By Bob Michaud, Chief Security Officer, Q2
October is Cybersecurity Awareness Month, and Q2 is proud to be a cybersecurity awareness champion. This week, I continue our blog discussion with a focus on Q2’s award-winning zero-trust security strategies.
Since the genesis of information security, trust has remained an essential function built into the fabric of environments. As the information security age evolved and became more distributed, the notion of trust has grown alongside it. No longer is just a user code and password sufficient to break into systems. Determining a person’s physical location and additional information about them before allowing access has become common. Additionally, extra protection, such as firewalls, is used to prevent outsiders and external threats from gaining access to vulnerable systems.
With the advent of mobile computing and the growth of mobile workforces, the trust notion has shifted, creating new challenges. And with the adoption of a distributed cloud model, the ways of sharing information have dramatically increased the risk of sensitive data being exposed.
With all the changes developing over the last few years, a new mindset is being adopted at Q2. Zero-trust strategies build a security model based on the principle of maintaining strict access controls and not trusting anyone by default, even those already inside the network perimeter.
This week, I interviewed Q2’s Chief Availability Officer Lou Senko, the architect of our zero-trust framework. When discussing Q2’s zero-trust strategy with Lou, I asked him how the new framework fits into our security pillars. His response was intriguing. “You start with people.” Q2 has focused on evolving the organization by building a foundation of great talent, amplifying their reach and influence, and establishing Q2 as a thought leader.
Lou explained that Q2’s zero-trust implementation is focused on identity, zero-trust network access (ZTNA), and ensuring that the 2,000 Q2 employees working around the globe have increased productivity – not risk. Initially focused on our private cloud, where much of our customers’ personally identifiable information (PII) data is contained. We now extend those same principles to public cloud environments, where the access is different, and the responsibilities around infrastructure are shared. Still, based on the principles of continuous authentication and the policy that no authorization carries to the subsequent request, access to our public cloud infrastructure is simply another extension from the same control points. It means access must be gained from a hardened, Q2-managed endpoint (more on that in a bit). Then, users must also leverage multifactor authentication to access the corporate network first. Then, they must again use multifactor authentication with different credentials to access a hosting environment, which is locked down to allow access from our corporate network only. Access to the hosting environment is buffered from production with a jump box virtual desktop or a bastion Unix pivot point. Rolling out our privilege access management (PAM) solution to remove all standing credential access to any asset provides better security. It focuses a secondary control point where (even though users leverage multifactor authentication to access the environment with authorized credentials) they must request access to any asset when needed again, which is completely audited. Once a user logs off, all access to that asset is removed.
I hope you’ll return and read next week’s blog. I’ll share the next security pillar in securing the emerging innovation of the distributed cloud, Q2’s award-winning Secure Access Service Edge (SASE) architecture.
Thank you, and happy Cybersecurity Awareness Month!
