Featured Article – What is Zero Trust?

With mobile computing, software-as-a-service (SaaS), and now remote working moving the focus of IT security away from the traditional perimeter, this article looks at what a Zero Trust approach is and how it can help.

More Complex Demands

The belief among many IT security experts is that a traditional perimeter-based security approach may no longer be enough to cope with the more complex IT security requirements that a widening scope of computing and threats has brought.  Additional authentication strategies are now needed.

First

The term ‘Zero Trust’ in relation to IT security was first used back in 2010 in a report by analyst firm Forrester when it was noted that there had been a big increase in the number of enterprises using the public cloud and that the security ‘perimeter’ was changing.

Zero Trust

The Zero Trust approach to IT Security (as highlighted by James Walsh of Fieldfisher) has the following characteristics:

– It is a data-centric model i.e., protecting data from both internal and external threats rather than just relying on the old ‘castle and moat’ style perimeter security (address and location layer).

– It works on the understanding that although as many precautions are being taken as possible, the modern reality is that it is not a case of “if” an attacker gets through, but “when”.

– Rather than the old “trust, but verify” approach, the Zero Trust approach is “never trust, always verify” i.e., trust is never granted implicitly but must be continually evaluated / all network traffic and nodes are considered untrustworthy until proven otherwise.  This means that any device must pass authentication and security policy checks to access any corporate resources.  It also means controlling this access only to the extent required.

– Zero Trust is not simply an approach. For it to work effectively, it requires compatible and connected policies, practices, software, and hardware that can create a whole, secure Zero Trust ecosystem.

Managing

In managing the device, user, and trust level, the Zero Trust approach uses:

– Managing the monitoring and compliance of all endpoint devices (understanding the threats), including BYOD, through unified endpoint management.

– Having one single sign-on point (SSO) where a single version of a user ID meets a single-entry point where the user credentials must be fully validated before accessing the business systems, as well as logging access in and out of the system.

– Multifactor authentication (MFA) is used to establish a user’s credentials; using a single factor is no longer an option. MFA could include a security key, biometrics, a trusted device, and more.

Some of the main benefits of Zero Trust include:

– Administrators can get an accurate inventory of infrastructure (i.e. which users, data, apps, and services are present) in the corporate infrastructure. This contributes to performance planning as well as security.

– The monitoring and alerting gives a better ability to quickly detect and respond to cybersecurity threats. Examples of tools used for monitoring in a Zero Trust framework include security information and event management systems (SIEM) for centralised logging capabilities and IT infrastructure threat detection and response tools.

– Improved user experience thanks to (for example) single sign-on (SSO) limiting the number of passwords needed and requiring a user to authenticate only once to gain access to everything they need.

– Reducing the potential for gaps in the security infrastructure thanks to a universal security policy that is created once and then implemented from end to end throughout the organisation.

– Making it easier and more flexible to move apps, data and services because with Zero Trust, app and data security policies are centrally managed and automation tools migrate the policies where they are required.

Components of a Zero Trust System

An example of the components required for a Zero Trust network, in this case from NIST (US Government), includes:

– A policy engine (PE) and policy administrator (PA) at the centre (in tandem or as part of the same software) to decide whether machines or web traffic are safe and to grant or revoke access. The PE uses external data sources to help make its decisions.

The external data sources that the policy engine uses can include:

– Continuous diagnostic and mitigation (CDM) systems – providing information about (for example) the current security state, updating of a device’s OS and security software and more.

– Industry (and organisational) compliance checks.

– Threat intelligence feeds, e.g. about blacklists and malware.

– Activity logs that could flag up a potential risk.

– Data access policies for each individual and asset.

– Public key infrastructure (PKI) to validate certificates.

– Security information and event management (SIEM) systems. These provide security-related data that can also be used to improve the whole Zero Trust system.

– Other Zero Trust frameworks can use adaptations of existing technologies, e.g. device sandboxing, a device/agent gateway model, micro-segmentation, and more.
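The policy engine and policy administrator described above, sketched as an added example (this is not NIST's or any vendor's code). It shows a default-deny decision that combines the listed data sources and is re-evaluated on every request, so access is revoked when a signal changes. All class names, fields, and sample values are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    resource: str
    action: str
    mfa_passed: bool   # result of multifactor authentication
    cert_valid: bool   # result of PKI validation of the device certificate
    source_ip: str


@dataclass
class Signals:
    """Constructed stand-ins for the external data sources the PE consults."""
    cdm_patched: dict    # device_id -> bool (CDM: OS and security software current)
    compliant: set       # device_ids that pass compliance checks
    blocked_ips: set     # threat intelligence feed
    risky_users: set     # users flagged by activity logs / SIEM
    access_policy: dict  # (user, resource) -> set of permitted actions


def evaluate(req, sig):
    """Policy engine: default deny, every check must pass. Returns (decision, reasons)."""
    reasons = []
    if not req.mfa_passed:
        reasons.append("MFA not completed")
    if not req.cert_valid:
        reasons.append("device certificate failed PKI validation")
    if not sig.cdm_patched.get(req.device_id, False):
        reasons.append("device not patched or unknown to CDM")
    if req.device_id not in sig.compliant:
        reasons.append("device fails compliance check")
    if req.source_ip in sig.blocked_ips:
        reasons.append("source IP on threat intelligence blocklist")
    if req.user in sig.risky_users:
        reasons.append("user flagged by activity logs")
    # Least privilege: only actions explicitly granted for this user and resource.
    if req.action not in sig.access_policy.get((req.user, req.resource), set()):
        reasons.append("action not granted by data access policy")
    return ("deny" if reasons else "allow", tuple(reasons))


class PolicyAdministrator:
    """Grants or revokes sessions based on the engine's decision for each request."""

    def __init__(self, signals):
        self.signals = signals
        self.sessions = set()
        self.audit = []  # records that would be forwarded to a SIEM

    def handle(self, req):
        decision, reasons = evaluate(req, self.signals)
        key = (req.user, req.device_id, req.resource, req.action)
        if decision == "allow":
            self.sessions.add(key)
        else:
            self.sessions.discard(key)  # revoke any previously granted session
        self.audit.append((key, decision, reasons))
        return decision


def demo():
    """Constructed scenario: allow, deny by least privilege, then revoke on posture change."""
    sig = Signals(
        cdm_patched={"laptop-17": True},
        compliant={"laptop-17"},
        blocked_ips={"203.0.113.66"},
        risky_users=set(),
        access_policy={("alice", "payroll-db"): {"read"}},
    )
    pa = PolicyAdministrator(sig)
    read = AccessRequest("alice", "laptop-17", "payroll-db", "read", True, True, "192.0.2.10")
    write = AccessRequest("alice", "laptop-17", "payroll-db", "write", True, True, "192.0.2.10")
    results = [pa.handle(read), pa.handle(write)]
    sig.cdm_patched["laptop-17"] = False  # CDM now reports the device as out of date
    results.append(pa.handle(read))       # the same request is re-evaluated, not trusted
    return results, pa.sessions, pa.audit


if __name__ == "__main__":
    for entry in demo()[2]:
        print(entry)
```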

Challenges to Implementing Zero Trust

As with any big change in a company/organisation, moving over to Zero Trust has its challenges which include:

– Any legacy apps, tools and resources that are currently part of network and enterprise operations but aren’t easy to integrate with a Zero Trust system.

– Regulations are currently running behind the implementation of many Zero Trust systems and these will need to change.

– Achieving visibility and control in a network is a big challenge and many organisations don’t have a comprehensive view and are, therefore, still vulnerable through unpatched devices or users with too many privileges.  In the shorter term, a hybrid approach to Zero Trust is likely to lead the way to full implementation.

Examples of Zero Trust (ZT) security models in action include:

– The US federal government now operates a Zero Trust model.

– Cloud service provider Akamai Technologies (US) – to let employees securely access internal applications but keep end-user devices off the corporate network entirely.

Resources and Links

Here are some links to a few useful resources and guides for Zero Trust IT security:

A Zero Trust security cheat sheet: https://www.techrepublic.com/article/zero-trust-security-a-cheat-sheet/.

How to implement Zero Trust with real-life examples: https://searchsecurity.techtarget.com/feature/How-to-implement-zero-trust-security-from-people-who-did-it.

Looking Ahead

It is clear that mobile computing, the pace of technological change, the digital transformation and massive increase in remote-working (fuelled by the pandemic), not to mention soaring cyber-crime figures have highlighted the need for a data-centred approach and a move away from the ‘moat and castle’ view of IT security.  Another good reason to opt for the Zero Trust approach is as a way of having a much better chance of avoiding the cost of a breach.  Not surprisingly, Zero Trust entered the European security market in 2019 and IT and Security Risk professionals as well as many businesses and organisations are now seeing it as the natural and practical way forward.

Google Mobile Search Re-Design

Google has announced that to make it faster and easier for users to find what they are looking for, a major visual redesign of Google’s mobile search results is to be rolled out shortly.

Challenges

Some of the challenges that Google has tried to address with the new changes are the diversity in the types of content and information that it now must categorise and how this affects a person’s ability to find what they are looking for with the existing/old format, e.g. too much clutter at the top, mixed media and font sizes.

Changes

Some of the visual changes in the new mobile search engine results layout, championed by Google designer Aileen Cheng, include:

– Making text easier to read due to larger, bolder text, including more of Google’s own font, and making the result and section titles bigger.

– Putting more of the text information at the top and reducing the distraction of design elements around it.

– Creating more visual space / “breathing room” to make the results more central by using an edge-to-edge results design.

– Using more bold colours to highlight important elements as well as centre-aligning content and images against a clean background.

– Borrowing more from the branding by using more rounded icons and imagery.

– Generally refreshing the design elements whilst retaining familiarity and approachability.

Series of Re-Designs

Back in February 2020, Google marked the 15th anniversary of Google Maps by making changes to the Google Maps logo.  The map cut-out icon was replaced with a simpler navigation pin which was made up of colours that reflected the main Google logo.

Also, in October 2020, Google previewed a new icon for Gmail which some people at the time thought was an indication of more design changes to come. The more simplified multi-coloured M on a plain background was reported to be part of a wider G-Suite re-brand and as a way of showing the integration of many products that started years ago as individual apps.  The design change was a way of creating a consistent and simple look in Google Workspace i.e., the place where all Google’s productivity apps were visibly grouped, such as Gmail, Calendar, Drive, Docs, and Sheets.

What Does This Mean For Your Business?

With most Google searches now conducted on mobile devices and with a huge variety as well as volume of content now part of Google’s search, it makes sense that Google would want to make changes that make things more friendly for users.  Google has been undertaking a general move anyway over the last year to visually represent the integration of the many products that it has built up over many years.  It may make sense, therefore, that its core search product is next for the treatment.  Google is also under pressure from various governments over requests to pay publishers to show links to their news content in its search engine results.  It is perhaps not surprising, therefore, that with its SERPs under so much scrutiny, Google would want to go on a charm offensive and ensure its products are looking their best. Mostly though, these relatively small design changes mark Google updating and integrating as it moves into an era where it has become more important than ever to home-workers and businesses that have undergone digital transformations and rely much more on Google’s products to help them function and compete in the more chaotic pandemic business environment.

Musk Offers $100 Million To Best Carbon Capture Inventor

Billionaire Tesla founder and SpaceX boss, Elon Musk, has pledged to give a $100 million (£73 million) prize to whoever comes up with the best technology to remove carbon dioxide (which is generated from fossil fuels) from the air.

Jan 21st Tweet

In a Tweet on January 21, Elon Musk said, “Am donating $100M towards a prize for best carbon capture technology”.  It has been reported that the $100M (£75M) will be connected to the Xprize Foundation, a non-profit foundation that hosts public competitions to encourage technological development.

Musk is No Stranger to Pledging or Donating 

As part of the Giving Pledge initiative, started by Bill Gates and Warren Buffett in 2010, Elon Musk is one of the billionaires who have promised to give away half of their fortune in charitable donations.

What Is A Carbon Capture System?

A Carbon Capture System is a system that results in Carbon Capture and Storage (CCS), i.e. the removal and storage (back) underground (or turning into products) of carbon dioxide that has been created through the burning of fossil fuels.

Why?

Following Musk’s Tweet about a prize for the best carbon capture system, people suggested that planting more trees and toughening existing efforts to thwart climate change would be more helpful. Carbon dioxide levels in the atmosphere have recently been measured at 415 parts per million (ppm) which is the highest in human history. Unfortunately, the Intergovernmental Panel on Climate Change (IPCC) says that existing measures may not be enough and that “negative emissions” / actively removing historical carbon dioxide already in the atmosphere is necessary on a large scale to really start to slow down and reverse the damage.

Examples

Examples of how Carbon Capture and Storage (CCS) has been used to date include:

– Using direct air capture (DAC) technology to remove carbon dioxide from the ambient air and storing it underground or turning it into products. Existing DAC systems use a liquid solvent to separate the carbon dioxide from the air. Swiss company Climeworks, for example, already operates 15 direct air capture machines across Europe (the world’s first commercial DAC system), powered by renewable energy.

– Canadian company Carbon Engineering operates a system that uses giant fans to pull air into a tower and passes the air over a potassium hydroxide solution to bind the carbon dioxide molecules.  This carbon dioxide is then purified and compressed to be used again.

What Does This Mean For Your Business?

For many years now, the world has been facing a climate emergency and with carbon dioxide levels at their highest in human history, and with warnings that removing carbon dioxide from the atmosphere using technologies like Carbon Capture and Storage (CCS) is now necessary and not optional, Elon Musk’s offer has at least given attention to the issue.  Carbon offsetting is popular with businesses but has been criticised, e.g. by Greenpeace, for not actually working as planting trees can’t replace cutting carbon emissions. The climate emergency is something that individuals and businesses must face together and make changes in their own behaviour and consumption to help reduce carbon emissions.

It is good news that President Biden has signed the US (back) up to the Paris Agreement, which is aimed at trying to keep the increase in global temperature to less than 2 degrees Celsius above pre-industrial levels and to limit that warming to 1.5C.  There are, however, still many countries, including those who have signed up, that are still heavily reliant on fossil fuels (such as coal), e.g. China.

Carbon Capture technology and systems are, therefore, necessary as well as representing an opportunity for a whole new sector e.g., the potential market value of DAC technology has been estimated at US$100bn by 2030. These systems should be just one weapon in the fight against global warming and a more holistic approach needs to be taken now with countries making the issue a priority and encouraging changes in behaviour and consumption wherever possible.

Tech Tip – Steps Recorder

If you would like a fast and easy way to describe to someone else (with pictures and steps) how you do something on your Windows 10 computer, the ‘Steps Recorder’ will record what you do and produce a file or slideshow showing those steps.

To record your steps:

– Go to the start menu and type in ‘Steps Recorder’.

– Click on the Steps Recorder App.

– Click the start button and carry out the steps you would like to demonstrate.

– Click on the stop button at the end.  The Steps Recorder will produce a document of your steps showing screenshots.

– You can then review the recorded steps as a file or as a slideshow.

– Save the steps as a .zip file.

Carbon Pollution From Your Emails

A Financial Times report based on work by Tim Berners-Lee has highlighted how sending fewer emails could help tackle climate change by reducing carbon emissions.

Emails and Carbon Production

The idea from Tim Berners-Lee, referenced also by Ovo Energy, is that although emails appear to be more environmentally friendly than using paper, a lot of energy is expended (and carbon produced) in order to allow emails to be used.  For example, for emails to be written and sent, energy must be used by servers, home wi-fi, and a laptop.  Also, the carbon emitted to construct data-centre buildings could be taken into account when assessing the environmental impact of email as this represents significant greenhouse gas (carbon) production.

How Much?

Although each individual email is likely to be responsible for producing an incredibly small amount of carbon as a proportion of the 435.2 million tonnes of greenhouse gasses produced by the UK last year, there is likely to be a cumulative impact. This impact is likely to be made greater by the sending of “unnecessary” emails.

For example, Ovo Energy commissioned (Censuswide) research shows that the 64 million “unnecessary” emails sent every day could be responsible for contributing 23,475 tonnes of carbon a year to the UK’s carbon footprint. Unnecessary emails are categorised as those sent to friends within talking distance, or those containing replies such as ‘thank you’, ‘thanks’, ‘received’, and similar.

Polluting Anyway?

There is, of course, an argument that whether sending emails or not, having laptops, computers, Wi-Fi routers (and more) switched on all the time is contributing anyway to the production of carbon and that separating out the individual contribution of emails is difficult. It could also be argued that game and video streaming and cloud storage have more of a negative impact than sending emails.

What Does This Mean For Your Business?

Many bigger businesses and big tech businesses try, where possible, to reduce any obvious environmental impact but also rely upon carbon offsetting and the funding of environmental projects.  Google, for example, says that, due to carbon offsetting, it became carbon neutral in 2007, has now compensated for all of the carbon it has ever created and plans to run all of its data centres on carbon-free energy by 2030. Organisations such as Friends of the Earth which points out that “in most cases, it seems clear that carbon offsetting doesn’t work in practice” and Greenpeace which says that “the way out of the climate emergency is just not that simple” and that “Offsetting projects simply don’t deliver what we need” are clearly more sceptical about offsetting.

Reducing the numbers of “unnecessary” emails sent sounds like a good, time-saving and hopefully, energy-saving idea anyway, but businesses clearly need to look at the bigger picture and concentrate more on higher-impact elements too.

The Difference Between Cloud Backup and Cloud Storage

This article looks at the difference between cloud backup and cloud storage and how each contributes to daily business life; business continuity and disaster recovery.

The Need For Storage

Businesses not only have limited hard drive space, but they are also having to deal with an increasing amount of data (primary and secondary), comply with stricter data regulations (GDPR) and are facing more security threats i.e. more criminals working in more sophisticated ways to steal company data.  In addition to these challenges, as highlighted by 2020’s pandemic, more businesses have employees in different locations (working from home) but who still need work apps and data and information to be stored, synchronised, made secure and yet be accessible for work use (and for collaboration).

With this in mind, some of the reasons why cloud storage is now not only popular but vital for businesses include:

– It avoids the risk of data being lost to hardware/server failure/damage, outages and/or file corruption, the effects of environmental/natural disasters e.g. fire and flood, or damage to/theft of storage media e.g. USB drives or external hard drives.

– Cost efficiency. Cloud storage is relatively cost-efficient and the expense and responsibility of upgrading the storage hardware, data-centres and more rests with the cloud provider.  Also, the customer saves in terms of expertise required in-house and resources (time and staff) that would have been needed to maintain its own cloud storage.

– Lower energy consumption. The energy savings of using the cloud add to the efficiencies mentioned above and can help bring ‘green’ benefits.

– Scalability and flexibility. It is relatively easy and fast to up-scale (or down-scale) in cloud storage capacity.

– Usability and accessibility. Cloud services typically come with an easy-to-use user interface and drag and drop, and help/support is available. With cloud storage, data can be accessed from any device and any part of the world.

– Increased capabilities. Cloud platforms and the apps and flexible storage that they support can boost a company’s capabilities thereby contributing to its competitiveness.

– Synchronisation. Cloud storage data can be synchronised with any device.

– Centralisation and better control.  Having a centralised, synchronised, up to date copy that everyone can work on enables better data management and helps with day to day efficiency.

– Automation and convenience. Cloud storage only requires clicks from the customer rather than having to set up and swap around hardware solutions (removable hard drives or USBs).

– Supports multiple users. The same cloud environment can have more than one usage and it allows multiple users to work collaboratively on a common file.

– Security. Cloud storage provides compliant (GDPR), safe and secure storage for company data.

The Need For Backup

Things can (and often do) go wrong with company systems, data, platforms, and hardware. Theft, loss, natural disasters, cyber-attacks, data breaches, important 3rd-party supplier failure or the loss of key employees, and less serious digital events that cause business disruption mean that companies need to ensure, for the purposes of business continuity and disaster recovery, that a recent backup (copy) of data is available. Backups are essential files that enable a full restore, and as such are an important element of ongoing good practice. The cloud also offers a convenient backup location for the apps that the business uses as these are also vital parts of the day-to-day running of a business. Although the Cloud is not the only way to back up data i.e. store a copy of data, it is now the preferred method for many of the reasons mentioned in the previous section (about cloud storage).

The Difference

The basic difference between cloud backup and cloud storage is, therefore, that cloud backup is a service where data and apps on a business’s servers are backed up on a remote server so that a recent copy can be reinstated in the event of problems such as an outage, system failure, a debilitating cyberattack or natural disaster i.e. it provides a way for files to be restored in the event of data loss. Cloud backup is therefore strongly linked to business continuity and disaster recovery (and the plans for both).

Cloud storage is really a way to supplement and give greater flexibility to the business’s hard drive space and make it easier to access and edit files from different devices, from any location.

Cloud Types

The different types of cloud storage offer different benefits and businesses can choose which type or which combination suits their needs. For example:

– The Private Cloud (internal/enterprise cloud), as the name suggests, is inside the organisation, the resources are not shared with other organisations and are protected from the outside by a firewall.

– The Public Cloud is available to all, mainly paid-for, through third-party services from providers such as Amazon Web Services (AWS), Microsoft Azure and more, and the resources are shared with multiple other public cloud users. Public cloud services are now extremely popular with businesses. Research by the Synergy Research Group (2019) shows that cloud-associated markets, such as the public cloud, are growing at rates ranging from 10% to over 40% and the annual spending on the cloud may double in four years.  Big growth cloud infrastructure segments are infrastructure as a service (IaaS) and platform as a service (PaaS) with a massive 44% growth rate.

– The Hybrid Cloud is, therefore, a mixture of on-premises, private cloud and third-party, public cloud services, with cross-over between the two.

Remote Working

The remote working resulting from the pandemic restrictions has not only emphasised the value of the cloud for storage, backup, communication and collaborative working but has also translated into a big boost in spending on the public cloud, which is forecast to grow by 6.3 per cent in 2020 to $257.9bn, up from $242.7bn last year (Gartner).

Although software as a service (SaaS) is expected to remain the largest market segment, the desktop-as-a-service (DaaS) segment, although relatively small, is forecast to experience a boost in spending (from $616m worldwide in 2019) due to the fact that it offers an inexpensive way for organisations with large numbers of remote workers to enable staff to securely access enterprise applications from multiple devices and locations.  This has proven to be particularly valuable during the lockdown and beyond.

In Summary

Cloud storage, therefore, provides many benefits over more traditional, less secure or scalable alternatives and use of the cloud also makes it easier for businesses to ensure that valuable work and data assets are backed-up effectively and regularly just in case they are needed. One lesson that this year has taught businesses is that the unexpected can happen and this emphasises not just the value of the cloud to business operations, but also the value of the cloud to business continuity, disaster recovery planning and how cloud backups feed into these.
