teissTalk: Zero Trust in your supply chain

teissTalk host Geoff White was joined by Jay Moloo, Corporate Information Security Officer, DB Schenker as lead guest; Sebastian Avarvarei, Information Security Manager, Canon; and Jason Soroko, CTO of PKI, Sectigo

Views on news

The White House released a federal strategy to move the US government toward a “zero trust” approach to cybersecurity – a model in which users and devices are only given permissions to access network resources necessary for the given task and therefore are authenticated on a case-by-case basis. Agencies now have 30 days to designate a lead for strategy implementation within their organisation and 60 days to submit an implementation timeline to the Office of Management and Budget. Although the White House can only regulate federal agencies, best practices and guidelines introduced there can be expected to roll over into the private sector. The SANS Institute, specialising  in information security, cybersecurity training and selling certificates, for example,  delivers courses aligned with federal guidelines and CIS controls. Meanwhile, in the UK Cyberstrategy 2022 – which is to solidify the UK’s position as a cyber power and is more of a strategic framework than President Biden’s list of scheduled targets – there is no mention of Zero Trust. As a first step to understanding the full depth of Zero Trust, a new concept of digital identity needs to be adopted. It’s no longer only humans that can have a digital ID but also IoT devices, autonomous machines, bots or even network nodes. As monolithic pieces of code are now broken up into containers orchestrated by Kubernetes, individual containers will also have their own identity and authentication processes. A great example to demonstrate the importance of authentication in M2M communication is the 2013 Target data breach where network credentials were stolen via Target’s HVAC supplier. Where third parties are connected into a company’s core processes and products, it’s important to define the external machines that the company’s own machines can take commands from.