VIDEO | Prevent Breach CTO: Zero Trust is all about Denial and Micro-Segmentation
(US and Canada) Nicolas Chaillan, Chief Technology Officer, Prevent Breach, speaks with Michael C. Fillios, IT Ally Founder and CEO, about zero trust as a framework for cybersecurity, the process of implementing zero trust across organizations, and how advantageous it is for small and midsize businesses to embrace DevSecOps and zero trust.
Chaillan recalls incorporating zero trust six years ago in partnership with Google and Cloud Security Alliance, while working with the U.S. Department of Homeland Security. He adds that the concept has been bloated and may confuse people if not used carefully. From his point of view, zero trust is all about denial and micro-segmentation, and is driven by three main concepts:
Device Enforcement: It is based on the device used, the security of the device, and the state of the device.
User Identity Enforcement: The roles of the users have to be labeled accurately. Organizations can then compound user risk with device risk.
Component Risk: This determines what can be seen based on component risk. That way, the zero trust stack will be able to enforce the whitelisting by blocking the lateral movement of malicious actors across things they should not see.
Chaillan maintains that zero trust ties back to data, as it labels the data down to the granular level. Accurate labels assigned to users are the policies that enforce access, he says. He further states that organizations must delegate down to the right level. Prevent Breach labels data to the data owner, so that person knows who should have accessed what and how.
Emphasizing the need for SMBs to embrace zero trust and DevSecOps, Chaillan affirms that SMBs that want to continue doing business have embraced DevSecOps. He asserts that it enables companies to find the balance between innovation and security.
Chaillan also believes that the maturity of an organization in DevSecOps determines whether it will make it in the competitive universe. He considers this a massive opportunity for companies willing to bring DevSecOps services, data centricity, and zero trust to SMBs. This is easy, he concludes, with a leading government providing it as a free, open source capability that is reusable at little initial investment cost.