In IT Security: Never Trust, Always Verify

In IT Security: Never Trust, Always Verify

It used to be that firewalls were a good guarantee of safety. Users, devices and applications behind the wall were implicitly trusted to operate within an organization’s IT environment.

However, a string of high-profile cyber attacks has ushered in the wave of ‘zero trust’ firewall architectures.

The same shift is taking place in the cloud and managed service provider space. With cloud and service providers taking a larger role in enterprise strategies, finding trustworthy service providers is now a key concern for enterprises. Meanwhile, service providers are striving to prove they can be trusted.

But maybe, in all these cases, it really isn’t about trust; maybe what enterprises are looking for is proof.

Bridging the Trust Gap

With cloud use on the rise, organizations are steadily surrendering control and visibility of their overall IT ecosystems to providers. But enterprises are losing faith in the traditional ‘black box’ approach. A gap in trust between service providers and enterprises may be growing.

‘Trust, but verify’ is no longer enough. Today, it may as well be ‘never trust, always verify… then verify again.’

This verification process can be very thorough. With enterprises seeking confidence in their cloud providers, they’re also seeking transparency by asking a wide variety of questions. These fall into a few categories.

A Shift in Staffing Strategies for Information Security

1. Data Access

Enterprises want proof that access has been permitted according to policy. Service providers must provide detailed proof about access to customer systems and data, and be able to answer any of the following questions:

  • Who is accessing the asset?
  • Where are they connecting from?
  • Is it a safe connection?
  • Do they have privileges that are in line with their normal pattern of access?
  • Are they accessing the asset within an expected time window?
  • What did they do while they had access?

2. Data Location

As data moves from datacenter to datacenter at a service provider’s discretion, enterprises are beginning to ask for real-time and historic location-specific information concerning their digital assets. If a company asks ‘where is my data located right now?’, a MPS should have the answer.

3. Security Incidents

In the event of a security incident, a MPS should be able to answer:

  • When was the incident detected?
  • Who performed the analysis?
  • How long did it take before triage began?
  • What is the current state of investigation and remediation?

Regardless of the provider, enterprises report that they only see what is escalated to them, leaving the organization in the dark for hours, days or even weeks after an event.

Zero Trust Model

Thanks to the ever-changing cloud industry combined with the ever-present threat of cyber attacks, the ‘trust, but verify’ approach to IT is obsolete. Many enterprises are shifting strategies to a zero-trust model that explicitly distrusts everything and everyone by default – every user, device and application, including cloud and service providers.

Proven cybersecurity controls are mandatory for enterprises. Make sure your Cloud MSP can provide real-time transparency about each bump in the road.


Want insights on Infosec trends delivered to your inbox? Join the 451 Alliance.