In a recent podcast interview with Hillarie McClure, Multimedia Director of Cybercrime Magazine, Robert E. Johnson III, Cimcor CEO/President, discusses how organizations can get started in their Zero Trust journey. The podcast can be listened to in its entirety below.
Welcome to The Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
Q: Hey, Robert, Welcome back! So great to be speaking with you.
A: Thank you, Hillary. I appreciate the opportunity to be on your show, you know, one more time.
Q: Robert, we've discussed Zero Trust a lot, and of course, why it's essential. But there still seems to be some confusion in implementing the strategy of Zero Trust. So my first question for you today, Robert, is: Where is the disconnect?
A: You hit upon a really interesting question here. I believe that much of the confusion occurs because at this point, there's almost too much information about Zero Trust coming out at once and it's all being provided without any context, probably too much information coming from vendors, to be honest. And it's all opinion and nothing's really referencing a specific standard related to Zero Trust. So it becomes a little confusing, and it's really difficult.
It's very difficult, in fact, for organizations to get their bearings and to understand. What do they really need to do to implement a Zero Trust strategy? What's real versus some marketing or vendor perspective of what needs to be done? So but anyway, with all of those different opinions and products and conflicting information. You know, last time I went to RSA when I walked through the show. Every vendor pretty much had a sign up saying, "I'm a Zero Trust tool." "I'm a Zero Trust product." How is that even possible? So when you're faced with that, to me, no wonder that folks are confused.
Q: Yeah, definitely. I saw that everywhere at RSA this past June, and I thought the same thing. So thank you for clearing that up. I guess, my next question for you, Robert, is so that you know there there are a lot of people out there that looking to implement a Zero Trust strategy because it is very, you know, effective. But I guess, what can they do to get started? What are the first steps they should take? I think there's still a lot of confusion even just there on how to start.
A: Right. Well, I believe the best starting place is actually far away from cybersecurity vendors. I believe you need to start with some of the great documentation produced by the National Institute of Science and Technology. I'm speaking specifically of NIST Special Publication, 800-207. This document actually explains Zero Trust in an unbiased, vendor-agnostic matter and I believe that this is a very well-written document and they do a great job of breaking down Zero Trust into 7 core requirements or tenets, or some people say pillars.
As a recap of what those 7 pillars are is that:
- All data, sources, and computing services are considered resources.
- All communication is secured regardless of the network location.
- Access to individual enterprise resources is granted on a per-session basis
- Access to resources is determined by a dynamic policy.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed
- The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications, and uses it proactively to improve its security posture.
So those are the 7 tenants out of NIST Special Publication 800-207. So I believe that that document is the best starting point for anyone starting to jump into the Zeo Trust strategy process. The document goes into great deal in each of those tenants and provides a great basis for you to develop your entire Zero Trust strategy.
You will see, as you reflect on what's available in the market, that there is no silver bullet, and there is no single product that will enable or basically Zero Trust enable your entire organization. You will need to select a set of tools that are most appropriate for your organization as you begin your entire journey on Zero Trust.
Q: Okay. So, as you just mentioned, there's not a single solution that can implement Zero Trust. But my final question for you, Robert, is, you know: Are there any specific tools that you would want to call out that can help manage the process of implementing a Zero Trust strategy?
A: Well, I believe that just managing that process is something that the folks in your audience can actually do once they understand what it actually entails. I know they can handle it and I know that your audience can be successful implementing the Zero Trust strategy once they have access to the proper information. At Cimcor, we're really focused on helping enterprises implement a strong foundation for Zero Trust. Our product, CimTrak, is a system integrity assurance tool that provides all of the capabilities required to meet Tenant Number 5 of the NIST Special Publication 800-207. Again Tenet Number 5 was the one that recommended their organizations monitor the integrity of assets and the security posture of assets. The CimTrak Integrity Suite allows you to do both. CimTrak can detect unexpected and unwanted changes to servers and network devices, cloud resources, and active directory, and much more. In addition, CimTrak can help you harden your systems according to CIS Benchmarks and DISA STIGs and also measure how you're doing related to other compliance initiatives such as or, compliance frameworks, such as the CIS Controls, or PCI. On top of it all, CimTrak allows you to continuously monitor if your systems have drifted away from this secure and hardened configuration. So we have many resources available on our website for free regarding Zero Trust. We want your audience members to have the opportunity to learn about it, so we're providing as many resources as possible, directly on our website.
Just visit us at www.cimcor.com, and it's C as in cat, I M C O R.com.
Now, once you're there. You can also sign up for the CimTrak Integrity Suite and to just try it. Try it within your own organization.
Again, the website is www.cimcor.com and we will love to help your audience members accelerate their journey to Zero Trust by laying down this strong foundation based on integrity that aligns directly with Tenant Number 5, as recommended by NIST.
Q: Robert, thank you so much for taking the time to you know, out of your busy schedule to speak with me. I really enjoyed our conversation, and I'm looking forward to future conversations with you.
A: Same, Hillarie. I always enjoy our chats, and I definitely look forward to the next set of topics that you put before me.
January 19, 2023