Forrester: Trust no one with IT security

Forrester Research will today release a report, Introducing the Zero-Trust Model of Information Network, at its Security Forum event in Boston.

Share

Forrester Research will today release a report, "Introducing the Zero-Trust Model of Information Network" (excerpt here) in conjunction with its Security Forum event in Boston.

The report attempts to put an end to the oft-used description of an IT security strategy comprising a crunchy outside (that's where you really clamp down) and a chewy center (where you let IT users roam free).

"We've built strong perimeters, but well-organised cybercriminals have recruited insiders and developed new attack methods that easily pierce our current security protections. To confront these new threats, information security professionals must eliminate the soft chewy center by making security ubiquitous throughout the network, not just at the perimeter," says the author John Kindervag.

The concept is similar to that espoused by the Jericho Forum, which pioneered the notion of "deperimiterisation" of the enterprise, with security focussed on the data itslef, rather than just the walls of the organisations

The insider threat has increasingly been grabbing headlines, with high profile cases including the arrests of former Sprint employees for allegedly collaborating on an identity theft scheme. 

Study after study of late has emphasised the increased insider threat. Verizon's Data Breach Investigations Report showed that nearly half of breaches were the result of users abusing their right to access sensitive data. 

What's more organisations have been taking action to thwart the insider threat. This includes DARPA, which recently launched a project for protecting the Department of Defense from itself. 

Vendors have long warned of the insider threat, but they've been racheting up their efforts to help companies plug potential leaks. CA Technologies, for example, recently released tools to gain better control over so-called privileged users. 

Now read the Forrester security and risk blog on ComputerworldUK