AWS CISO urges companies to adopt a zero-trust security approach

Steve Schmidt outlines how his entire security strategy is based around the zero-trust philosophy

Organisations should embrace the philosophy and principles of zero-trust security to keep up to date with modern demands and security threats, AWS’ chief information security officer (CISO) Steve Schmidt has urged.

Adopting the core tenets of a zero-trust philosophy, including accessibility and usability, and ensuring you’re focusing on the core fundamentals of security, will ensure businesses can eliminate needless risks in their IT estates.

Doing so, however, isn’t as straightforward as businesses may hope, according to Schmidt. This is because the term ‘zero-trust’ can mean different things in different contexts, with this ambiguity the product of a diversity of use cases to which it applies.

“Zero-trust is, to me, a set of mechanisms that focus on providing security controls around digital access and assets while not solely depending on traditional network controls or network perimeters,” he explained, speaking at AWS re:Invent 2020. 

“In other words, we aren’t going to trust a user based only on their location within a traditional network. Instead, we want to augment network-centric models with additional techniques, which we would describe as identity-centric controls.”

An example of one such use case that he provided was human-to-application security, which is particularly relevant given the surge in people working from home in 2020. Traditionally, applications sat behind a virtual private network (VPN) front door, but these aren’t compatible with the diversity of devices that workers use to access work-related services. Applying zero-trust principles generates the objective to make the locks on applications effective enough that you can eliminate a VPN-based front door altogether.

Zero-trust principles have become far more popular across the industry of late, with a number of companies quick to adopt and promote this philosophy either as part of their own strategies or in their products. 

BlackBerry, for example, announced Persona Desktop in October, a security platform that uses artificial intelligence (AI) and machine learning to detect user and entity behaviour abnormalities. Persona Desktop works at the endpoint, and eliminates the need to share data back to the cloud before the system acts, and also aims to protect against stolen credentials, insider threats, and physical compromise.

Related Resource

Securing a remote workforce with a zero-trust strategy

Why zero-trust is the latest foundational cyber security construct for the modern workplace

Download now

Google, too, launched a zero-trust remote access service known as BeyondCorp Remote Access earlier this year that’s designed to give remote teams access to their internal applications without the need for a VPN.

As part of Schmidt’s outline of AWS’ security strategy, he also proposed a set of questions that businesses and IT administrators should ask about their organisation’s security configuration. Elements such as where the perimeter is, and how large it is, as well as how easy it might be to monitor and audit, should be considered. 

Schmidt also, by way of example, suggested that while VPNs are fine to use for network isolation, it would be best to make the implementation dynamic and hidden from the user experience. This might lead to users not even noticing that network boundaries are being created and torn down as required.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

How LogPoint uses MITRE ATT&CK
Whitepaper

How LogPoint uses MITRE ATT&CK

15 Jan 2021
Weekly threat roundup: Microsoft Defender, Adobe, Mimecast
vulnerability

Weekly threat roundup: Microsoft Defender, Adobe, Mimecast

14 Jan 2021
Mimecast admits hackers accessed users’ Microsoft accounts
Security

Mimecast admits hackers accessed users’ Microsoft accounts

13 Jan 2021
What is public key infrastructure (PKI)?
Security

What is public key infrastructure (PKI)?

12 Jan 2021

Most Popular

IT retailer faces €10.4m GDPR fine for employee surveillance
General Data Protection Regulation (GDPR)

IT retailer faces €10.4m GDPR fine for employee surveillance

18 Jan 2021
Citrix buys Slack competitor Wrike in record $2.25bn deal
collaboration

Citrix buys Slack competitor Wrike in record $2.25bn deal

19 Jan 2021
Should IT departments call time on WhatsApp?
communications

Should IT departments call time on WhatsApp?

15 Jan 2021