November 14, 2022 (updated 16 Nov 2022, 12:57pm)

CISOs must convince their C-Suite to get on board with zero-trust security

Security privileges should be issued based on requirement, not role, security leaders say. But this presents a challenge.

By Claudia Glover

Access to digital systems should be based on policies, not roles, to promote a zero-trust security environment, Yahoo’s senior principal architect has said. But convincing senior leaders that they, too, need to apply for network access will be a major challenge for CISOs.

Implementing zero trust is vital, says Yahoo system architect. (Photo by Primakov/Shutterstock)

Yahoo’s Bryan Meister said most companies rely on role-based access control (RBAC), which can put networks at risk.

The problem with role-based access control

The US National Institute of Standards and Technology (NIST) describes policy-based access control (PBAC) as an approach in which company security policies are combined with job roles “to determine what access privileges users of each role should have.”

This means access to systems must be requested and approved, in contrast to the traditional RBAC set-up used by most companies, where an employee’s job role and seniority automatically determine their level of access.

There are a host of potential issues with this, Meister told a seminar on enterprise access control held as part of the KuppingerCole Cyber Leadership Conference in Berlin. He said as employees move around an organisation they can accumulate more privileges than are required.

“You can end up very quickly with role explosion, where an employee accumulates more and more roles over time as they request things,” Meister said. “The approval process can sometimes be glossed over and hiring managers end up approving access endlessly, whether or not it is needed. Unfortunately, this is the kind of path that role-based access control puts you on.”

This so-called ‘role explosion’ can lead to increasing operational and compliance overheads and increase cyber risks, as access becomes more difficult to police, he added.


Is policy-based access control the solution?

Meister suggested that PBAC could be the key to fixing these issues. “Policies can be extended to multiple resources,” he said. “For example, we built a policy around the accounts receivable process. It’s very easy to then duplicate that policy for other purposes and you can assign different resources with that policy template.”

This is a tenet of zero trust security implementation, as access granted is temporary and assessed on a case-by-case basis throughout the company. “There is less dependency upon organisational groups and hierarchy in order to establish policy-based access control,” Meister said.

By applying the concept of zero trust to authorisation, a company can ensure each employee is allotted the correct level of access, he continued. That way “you limit the scope and capabilities within those resources, showing again that the work an individual or a service is doing is commensurate with the level of work that they need to achieve,” Meister said. This ensures access is removed when it is no longer needed, “and not just when the user leaves the company,” he added.
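The two mechanisms Meister contrasts, roles that only ever accumulate and a policy template bound to a resource for a limited time, can be shown side by side. The following Python is an added illustration written for this page; it is not code from the article, from Yahoo or from NIST, and every role, resource and policy name in it is constructed. It first walks a user through a career in which each move adds a role and nothing retires one, then binds one accounts-receivable policy template to two resources and lets the grants lapse on their own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# ---- RBAC side: roles are additive and nothing retires them --------------
ROLE_PERMISSIONS = {                      # constructed role table
    "ar-clerk":    {"invoices:read", "invoices:create"},
    "ar-manager":  {"invoices:read", "invoices:approve", "reports:read"},
    "payroll-ops": {"payroll:read", "payroll:run"},
}

def rbac_permissions(roles):
    """Union of every permission behind every role the user still holds."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms

def rbac_career(moves):
    """Simulate a user changing jobs. Each move adds the new role and no move
    removes an old one, so the permission count only grows (role explosion)."""
    roles = set()
    history = []
    for role in moves:
        roles.add(role)
        history.append((role, len(rbac_permissions(roles))))
    return roles, history

# ---- Policy side: one template, bound per resource, time-bounded ---------
@dataclass(frozen=True)
class PolicyTemplate:
    name: str
    actions: frozenset          # what the policy permits on the bound resource
    max_duration: timedelta     # hard ceiling on how long any grant may live

@dataclass
class Grant:
    subject: str
    resource: str
    policy: PolicyTemplate
    justification: str
    expires_at: datetime

class PolicyEngine:
    def __init__(self, clock):
        self._clock = clock     # injectable clock so expiry can be exercised
        self._grants = []

    def request(self, subject, resource, policy, justification, duration):
        """Every grant is requested and justified; duration is capped by the template."""
        if not justification.strip():
            raise ValueError("access must be justified")
        ttl = min(duration, policy.max_duration)
        grant = Grant(subject, resource, policy, justification, self._clock() + ttl)
        self._grants.append(grant)
        return grant

    def _sweep(self):
        # Expired grants disappear at evaluation time: access is removed when
        # it is no longer needed, not when the user leaves the company.
        now = self._clock()
        self._grants = [g for g in self._grants if g.expires_at > now]

    def is_allowed(self, subject, resource, action):
        self._sweep()
        return any(g.subject == subject and g.resource == resource
                   and action in g.policy.actions for g in self._grants)

    def active_grants(self, subject):
        self._sweep()
        return [g for g in self._grants if g.subject == subject]

def policy_demo():
    """Bind the same accounts-receivable template to two resources and show
    that each grant lapses on its own schedule."""
    now = [datetime(2022, 11, 14, tzinfo=timezone.utc)]   # constructed start time
    engine = PolicyEngine(clock=lambda: now[0])
    ar_reviewer = PolicyTemplate("ar-reviewer", frozenset({"read", "approve"}),
                                 max_duration=timedelta(days=7))
    engine.request("alice", "erp:invoices", ar_reviewer, "month-end close", timedelta(days=3))
    engine.request("alice", "erp:credit-notes", ar_reviewer, "month-end close",
                   timedelta(days=30))                     # silently capped to 7 days
    during = engine.is_allowed("alice", "erp:invoices", "approve")   # True
    never = engine.is_allowed("alice", "erp:invoices", "delete")     # False: not in template
    now[0] += timedelta(days=4)     # invoices grant has lapsed, credit-notes still live
    after_3 = engine.is_allowed("alice", "erp:invoices", "approve")  # False
    still = engine.is_allowed("alice", "erp:credit-notes", "read")   # True
    now[0] += timedelta(days=4)     # day 8: even the capped 7-day grant is gone
    remaining = len(engine.active_grants("alice"))                   # 0
    return during, never, after_3, still, remaining

if __name__ == "__main__":
    print(rbac_career(["ar-clerk", "ar-manager", "payroll-ops"]))
    print(policy_demo())
```

The RBAC half never shrinks: after three job moves the user holds payroll permissions alongside invoice approval, which is the accumulation the text calls role explosion. The policy half reuses one template across two resources, requires a justification on every request, caps the lifetime at the template's ceiling regardless of what was asked for, and drops lapsed grants at evaluation time rather than waiting for an offboarding event.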

The challenge of zero trust for CISOs

However, this may lead to difficulties with the higher echelons of management, as high-level access is stripped and replaced with policy-based access. This can be managed by engaging the executives in the mission of zero-trust security and what positive effects that added security will bring for the company, explained Olaf Gnade, cyber risk manager at Deloitte.

“CISOs who are pushing for it would be well advised to think about their communications approach, whether it’s a fear-based angle, or whether you can get them to buy into the new zero-trust philosophy,” he says. “In the end, it’s about protecting the company’s assets, people, knowledge, connections, IP and the customers’ trust.”
