Companies today go to greats lengths to meet compliance mandates like SOC 2, ISO-27001, HIPAA and more. They do this to achieve a competitive advantage and also to ensure security. Compliance is undeniably important for the business; however, a compliance report alone is not enough to ensure your organization is protected from cyber attacks. Moreover, in today’s rapidly changing business environment, compliance is not even enough to stay ahead of the competition. In this blog post, we examine how both security and compliance can be achieved with zero trust, in a relatively uncomplicated manner.
This blog post is based on the recent webinar “Compliance is Tough. Zero Trust Can Make It Easier,” which featured special guest AJ Yawn, co-founder and CEO of ByteChek.
Compliance is the act of following industry rules, regulations and standards, which are determined most often by governmental organizations. By achieving compliance, businesses signal to other players in the industry that they are trustworthy and are taking action to avoid damaging incidents like fraud, cyber attacks and other unacceptable behaviour.
In cybersecurity, compliance measures like SOC 2 and HIPAA are intended to ensure data privacy and security by mitigating the risks of data breaches.
Access control is the management and maintenance of permissions to enter and use resources. All compliance cybersecurity frameworks, from SOC 2 to ISO to HIPAA, include aspects of access control. They all need to ensure that the users who are performing activities in a certain environment, are the ones who are supposed to be doing them, and from the places they should be doing them from.
Organizations that want to ensure they are compliant therefore need to solve the problem of access control. But somewhat paradoxically, access control is the most challenging aspect of compliance. This is because it is difficult for organizations to understand who is accessing which resources and to ensure the protection of that access.
Modern cloud architecture and technological environments have made access control even more difficult to secure, because of the distribution of network entry points and the dissolution of the perimeter. The transition to remote work, accelerated by the pandemic, has only added to this problem. Gone are the days when everyone showed up to the office to work, and the logical environment was also the physical one.
In a zero trust approach, organizations shift to a model of continuous authorization. In such a model, policies are not enforced at the network perimeter. Rather, zero trust never assumes inherent trust based on a user, their identity, the device that they're logging in from, or most importantly, the network that they're on. Layer 7 trust is ensured in front of each application and in front of each resource that users are trying to access.
The zero trust approach is based on real, modern types of attacks. Hackers might access networks through VPNs or vulnerable endpoints and then stay in the network for months until they find the keys to the kingdom. But in zero trust security, the network perimeter is irrelevant. Instead, identity is the new perimeter, and permissions are provided based on authorization of that identity, each and every time they access a network app or asset. Thus, risk mitigation is assured.
It’s easy to see how zero trust solves the problem of secure access to the workforce, even when people are working from home with changing IPs. This even includes developers, who need to reach the production environment remotely. Zero trust will authorize identities and impose controls on sessions accordingly. For example, by validating that users are allowed to copy files, use port forwarding, operate at the SSH protocol level, etc.
When shifting to the zero trust model, compliance ultimately solves itself. Zero trust answers the question of how to deal with access management and secure access. Here at Cyolo, implementing our own zero trust solution – or eating our own dog food, if you will – helped us achieve SOC 2 compliance.
With zero trust we are able to:
Implement all access controls
Access our own production environment securely
Monitor our actions through an audit trail
Implement PAM and supervised access
Give every employee the access they need, and nothing more
When implementing controls to achieve compliance, it’s important to remember that being compliant does not inherently make you secure. However, companies that focus on security - will be compliant. Therefore, we highly recommend looking ahead at security and building a plan for implementing zero trust.
The harbinger of the importance of zero trust for security (even though it is not required for compliance yet) is US President Biden's recent Cybersecurity Executive Order. The order requires federal agencies to implement a zero trust approach. In the long run, this will require organizations that do business with such agencies to implement zero trust as well. Instead of waiting for an official mandate and then scrambling to catch up, it’s preferable to begin the journey now. This will allow you to be prepared when zero trust becomes the required baseline.
By implementing zero trust now, organizations can turn security into a competitive differentiator. Having a compliance report is not enough to stand out from competitors. But, showing customers how the controls are addressed, e.g. by turning on multi-factor authentication (MFA) for all actions, demonstrates security superiority compared to other companies in your field.
Zero trust helps reduce risk by addressing all access control requirements, including privileged access management (PAM), in a better and more secure way than compliance regulations require. This is done by continuously authorizing users and identities when they access network assets and resources.
Zero trust also provides visibility and traceability into what users are doing within their application sessions. Being able to see who did what, where, and when, including a video session recording, provides a valuable audit trail that can be used for real-time session monitoring as well as investigation in the case of an attack.
This monitoring capability also provides the ability to implement supervised access, i.e granting a less trusted user temporary access to a highly privileged application. In the case of a third party or lower level employee, supervised access can be activated, and the manager can even monitor the session.
Implementing zero trust might sound overwhelming or even scary, especially for your end users. To ensure that it isn't, it’s critical to ensure that your chosen solution accommodates the way your users are used to working. This can be achieved in two ways.
First, the zero trust security layer should be transparent to employees. Instead of imposing a new workflow or bulky login process, the solution needs to run smoothly in the background. Preferably, users would not even know there is a zero trust connectivity layer in place.
Second, policy management should be simplified. That’s why, in Cyolo we offer a transition model. In this model, organizations use Cyolo for a specific use case for a few weeks. When we learn the actions they take and the habits of employees, we can suggest an ideal policy. The policy is built in a way that enables the admin to fix it on the fly, if needed. Then Cyolo can be expanded to accommodate more and more use cases.
Zero trust is a journey. By implementing zero trust, companies like yours can dramatically reduce the level of effort, cost, time and energy it takes to get compliant. In addition, they are positioning themselves as a forward-looking, secure organization that is able to mitigate modern risks in the most advanced way possible. Implement zero trust today, to simplify your path to both compliance and security.
To learn more about the relationship between compliance and zero trust, watch this on-demand webinar or schedule a demo with a Cyolo expert.
Author
Jennifer Tullman-Botzer is a cybersecurity nerd by day and a history nerd by night. She has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. Jennifer joined Cyolo in 2021 and currently serves as Head of Content. Prior to Cyolo, she worked in a variety of marketing roles at IBM Security. She lives in Tel Aviv, Israel.