AWS CISO urges companies to adopt a zero-trust security approach

Steve Schmidt outlines how his entire security strategy is based around the zero-trust philosophy

Organisations should embrace the philosophy and principles of zero-trust security to keep up to date with modern demands and security threats, AWS’ chief information security officer (CISO) Steve Schmidt has urged.

Adopting the core tenets of a zero-trust philosophy, including accessibility and usability, and ensuring you’re focusing on the core fundamentals of security, will ensure businesses can eliminate needless risks in their IT estates.

Doing so, however, isn’t as straightforward as businesses may hope, according to Schmidt. This is because the term ‘zero-trust’ can mean different things in different contexts, with this ambiguity the product of a diversity of use cases to which it applies.

“Zero-trust is, to me, a set of mechanisms that focus on providing security controls around digital access and assets while not solely depending on traditional network controls or network perimeters,” he explained, speaking at AWS re:Invent 2020. 

“In other words, we aren’t going to trust a user based only on their location within a traditional network. Instead, we want to augment network-centric models with additional techniques, which we would describe as identity-centric controls.”

An example of one such use case that he provided was human-to-application security, which is particularly relevant given the surge in people working from home in 2020. Traditionally, applications sat behind a virtual private network (VPN) front door, but these aren’t compatible with the diversity of devices that workers use to access work-related services. Applying zero-trust principles generates the objective to make the locks on applications effective enough that you can eliminate a VPN-based front door altogether.

Zero-trust principles have become far more popular across the industry of late, with a number of companies quick to adopt and promote this philosophy either as part of their own strategies or in their products. 

BlackBerry, for example, announced Persona Desktop in October, a security platform that uses artificial intelligence (AI) and machine learning to detect user and entity behaviour abnormalities. Persona Desktop works at the endpoint, and eliminates the need to share data back to the cloud before the system acts, and also aims to protect against stolen credentials, insider threats, and physical compromise.

Related Resource

Securing a remote workforce with a zero-trust strategy

Why zero-trust is the latest foundational cyber security construct for the modern workplace

Download now

Google, too, launched a zero-trust remote access service known as BeyondCorp Remote Access earlier this year that’s designed to give remote teams access to their internal applications without the need for a VPN.

As part of Schmidt’s outline of AWS’ security strategy, he also proposed a set of questions that businesses and IT administrators should ask about their organisation’s security configuration. Elements such as where the perimeter is, and how large it is, as well as how easy it might be to monitor and audit, should be considered. 

Schmidt also, by way of example, suggested that while VPNs are fine to use for network isolation, it would be best to make the implementation dynamic and hidden from the user experience. This might lead to users not even noticing that network boundaries are being created and torn down as required.

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now

Recommended

Botnet targets vulnerable Microsoft Exchange servers
botnets

Botnet targets vulnerable Microsoft Exchange servers

23 Apr 2021
A guide to cyber security certification and training
Careers & training

A guide to cyber security certification and training

22 Apr 2021
What is hacktivism?
hacking

What is hacktivism?

22 Apr 2021
Geico data breach leads to stolen driver’s license numbers
data breaches

Geico data breach leads to stolen driver’s license numbers

21 Apr 2021

Most Popular

REvil threatens to release Apple’s hardware schematics
ransomware

REvil threatens to release Apple’s hardware schematics

21 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
Samsung Galaxy S21 Ultra review: Ultra in every sense of the word
Mobile Phones

Samsung Galaxy S21 Ultra review: Ultra in every sense of the word

22 Apr 2021