Fortinet Field CISOs Courtney Radke, Jonathan Nguyen-Duy, Jim Richberg, Renee Tarun, and Rick Peters offer actionable insights for establishing cybersecurity best practices around cloud security and Zero Trust within their respective industries.
Cybersecurity Best Practices for CISOs
Courtney Radke, Fortinet Field CISO
“Omnichannel retail experiences have enabled retailers to expand to new demographics and open up new revenue streams. However, despite these new initiatives, the retail industry has seen an erosion in customer trust and confidence in recent years to the point that less than 20% of consumers actually trust that retailers are properly protecting their data, and only 11% believe that retailers are able to effectively manage a data breach. Because of this, maintaining a strong perimeter has been the key to success. Today, retailers need to maintain a proactive security policy that incorporates a Zero Trust model that protects customers from unnecessary risk while also allowing for expedited response and communication in the event an incident occurs.”
“Cloud security and the challenges that come with it are at a reflection point. Retailers must review their deployed solutions and determine if the technologies align with their overall security maturity. With new cloud workloads and an increased reliance on mobile apps, data proliferation is a growing concern. Retailers building out their cloud strategies need to protect their cloud workloads and create a defense in depth (DiD) approach that includes elements like SD-WAN solutions, cloud workload protections, and Cloud Access Security Brokers (CASB) solutions.”
Jonathan Nguyen-Duy, Vice President, Global Field CISO Team
“Healthcare organizations need to be able to identify new types of users. On average, there are at least 15 devices connected to any hospital bed in the United States today. Because of this, there is a variety of both people and devices collecting, generating, and curating data across organizations to help execute data-driven decision-making. This, in turn, creates challenges around how organizations catalog and identify all people, devices, and applications in their networks.
This is where Zero Trust Access (ZTA) comes in. ZTA, at its core, is all about identity and access management, which is why it provides value for healthcare organizations. In many ways, Zero Trust arose from network segmentation’s limitations. Although it is intuitively elegant, over-segmentation impedes business operations, while under-segmentation lacks the security needed to prevent compromises and the lateral movement of threat actors. The key to segmentation across hybrid and distributed ecosystems is understanding all role-based access controls and segmenting accordingly.”
Jim Richburg, Fortinet Field CISO
“For those working to establish cybersecurity best practices in the public sector, ZTA should be a top consideration. Zero Trust is an operating principle with a philosophy, not a network architecture. It describes an approach for defense and depth: Don’t trust by default, always verify your request for access, authenticate users and devices, grant the least privilege necessary to the task at hand, and log – and potentially inspect – all network traffic. And while it can be beneficial, full Zero Trust implementation requires hardware, software, and business process changes, making it a daunting – and fairly difficult – approach for security teams. But at its core, Zero Trust is a risk management philosophy, and managing risk doesn’t require perfection. That’s why a more reasonable interim goal should focus on intent-based segmentation, defining users’ access based on business needs. Intent can also be defined in a static fashion by creating internal network segmentations corresponding to organization or business rules for sets of users.”
“Cloud technology also offers the public sector several key benefits: resilience, efficiency, smarter spending, security, and service availability. But despite these benefits, the public sector still lags behind the private sector in terms of the pace and progress of its implementation of cloud services and technology. And this isn’t due to the public sector being a technological laggard by desire. It’s simply due to the nature of procurement, the kinds of policy wickets they have, and the protracted budgeting cycle – they just can’t move as fast as the private sector can. With this in mind, the public sector should embrace technologies like artificial intelligence (AI) and machine learning (ML) to mature its security posture without overwhelming IT services teams. Additionally, unified platforms provide visibility, control, and management and enable automation across a broad suite of capabilities for any cloud environment.”
Renee Tarun, Fortinet Field CISO
“Higher education’s culture is built on knowledge and information sharing, often running counter to IT security principles. Adopting a Zero Trust approach to network access ensures that IT network administrators can manage the growth of unsecured and unknown devices. It gives visibility into who and what is accessing networks, simultaneously limiting access to the resources according to the principle of least privilege. IT teams can also implement network access controls (NAC) to see every device and user that joins the network, enhancing network control by limiting network access and automating event response times from days to seconds.”
“Many institutions have increased their use of cloud technology, especially SaaS applications, to deliver their online learning platforms. Cloud security must monitor Integrated security solutions to enforce uniform security policies across both traditional and SaaS applications so they can continuously monitor web application firewalls, secure web service APIs, and front-end applications. They should ensure that any solutions integrate with the major cloud providers, run on a security tool suite that covers the entire attack surface, and provide centralized management of security with automation and workflows.”
Rick Peters, Fortinet Field CISO
“Securing operational technology (OT) starts by enforcing the “never trust, always verify” model, which means protection at every wired and wireless node to ensure that all endpoint devices are validated. With the dynamics today introduced by exponential growth and enabled sensors for OT systems, Zero Trust is crucial to defending the cyber-physical. It’s also important to practice the principle of least privilege across both internal and external communications. By providing only the minimally required access and creating an internal segmentation firewall at multiple points within the networks, OT leaders are afforded extra layers of enterprise protection from an array of attack vectors. In this manner, the network visibility is achieved along with least privileged enforcement, helping to prevent vertical or horizontal movement within the target environment.”
“Organizations today are embedded with operational processes and are digitizing their environments using sensor technology and connecting with cloud-based applications – and OT is no different. Amid this adoption of cloud services, however, comes the challenge of the broadening attack surface. Threats within the OT sector are now going beyond network and application attacks to target vulnerabilities caused by misuse or misconfiguration of the cloud infrastructure. To address the intersection of these challenges, IT support teams need a solution that offers advanced security and can detect suspicious activity across any and all cloud environments. This cloud security solution must also enable a containment and mitigation strategy to ensure safe and continuous operations. Overall, the chosen security service must provide fluid and dynamic transparency that delivers operational efficiency as well as continuous trust across the cloud.”
Renee Tarun, Fortinet Field CISO
“Financial institutions are continually expanding their digital innovation tactics with SaaS-based tools, Voice over Internet Protocol (VoIP) video services, and wireless access points while also increasing the types and number of devices on their networks. Because of this, they must adopt the Zero Trust approach to network access to ensure they know who and what is accessing their networks. Using a network access control (NAC) provides network visibility that allows IT teams to see every device and user that joins the network. In addition, they can implement Single Sign-On (SSO) or multi-factor authentication (MFA) solutions for an additional layer of protection, thereby ensuring users only have the least amount of access necessary to do their jobs.”
“Organizations within the financial services sector are becoming increasingly reliant on cloud-based infrastructures. This likely comes down to two key reasons: The pay-as-you-go infrastructure is easy to justify, at least upfront, and the operational agility that comes with ramping up capacity at a moment’s notice or shutting off unnecessary features on-demand is extremely beneficial. However, financial services institutions are faced with constant attacks and intrusion attempts. As digital transformation initiatives expand the attack surface, the security teams need that network visibility and control to keep the breaches at bay, achieve cost savings, and gain operational efficiencies. This is only made more complicated by the need for compliance. With this in mind, these institutions need a cloud security solution that can monitor all activity and integrate with other solutions to enforce uniform security policies across both traditional and SaaS-based applications. They need to deploy web application firewalls that secure the web service APIs and the front-end web applications from threats. To lower the total cost of ownership, they should look for solutions that natively integrate with major cloud providers, include a broad suite of security tools, and provide centralized management, including automation, workflows, and intelligence sharing.”
Call SpartanTec, Inc. now if you want to improve your company’s cybersecurity.