Demystifying Zero Trust

If we’ve learned anything from global politics, it’s that every piece of technology equipment is vulnerable to hackers. The very idea of a data breach is enough to keep a security executive (or CISO) up at night. Bad press, huge revenue losses, eroded consumer trust and, worse, heavy penalty fees have led the industry to develop the Zero Trust model.

Zero Trust is fairly literal: it is a security model that does not trust any user’s attempt to access, or work within, the applications of an enterprise system unless their identity can be verified at several points. It was created by John Kindervag of Forrester Research in 2018. Since then it has become a buzzword that few truly grasp the meaning of.

Ordinarily, an organization’s data access model assumes that if you are able to log in, you can be trusted. This model has become outdated as cybercrime grows more sophisticated. 64% of organizations have experienced a phishing attack in the past year, and most hacks are the result of a phishing link in an email being clicked; in fact, 90% of data breaches involve some sort of phishing element. Often a hacker’s entry point isn’t where the data they want lives, but it grants them access to whatever isn’t restricted. Zero Trust aims to make these kinds of scams impossible: if implemented correctly, an attempt to hack into an enterprise system would trigger alarms for the security team, thwarting the attack before it starts.
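To make the “verified at several points” and “trigger alarms” ideas concrete, here is an added example (written for this page, not code from the original article or from any vendor): a deny-by-default access decision that re-checks identity, second factor, device posture and network zone on every request, and raises an alert whenever any check fails. The users, resources and check names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

@dataclass
class AccessRequest:
    user: str
    resource: str
    sensitivity: str         # "low" or "high"; high-value data gets stricter checks
    authenticated: bool      # identity verified by the identity provider
    mfa_passed: bool         # second factor verified for this session
    device_compliant: bool   # endpoint posture: managed, patched, encrypted
    network_zone: str        # "corp", "vpn" or "internet"; never sufficient on its own

@dataclass
class Decision:
    allowed: bool
    failed_checks: List[str] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

# Each check is independent; a request must pass all of them, every time.
# Being on the corporate network is only one signal, not a grant of trust.
CHECKS: List[Tuple[str, Callable[[AccessRequest], bool]]] = [
    ("identity", lambda r: r.authenticated),
    ("mfa", lambda r: r.mfa_passed),
    ("device_posture", lambda r: r.device_compliant),
    ("network_zone", lambda r: r.sensitivity != "high" or r.network_zone in ("corp", "vpn")),
]

def evaluate(req: AccessRequest) -> Decision:
    """Deny by default: any failed check denies access and raises an alert."""
    failed = [name for name, check in CHECKS if not check(req)]
    decision = Decision(allowed=not failed, failed_checks=failed)
    if failed:
        decision.alerts.append(
            f"ALERT user={req.user} resource={req.resource} failed={','.join(failed)}")
    return decision

# Constructed sample requests (hypothetical user and resource names).
GOOD = AccessRequest("alice", "payroll-db", "high", True, True, True, "corp")
# A password stolen by phishing: the identity check passes, but the second factor,
# device posture and network checks do not, so access is denied and an alert fires.
PHISHED = AccessRequest("alice", "payroll-db", "high", True, False, False, "internet")

if __name__ == "__main__":
    for req in (GOOD, PHISHED):
        d = evaluate(req)
        print(req.user, req.resource, "ALLOW" if d.allowed else "DENY", d.alerts)
```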

Many organizations do not have the resources to entirely overhaul their current security measures, but thankfully Zero Trust is scalable to fit the needs of your organization. There are many iterations of Zero Trust, and some of them may already be in use at your company. Many IT teams have already started rolling out pieces of Zero Trust, including virtual seminars and simulated phishing links sent to employee email accounts. The bigger Zero Trust picture is that data breaches are preventable, but prevention comes down to good training, strong security measures and knowledgeable security professionals.

Further reading…

https://www.phishingbox.com/resources/phishing-facts

https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture

CCPA – Who is Next?

Inspired by California’s CCPA, more states are debating whether to follow suit. The California Consumer Privacy Act (CCPA) is a bill signed into law in late 2019 to protect California residents from having their personal data shared or sold to third parties without consent. This law went into effect on the first of the year.

The CCPA follows quickly on the heels of the General Data Protection Regulation (GDPR) in Europe, which took effect in 2018. The key tenets of the two laws are very similar, essentially barring organizations from collecting or storing personal data without the consumer’s consent. As a result, nearly every website now informs users that some sort of digital fingerprint is being recorded.

So what is my “data” and why is that important? Personal data is defined by the state of California as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The use of your personal data by companies matters because it can determine how an organization will market directly to you, even if you don’t want them to. Think of all those robocalls and junk emails you get that you don’t remember opting into. That is likely the result of a company you did share your info with selling that data to another company that also wants to market to you.

One of the biggest points of the CCPA is that consumers have the right to access the data being collected on them, the right to ask an organization to delete their data, and the right not to have their data shared with anyone unless they personally opt in. Enforcing this new law will be challenging, as nearly 90% of American companies are not yet in compliance. Consequences for failing to adhere to the new law include steep, even financially devastating, fines regulated by the FEC.

Currently the law only protects California residents, but other states are expected to quickly adopt similar laws. Since California has one of the largest populations of any US state, the CCPA is important for any organization targeting California residents for marketing or commerce. Data breaches continue to erode consumer trust, and the CCPA is the first measure taken by a US state to hold companies legally liable for any mishandling. Expect states like Massachusetts, Minnesota, Pennsylvania, New Jersey, and New York to follow.

Additional Resources:

https://oag.ca.gov/privacy/ccpa

https://www.consumerreports.org/privacy/california-privacy-law-ccpa-california-consumer-privacy-act/

https://iapp.org/resources/article/california-consumer-privacy-act-of-2018/