Last week I blogged on our multi-layered security approach. This approach keeps your customer experience safe while protecting against brand fraud. This week I’ll discuss a new approach to information security.

I live in the middle of America and grew up on a farm. Being from the Midwest meant you trusted people. At times you had to verify their trust, but in general, you had a trusting nature. As I grew up and left the Midwest, I had to change my notion of trust and actually make certain that people are trustworthy before I could trust them.

Since the dawn of information security, trust has been a fundamental element built into the fabric of the environment. As the information security landscape has grown up and become more distributed, the notion of trust has evolved. Trust is no longer just a user ID and password being sufficient to get into your systems. Now it is increasingly common to check where the person is and to verify additional information about them before allowing access. Additionally, extra protections such as firewalls are used to keep outsiders and external threats out of our systems.

With the advent of mobile computing and mobile workforces, establishing and maintaining trust has shifted and created challenges for IT teams worldwide. With the adoption of cloud computing and cloud applications, the means of sharing information has dramatically increased the risk of exposing sensitive data.

With all of the changes developing over the last few years, a new mindset is being adopted by many organizations: “zero trust.” Zero trust means any user or device trying to access confidential data cannot and should not be trusted by default, even if they work for the company.

When discussing zero trust with Bill Rodriguez, the leader of our Corporate IT team, I asked him how you go about implementing a zero trust framework. Bill's insights are below:

You probably wouldn’t let a random person into your home without questioning if they had a key and said, “My name is John and I have a key to come in."

As a business that serves hundreds of financial institutions and handles sensitive data for millions of users, how do we know a person making an authentication request is truly one of our team members and not a bad actor unless they validate their identity using the three core factors of authentication: something they know (a password), something they have (a device for multi-factor authentication), and something they are (by leveraging biometrics on their devices)?

The answer is a “zero-trust” security strategy.

A zero-trust security strategy isn’t about a lack of trust in our team members; it’s about “verify before you trust.”

We implement a zero-trust security architecture by phasing deployment to focus on the three core factors of authentication, implementing risk-based access policies that enable our users to validate their identities based on context, and enabling an adaptive authentication model that provides a frictionless experience to Q2 employees.

Okta is at the core of our zero-trust strategy. We are currently embarking on the journey of implementing the final stage of our zero-trust architecture to securely enable an adaptive global workforce to authenticate securely and seamlessly from anywhere and at any time.

There is a balance between security and convenience, but by implementing a zero-trust framework, you can significantly reduce the threats of data loss and insider threat risks while still providing easy and convenient access to your employees.
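As an added illustration of the risk-based, context-aware access policy Bill describes (this is example code, not Q2's or Okta's own implementation; the context fields, risk weights and factor thresholds are assumptions chosen for the example), here is a small policy evaluator that decides whether a request is allowed, must step up to another of the three core factors, or is denied outright.

```python
from dataclasses import dataclass

# The three core factors named in the post: know / have / are.
FACTORS = ("password", "mfa_device", "biometric")


@dataclass(frozen=True)
class AccessContext:
    """Constructed context for one authentication request (hypothetical fields)."""
    user: str
    factors: frozenset            # subset of FACTORS already satisfied
    device_managed: bool          # device enrolled in corporate management
    on_corporate_network: bool    # request originates from a trusted network
    resource_sensitivity: str     # "low" or "confidential"


def risk_score(ctx: AccessContext) -> int:
    """Nothing is trusted by default: every weak signal in the context adds risk."""
    score = 0
    if not ctx.device_managed:
        score += 2
    if not ctx.on_corporate_network:
        score += 1
    if ctx.resource_sensitivity == "confidential":
        score += 2
    return score


def required_factors(score: int) -> int:
    """Adaptive policy: the riskier the context, the more factors are demanded."""
    if score <= 1:
        return 1
    if score <= 3:
        return 2
    return 3


def evaluate_access(ctx: AccessContext) -> tuple[str, tuple[str, ...]]:
    """Return (decision, factors still to present); decision is allow, step_up or deny."""
    missing = tuple(f for f in FACTORS if f not in ctx.factors)
    unknown = ctx.factors - set(FACTORS)
    if unknown or "password" not in ctx.factors:
        # No knowledge factor at all, or a factor the policy does not recognise: refuse.
        return "deny", missing
    needed = required_factors(risk_score(ctx))
    satisfied = len(FACTORS) - len(missing)
    if satisfied >= needed:
        return "allow", ()
    # Step up: request only as many additional factors as the context demands.
    return "step_up", missing[: needed - satisfied]
```

A low-risk request (managed device, corporate network, low-sensitivity resource) passes with a password alone, while the same user reaching confidential data from an unmanaged device off the network is asked for all three factors.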

Join me next week as I discuss how Q2 goes about protecting a financial institution’s brand with our multi-layered security approach by detecting anomalous transactions.

Thank you and Happy Cyber Security Month.


Written by Q2