AWS CISO urges companies to adopt a zero-trust security approach

Steve Schmidt outlines how his entire security strategy is based around the zero-trust philosophy

Organisations should embrace the philosophy and principles of zero-trust security to keep up to date with modern demands and security threats, AWS’ chief information security officer (CISO) Steve Schmidt has urged.

Adopting the core tenets of a zero-trust philosophy, including accessibility and usability, and ensuring you’re focusing on the core fundamentals of security, will ensure businesses can eliminate needless risks in their IT estates.

Doing so, however, isn’t as straightforward as businesses may hope, according to Schmidt. This is because the term ‘zero-trust’ can mean different things in different contexts, with this ambiguity the product of a diversity of use cases to which it applies.

“Zero-trust is, to me, a set of mechanisms that focus on providing security controls around digital access and assets while not solely depending on traditional network controls or network perimeters,” he explained, speaking at AWS re:Invent 2020. 

“In other words, we aren’t going to trust a user based only on their location within a traditional network. Instead, we want to augment network-centric models with additional techniques, which we would describe as identity-centric controls.”

An example of one such use case that he provided was human-to-application security, which is particularly relevant given the surge in people working from home in 2020. Traditionally, applications sat behind a virtual private network (VPN) front door, but these aren’t compatible with the diversity of devices that workers use to access work-related services. Applying zero-trust principles generates the objective to make the locks on applications effective enough that you can eliminate a VPN-based front door altogether.

Zero-trust principles have become far more popular across the industry of late, with a number of companies quick to adopt and promote this philosophy either as part of their own strategies or in their products. 

BlackBerry, for example, announced Persona Desktop in October, a security platform that uses artificial intelligence (AI) and machine learning to detect user and entity behaviour abnormalities. Persona Desktop works at the endpoint, and eliminates the need to share data back to the cloud before the system acts, and also aims to protect against stolen credentials, insider threats, and physical compromise.

Related Resource

Securing a remote workforce with a zero-trust strategy

Why zero-trust is the latest foundational cyber security construct for the modern workplace

Download now

Google, too, launched a zero-trust remote access service known as BeyondCorp Remote Access earlier this year that’s designed to give remote teams access to their internal applications without the need for a VPN.

As part of Schmidt’s outline of AWS’ security strategy, he also proposed a set of questions that businesses and IT administrators should ask about their organisation’s security configuration. Elements such as where the perimeter is, and how large it is, as well as how easy it might be to monitor and audit, should be considered. 

Schmidt also, by way of example, suggested that while VPNs are fine to use for network isolation, it would be best to make the implementation dynamic and hidden from the user experience. This might lead to users not even noticing that network boundaries are being created and torn down as required.

Featured Resources

Next-generation time series: Forecasting for the real world, not the ideal world

Solve time series problems with AI

Free download

The future of productivity

Driving your business forward with Microsoft Office 365

Free download

How to plan for endpoint security against ever-evolving cyber threats

Safeguard your devices, data, and reputation

Free download

A quantitative comparison of UPS monitoring and servicing approaches across edge environments

Effective UPS fleet management

Free download

Recommended

Ransomware hit industrial sector the hardest in the third quarter
ransomware

Ransomware hit industrial sector the hardest in the third quarter

25 Oct 2021
Tesco services knocked offline after suspected cyber attack
hacking

Tesco services knocked offline after suspected cyber attack

25 Oct 2021
Microsoft touts new cyber security help for nonprofits
cyber security

Microsoft touts new cyber security help for nonprofits

22 Oct 2021
Ofcom report reveals alarming uptick in smishing attacks
scams

Ofcom report reveals alarming uptick in smishing attacks

22 Oct 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Royal Mint to recover gold from smartphones and laptops in world first
Technology

Royal Mint to recover gold from smartphones and laptops in world first

21 Oct 2021