teissTalk: Securing your applications with Zero Trust architecture

teissTalk host Geoff White was joined by Jonathan Craven, Head of Information Governance / Data Protection Officer, Central and North West London NHS Foundation Trust; Simon Gooch, Director of Cyber Security & Global/Accenture; Lester Godsey, Chief Information Security Officer/ Office of Enterprise Technology, Maricopa County.

Views on news

More than four-fifths (82%) of public sector applications have security flaws, the highest proportion of any industry, according to a new study from Veracode. The public sector also had the joint lowest vulnerability fix rate of all industries, at 22%. On the upside, however, high-level flaws only appear in 16% of public sector applications and the total number has decreased by 30% in the past year.

There are several reasons for this. Most of the data that the public sector (police, NHS, local government, etc.) handles is highly sensitive. The sector also has more limited resources than others, and its client base can be more vocal than that of other businesses when it comes to reporting the mishandling of data. The heavy and complicated compliance requirements that these public bodies are inundated with also tie up a share of the sector's limited resources. The fact that the NHS was highly vulnerable to the WannaCry cyber-attack is also down to poor patching regimes and a lack of software support.

There is often a disconnect between public sector organisations' ambition to become forward-thinking, digital-first organisations and the legacy IT systems they have to rely on. Unsafe applications aren't only developed in-house; often it is vendors who sell them to their public sector clients.

The move to the cloud, however, has significantly improved security across the sector and has given organisations an opportunity to leapfrog measures, such as maintenance, that are not necessary in a cloud-based environment. More collaboration between the private and public sectors can also help improve security in the latter.

Zero Trust for applications

Zero Trust is essentially about identity and access management. But identity shouldn't be limited to individuals; it should also cover devices and services.
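To make that point concrete, here is an added example (not code from the panel or from any product mentioned on the page) of a Zero Trust access decision in which the user, the device and the calling service are each treated as an identity that must be verified before access is granted. Every identity, resource name, workload ID, group and posture threshold in it is constructed for illustration.

```python
"""Zero Trust access decision that treats users, devices and services as identities.

Added illustration; not code from the teissTalk panel or any vendor product.
Every identity, resource, workload ID and threshold below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UserIdentity:
    subject: str
    groups: frozenset
    mfa_verified: bool


@dataclass(frozen=True)
class DeviceIdentity:
    device_id: str
    managed: bool          # enrolled in the organisation's device management
    disk_encrypted: bool
    patch_age_days: int    # days since the last OS patch was applied


@dataclass(frozen=True)
class ServiceIdentity:
    workload_id: str       # e.g. a SPIFFE-style ID taken from an mTLS certificate (constructed)
    cert_valid: bool


@dataclass(frozen=True)
class Request:
    user: Optional[UserIdentity]
    device: Optional[DeviceIdentity]
    service: Optional[ServiceIdentity]
    resource: str
    action: str


# Constructed inventory: which workloads may call each resource at all
ALLOWED_CALLERS = {
    "patient-records-api": {"spiffe://example.internal/clinic-portal"},
}

# Constructed group entitlements per resource and action
ENTITLEMENTS = {
    "patient-records-api": {
        "read": {"clinicians"},
        "write": {"clinicians", "records-admins"},
    },
}

MAX_PATCH_AGE_DAYS = 30  # constructed device-posture threshold


def evaluate(req: Request) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Default deny: every identity layer must pass."""
    reasons: list[str] = []

    # Layer 1: the human user
    if req.user is None:
        reasons.append("no authenticated user")
    else:
        if not req.user.mfa_verified:
            reasons.append("user not MFA-verified")
        entitled = ENTITLEMENTS.get(req.resource, {}).get(req.action, set())
        if not (req.user.groups & entitled):
            reasons.append(f"user not entitled to {req.action} on {req.resource}")

    # Layer 2: the device the user is working from
    if req.device is None:
        reasons.append("no device identity")
    else:
        if not req.device.managed:
            reasons.append("device unmanaged")
        if not req.device.disk_encrypted:
            reasons.append("device disk not encrypted")
        if req.device.patch_age_days > MAX_PATCH_AGE_DAYS:
            reasons.append("device patch level too old")

    # Layer 3: the service making the call on the user's behalf
    if req.service is None:
        reasons.append("no service identity")
    else:
        if not req.service.cert_valid:
            reasons.append("service certificate invalid")
        if req.service.workload_id not in ALLOWED_CALLERS.get(req.resource, set()):
            reasons.append("calling service not in inventory for resource")

    return (not reasons, reasons)


def example_requests() -> dict[str, Request]:
    """Constructed requests that exercise each layer of the policy."""
    clinician = UserIdentity("j.doe", frozenset({"clinicians"}), mfa_verified=True)
    managed = DeviceIdentity("lap-0042", managed=True, disk_encrypted=True, patch_age_days=7)
    unmanaged = DeviceIdentity("byod-9", managed=False, disk_encrypted=False, patch_age_days=120)
    portal = ServiceIdentity("spiffe://example.internal/clinic-portal", cert_valid=True)
    unlisted = ServiceIdentity("spiffe://example.internal/debug-tool", cert_valid=True)
    return {
        "managed_laptop_via_portal": Request(clinician, managed, portal, "patient-records-api", "read"),
        "unmanaged_laptop_via_portal": Request(clinician, unmanaged, portal, "patient-records-api", "read"),
        "managed_laptop_via_unlisted_service": Request(clinician, managed, unlisted, "patient-records-api", "read"),
        "managed_laptop_delete_not_entitled": Request(clinician, managed, portal, "patient-records-api", "delete"),
    }


if __name__ == "__main__":
    for name, req in example_requests().items():
        allowed, why = evaluate(req)
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {why}")
```

The point of the structure is that a valid user on an unmanaged laptop, or a valid user reaching the API through a workload that is not in the inventory, is denied just as firmly as an unauthenticated user; the returned reasons give the identity team something to act on rather than a bare refusal.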

Many applications are hosted by third parties, so it is key to have an inventory of the APIs the organisation is using. In a cloud-first world the concept of an application is also changing and may strike some cyber security professionals as a legacy concept.
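As an added example of the API inventory point (not code from the panel or from any product), the script below reads constructed egress-proxy log lines, checks each outbound call against an approved-API inventory keyed by host and path prefix, and reports the calls that fall outside it together with the internal service that made them. The log format, hostnames, service names and inventory entries are all constructed.

```python
"""Check outbound API calls against an approved-API inventory and flag the rest.

Added example, not code from the teissTalk panel or any product.
The log format, hostnames, service names and inventory entries are constructed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed inventory: (host, path prefix) of third-party APIs the organisation has approved
APPROVED_APIS = {
    ("api.payments.example.com", "/v1/charges"),
    ("api.payments.example.com", "/v1/refunds"),
    ("identity.example.org", "/oauth2/token"),
}

# Constructed egress-proxy log: timestamp, calling service, method, URL, HTTP status
SAMPLE_LOG = """\
2025-01-14T09:00:01Z billing-svc POST https://api.payments.example.com/v1/charges 201
2025-01-14T09:00:03Z billing-svc POST https://api.payments.example.com/v1/charges/ch_123/capture 200
2025-01-14T09:00:05Z portal-svc POST https://identity.example.org/oauth2/token 200
2025-01-14T09:00:09Z reporting-svc GET https://analytics.thirdparty.example.net/v2/export 200
2025-01-14T09:00:10Z reporting-svc GET https://analytics.thirdparty.example.net/v2/export 200
malformed line that the parser should skip
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\d{3})$")


def parse_log(text):
    """Yield (service, method, host, path, status) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, service, method, url, status = m.groups()
        parts = urlsplit(url)
        yield service, method, parts.hostname, parts.path, int(status)


def matches_inventory(host, path, inventory=APPROVED_APIS):
    """True if the host matches and the path is the approved prefix or lies beneath it."""
    return any(
        host == h and (path == p or path.startswith(p.rstrip("/") + "/"))
        for h, p in inventory
    )


def find_unapproved(text, inventory=APPROVED_APIS):
    """Map (host, path) -> details for every call that is outside the inventory."""
    unknown = {}
    for service, method, host, path, _status in parse_log(text):
        if matches_inventory(host, path, inventory):
            continue
        entry = unknown.setdefault((host, path), {"count": 0, "callers": set(), "methods": set()})
        entry["count"] += 1
        entry["callers"].add(service)
        entry["methods"].add(method)
    return unknown


def observed_apis(text):
    """Counter of (host, path) actually called: raw material for a first inventory."""
    return Counter((host, path) for _, _, host, path, _ in parse_log(text))


if __name__ == "__main__":
    for (host, path), info in sorted(find_unapproved(SAMPLE_LOG).items()):
        print(f"NOT IN INVENTORY {host}{path} x{info['count']} "
              f"callers={sorted(info['callers'])} methods={sorted(info['methods'])}")
```

Run against real proxy or gateway logs, `observed_apis` gives a starting inventory where none exists, and `find_unapproved` run on a schedule turns the inventory into a control: a new third-party endpoint appearing in the output is the signal to either approve and document it or ask the owning team why the service is calling it.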

Implementing Zero Trust is an iterative, multi-layer process. No single technology can cover the whole journey; rather, a Zero Trust architecture is composed of multiple tools, services and controls. What to look for when choosing solutions is interoperability between layers and whether they can talk to your existing identity solution.

Zero Trust is not just about technology but also about processes and how data is used in the organisation on a daily basis. Testing is becoming more prominent in Zero Trust architecture, for example in the form of fuzzing.

Continuous validation should also be at the heart of Zero Trust, through pen testing, software composition analysis testing, etc.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543