As the world emerges from the pandemic, and many companies transition to a hybrid workforce model with large percentages of remote employees, a zero trust security model will hinge on effective management of the array of personal devices accessing the corporate network.
Specifically, organizations need to provide employees tools to serve up the information they need from personal devices like phones and tablets, without compromising the network or personal or corporate data, Aetna and Mass Mutual’s former security chief Jim Routh said during an interview with SC Media Editor in Chief Jill Aitoro.
“That’s essentially what zero trust means for an enterprise... layers of control requirements that are necessary across different channels to offer the right level of protection for the channel that’s chosen at that point in time,” he said. “And that’s a really comprehensive set of controls that need to be established across the enterprise with complete flexibility for people on how they’re using what technology components at what time.”
Authentication is a key component for this approach to function, both as part of the zero-trust model and as part of the identity and access management framework. But using user ID and password credentials to check that box will not suffice, Routh noted, as threat actors can exploit a system by taking over a trusted account. Instead, behavioral attributes of technology can be used to decide whether a set of events matches a pattern of behavior across multiple attributes.
“It requires a more mature approach to authentication to be able to give resources to any person at any time, from any geography through any channel.”
“Mathematically representing these as algorithms and comparing algorithms to algorithms gives you a really easy way of identifying deviation.”