT security (e.g. Conditional Access)
10. Users & Applications
• Identity Management
• Two-/Multi-Factor Authentication, and Single Sign-On
  • Especially important for cloud applications
• Provide the easiest possible access to applications
  • Convenience reduces the likelihood of shadow IT
11. Data
• Don’t just focus on securing the infrastructure
• Secure your data too
• Look for data security that ‘sticks’ to the data
  • Information Protection
  • Data Leakage Prevention
Previous versions:
I would highlight the importance of cyber
Anyone can be a target (no matter how small)
I’d talk about a few examples
Ransomware
Phishing
I’d talk about the changing threat landscape
The threat landscape changes
Our way of working changes
Using new devices
Smartphones
Tablets
Macs .. Chromebooks?
Software is changing too
Pervasive connectivity means software & data everywhere
Users need access from multiple locations
We see the rise of the ‘digital workspace’
No longer tied to an office, the office is wherever you have access to tech
In the past, the perimeter defined a ‘safe zone’
(vs the Internet, which is ‘unsafe’)
Inside your network, your devices were secure, and trusted
Anti-Malware protected the devices
Nothing got past your firewall
So all is safe
But as times have changed, our perimeter has become less defined
Users are coming in & out with devices
BYOD
Malware that people might click on that could get past the firewall
It’s not so clear cut.
Plus – people, devices and data can be anywhere
Users working mobile aren’t protected by a corporate perimeter.
Infrastructure is increasingly decentralised (cloud, SaaS)
This brings us to the concept of ‘Zero Trust’
The idea here is not to assume safety
Assume that each individual device has a risk profile
That risk profile must be managed
We also have to manage the risk profile of the user too.
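As an added illustration of the device and user risk profiles described above, together with the compliance baseline, scenario refinement and automated response from slide 9, here is a small evaluator that turns those ideas into an access decision. It is example code written for this page, not material from the talk or from any product; the check names, risk thresholds and device records are constructed assumptions.

```python
# Added example (not from the talk): combine a device compliance baseline
# with a coarse user risk profile to produce an automated access response.
# Check names, thresholds and sample devices below are constructed.
from dataclasses import dataclass, field

# Baseline every device must meet, refined per scenario: devices on an
# untrusted network must also pass the extra checks.
BASELINE = {"disk_encrypted", "av_current", "os_patched"}
SCENARIO_EXTRA = {"trusted": set(), "untrusted": {"screen_lock", "firewall_on"}}


@dataclass
class Device:
    name: str
    network: str                          # "trusted" or "untrusted"
    passed: set = field(default_factory=set)  # checks the device has passed


def device_state(dev: Device) -> tuple:
    """Return ("compliant" | "degraded", failing_checks) for a device."""
    required = BASELINE | SCENARIO_EXTRA[dev.network]
    failing = required - dev.passed
    return ("degraded" if failing else "compliant"), failing


def user_risk(mfa_enrolled: bool, recent_failed_logins: int) -> str:
    """Coarse user risk profile from MFA enrolment and failed-login pressure."""
    if not mfa_enrolled or recent_failed_logins >= 5:
        return "high"
    return "medium" if recent_failed_logins >= 2 else "low"


def access_decision(dev: Device, mfa_enrolled: bool, failed_logins: int) -> dict:
    """Automated response in the style of a conditional-access rule:
    degraded device plus high-risk user is blocked, a degraded device gets
    limited access, a non-low-risk user must step up with MFA, else allow."""
    state, failing = device_state(dev)
    risk = user_risk(mfa_enrolled, failed_logins)
    if state == "degraded" and risk == "high":
        action = "block"
    elif state == "degraded":
        action = "limited_access"   # e.g. browser-only, no data download
    elif risk != "low":
        action = "require_mfa"
    else:
        action = "allow"
    return {"device": dev.name, "state": state, "failing": sorted(failing),
            "user_risk": risk, "action": action}


if __name__ == "__main__":
    laptop = Device("laptop-01", "untrusted", {"disk_encrypted", "av_current", "os_patched"})
    print(access_decision(laptop, mfa_enrolled=True, failed_logins=0))
```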