A CISO’s Perspective on Zero Trust - From Theory to Practice
Kicking off Tufinnovate Day 2, we heard from Tufin CISO Eitan Satmary and Director of Product Marketing Sigalit Kaidar discussing a topic that is on all our minds these days: Zero Trust.
The Zero Trust model recommends that we shift security from a perimeter-based model to a model that is based on continuous verification of trust. This model assumes that a network has already been breached.
Common questions that Eitan is asked about Zero Trust:
- “As a CISO, how does the Zero Trust framework help me?”
- “How do I translate Zero Trust principles into practice?”
Since these questions come up so often, Eitan has developed a five-step method for implementing Zero Trust into your network.
Identify your sensitive assets. This includes anything that can cause massive damage to your organization. The definition of “sensitive data” may differ depending on who you ask. The CRO may have a different definition than the CFO, for example. According to Eitan, “it’s about what can kill you versus what can harm you.”
Map the main business flows of your sensitive assets. This is a complex process that includes identifying all the assets in the network and figuring out how they communicate. Luckily, Tufin users can easily gain complete visibility and accurate topology modeling.
Build the Zero Trust architecture. In this step, you want to assess current rules and detect misconfigured, unused, redundant, or shadowed rules.
Create the Zero Trust policies using Tufin. Ensure only the right people or resources have the right access to the right data and services across the hybrid environment.
Continuously monitor and maintain a Zero Trust environment. It’s critical to keep the rule base up to date. With near-constant changes on the network, this task is impossible to manage without automation. This enables users to revisit rules regularly to update and remove as necessary.
Check out Eitan’s recent blog post Steering Towards a Zero Trust Model: A 5-Step Approach for more in-depth information.
The Technical and Political Challenges of Election Security by Kim Zetter
Giving the keynote this year, Kim Zetter is an award-winning investigative journalist. She began her talk discussing the history of election security and what brought us to where we are today.
Kim outlines several examples of voting machine malfunction throughout the last decade, including the 2012 Presidential Election, during which voters in one precinct using touch screen voting machines began complaining that their votes for one candidate were being given to the opposing candidate, as well as similar issues in 2016 and 2018 in different elections.
Prior to issues being raised during actual elections, Kim details research that was conducted on a digital voting machine in which researchers found the first flaw within 30 minutes. Rather than resolving the problem, however, election officials not only dismissed the report but continued on a buying spree of these particular machines.
Kim then discusses what she calls “the myth of the disconnected voting machine” – the belief that voting machines can’t be hacked because they aren’t connected to the internet. This is simply not true. At the end of elections, final votes are transmitted via a modem connected to a cell tower into the election management system. The problem here is that someone can intercept the traffic into the modem and gain access to the machine. If you can get into the machine, you can get the encryption key and interfere with the official results.
In 2018, two things happened: election officials finally began to recognize that electronic voting machines aren’t secure and yet they began to explore the possibility of using internet voting instead.
What does that mean for the state of election security?
Kim argues that we’re headed right back to the voting machine malfunctions we saw in 2012.
Tufin Roadmap - 2nd Half 2021 and Beyond by Tufin VP of Products Ofer Or
Kicking off his session, Ofer outlined the technology trends we saw in the last year, with the pandemic impacting these trends in a big way.
The need for security automation grew. Organizations needed to rapidly move to remote work and make nearly everything available online. Combine this need with challenges like the cybersecurity skills gap and the need to do more with less, organizations began to adopt security automation at a rapid rate.
Perimeter security is dead. Because most users and assets are now outside the walls of the organization, they need to rethink their approach to traditional security controls. Ofer discussed the rise of the cybersecurity mesh – a model of security that is needed now that organizations must enable everything to securely access any digital assets while providing a high level of security.
Risk. The last year saw some of the most sophisticated cybersecurity breaches ever. This raised many questions about how to measure risk and the fact that organizations always need to think about the unknown based on what we know right now.
Cloud. The move to the cloud accelerated during the pandemic because of its many benefits such as increased agility and business resilience. Because of the pandemic, everything shifted to online or a hybrid model, and this would not have been possible without the cloud.
Ofer then talked about a few products that are in the pipeline for the remainder of 2021. We have to keep that top secret for now but stay tuned for exciting developments.
As we close out Tufinnovate Americas 2021, we want to say a big thanks to our sponsors VMware, Fortinet, EfficientIP, Cisco and Palo Alto Networks.
Thank you to all our customers, partners, and prospects for attending!