Connect with us

Business

Why dynamic authorisation is the key to unlocking true zero trust security

Source: Finance Derivative

by Gal Helemski, co-founder and CTO, PlainID

In little more than a decade, ‘zero trust’ has gone from an industry buzzword to the cornerstone of every cybersecurity programme worth its salt. The concept is a simple but effective one – trust makes you vulnerable, so nobody/nothing should be automatically trusted – and in today’s fast-paced, highly data-driven business world, it makes a lot of sense. But like so many things in life, the true effectiveness of zero trust lies in its implementation, and it is here where there remains room for improvement.

Trust must be earned, not given

Security programmes based on zero trust are designed to remove some of the key assumptions that make alternative approaches weak by comparison. Perhaps the best and most common example of such an assumption is that if someone logs into a network with certified user credentials, they are indeed who they claim to be (and will therefore operate responsibly at all times). As many organisations find out to their detriment, user credentials are all too easy to steal and/or lose, meaning the longer a set is used unchallenged, the higher the chance that they may become compromised by someone with malicious intent.

Security should match the way we work today

With the rise of remote working over the last few years making modern workplaces more fragmented than ever before, zero trust has become increasingly important. This is because the ‘walled garden’ approach that traditional perimeter security programmes rely on is no longer applicable to most organisations, particularly those with large, highly dispersed workforces.

Instead, zero trust architecture focuses around one key decision – whether to grant, deny or revoke access to a resource, each and every time a user requests it. While there are a variety of ways to implement this, the U.S. National Institute of Standards and Technology (NIST) has set out a useful framework that emphasises zero trust should never be an exclusive agent of the network alone. Instead, for zero trust to be fully implemented, it must apply three levels of access control:

  1. Access to the network
  2. Access to applications
  3. Access to intra-application assets.

Without this kind of approach, true zero trust protection simply can’t be achieved. Why? Because of the dynamic nature of risk. Today’s digital enterprises are driven by intricate environments containing hundreds of applications, numerous different systems, hybrid legacy and “cloudified,” microservices-driven infrastructures. Such environments support hundreds — or even thousands — of continually evolving roles, which require the constant creation of new access scenarios.

Zero trust technology is still maturing

The good news for security professionals is that there’s an ever-growing range of powerful technologies now available that address some of the basic tenets of zero trust, particularly around advanced authentication and network access control.

However, these technologies still do not address each of the three critical levels of zero trust access control. In fact, the current focus of available zero trust offerings is primarily on the network and does not include adequate reference to, nor support for, zero trust at the application level, or within applications themselves.

For instance, the solutions that are most heavily touted as supporting zero trust include gateway integration and segregation, secure access service edge (SASE), and secure SD-WAN. The problem is, these are all focused on network-centric zero trust when what’s really needed is a solution that addresses each of the three access control levels in turn.

Dynamic authorisation holds the key

For many, the solution is dynamic authorisation – an advanced approach that grants fine-grained access to resources, including data assets, application resources, and any other asset based on the specific context of that session, in real-time.

Dynamic authorisation completes zero trust by powering two of the main processes that are vital to its full and complete realisation: runtime authorisation enforcement and high levels of granularity. When a user attempts to access a network, application or assets within an application, this initiates the evaluation and approval process that focuses on a range of key attributes, including:

  • User level attributes – such as current certification level, role and responsibilities, and whether they can access confidential and personally identifiable information (PII)
  • Asset attributes – such as data classification, location assignments and any relevant metadata
  • The location that a user is authenticating from – including whether from an internal or an external system
  • The number of authentication factors being used – i.e. with single, two factor or multifactor authentication
  • Additional external attributes – such as the risk level of the system and more

The policy engine evaluates each of these and all other relevant attributes, before making a real-time decision on whether to grant access. Furthermore, each time access is attempted, a new decision is made. This process is designed to be extremely granular, evaluating all the attributes that are updated to that specific point in time, as well as the real-time context and environment, rather than attributes that were already predefined by the application.

The business landscape is rapidly evolving, which means cybersecurity must as well. Many organisations have already recognised the importance of a zero trust approach for keeping sensitive data safe in increasingly fragmented working environments. However, the way it is implemented is critical to overall effectiveness. By using dynamic authorisation to address each of the three levels of zero trust access control (access to the network, applications and intra-application assets) business leaders can be confident that users accessing sensitive data are not only who they claim to be, but that they also have the right to do so.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Business

Driving business success in today’s data-driven world through data governance

Source: Finance derivative

Andrew Abraham, Global Managing Director, Data Quality, Experian

It’s a well-known fact that we are living through a period of digital transformation, where new technology is revolutionising how we live, learn, and work. However, what this has also led to is a significant increase in data. This data holds immense value, yet many businesses across all sectors struggle to manage it effectively. They often face challenges such as fragmented data silos or lack the expertise and resources to leverage their datasets to the fullest.

As a result, data governance has become an essential topic for executives and industry leaders. In a data-driven world, its importance cannot be overstated. Combine that with governments and regulatory bodies rightly stepping up oversight of the digital world to protect citizens’ private and personal data. This has resulted in businesses also having to comply e with several statutes more accurately and frequently.

We recently conducted some research to gauge businesses’ attitudes toward data governance in today’s economy. The findings are not surprising: 83% of those surveyed acknowledged that data governance should no longer be an afterthought and could give them a strategic advantage. This is especially true for gaining a competitive edge, improving service delivery, and ensuring robust compliance and security measures.

However, the research also showed that businesses face inherent obstacles, including difficulties in integration and scalability and poor data quality, when it comes to managing data effectively and responsibly throughout its lifecycle.

So, what are the three fundamental steps to ensure effective data governance?

Regularly reviewing Data Governance approaches and policies

Understanding your whole data estate, having clarity about who owns the data, and implementing rules to govern its use means being able to assess whether you can operate efficiently and identify where to drive operational improvements. To do that effectively, you need the right data governance framework. Implementing a robust data governance framework will allow businesses to ensure their data is fit for purpose, improves accuracy, and mitigates the detrimental impact of data silos.

The research also found that data governance approaches are typically reviewed annually (46%), with another 47% reviewing it more frequently. Whilst the specific timeframe differs for each business, they should review policies more frequently than annually. Interestingly, 6% of companies surveyed in our research have it under continual review.

Assembling the right team

A strong team is crucial for effective cross-departmental data governance.  

The research identified that almost three-quarters of organisations, particularly in the healthcare industry, are managing data governance in-house. Nearly half of the businesses surveyed had already established dedicated data governance teams to oversee daily operations and mitigate potential security risks.

This strategic investment highlights the proactive approach to enhancing data practices to achieve a competitive edge and improve their financial performance. The emphasis on organisational focus highlights the pivotal role of dedicated teams in upholding data integrity and compliance standards.

Choose data governance investments wisely

With AI changing how businesses are run and being seen as a critical differentiator, nearly three-quarters of our research said data governance is the cornerstone to better AI. Why? Effective data governance is essential for optimising AI capabilities, improving data quality, automated access control, metadata management, data security, and integration.

In addition, almost every business surveyed said it will invest in its data governance approaches in the next two years. This includes investing in high-quality technologies and tools and improving data literacy and skills internally.  

Regarding automation, the research showed that under half currently use automated tools or technologies for data governance; 48% are exploring options, and 15% said they have no plans.

This shows us a clear appetite for data governance investment, particularly in automated tools and new technologies. These investments also reflect a proactive stance in adapting to technological changes and ensuring robust data management practices that support innovation and sustainable growth.

Looking ahead

Ultimately, the research showed that 86% of businesses recognised the growing importance of data governance over the next five years. This indicates that effective data governance will only increase its importance in navigating digital transformation and regulatory demands.

This means businesses must address challenges like integrating governance into operations, improving data quality, ensuring scalability, and keeping pace with evolving technology to mitigate risks such as compliance failures, security breaches, and data integrity issues.

Embracing automation will also streamline data governance processes, allowing organisations to enhance compliance, strengthen security measures, and boost operational efficiency. By investing strategically in these areas, businesses can gain a competitive advantage, thrive in a data-driven landscape, and effectively manage emerging risks.

Continue Reading

Auto

The Benefits of EV Salary Sacrifice: A Guide for Employers and Employees

As the UK government continues to push for greener initiatives, electric cars have become increasingly popular. The main attraction for both employers and employees is the EV salary sacrifice scheme.

By participating in an EV salary sacrifice scheme, both employers and employees can enjoy cost savings and contribute to environmental sustainability along the way! This article will delve into the specifics of how these schemes operate, the financial advantages they offer, and the broader positive impacts on sustainability.

We will provide a comprehensive overview of the mechanics behind EV salary sacrifice schemes and discuss the various ways in which they benefit both employees and employers, ultimately supporting the transition to a greener future in the UK.

What is an EV Salary Sacrifice Scheme?

An EV salary sacrifice scheme is a flexible financial arrangement that permits employees to lease an EV through their employer. The key feature of this scheme is that the leasing cost is deducted directly from the employee’s gross salary before tax and National Insurance contributions are applied. By reducing the taxable income, employees can benefit from substantial savings on both tax and National Insurance payments. This arrangement not only makes EVs more affordable for employees but also aligns with governmental incentives to reduce carbon emissions.

For employers, implementing an EV salary sacrifice scheme can lead to cost efficiencies as well. The reduction in National Insurance contributions on the employee’s reduced gross salary can offset some of the costs associated with administering the scheme. Additionally, such programmes can enhance the overall benefits package offered by the employer, making the company more attractive to prospective and current employees.

Benefits for Employees

1. Tax and National Insurance Savings

By opting for an EV salary sacrifice scheme, employees can benefit from reduced tax and National Insurance contributions. Since the lease payments are made from the gross salary, the taxable income decreases, resulting in substantial savings.

2. Access to Premium EVs

Leading salary sacrifice car schemes often provide access to high-end electric vehicles that might be otherwise unaffordable. Employees can enjoy the latest EV models with advanced features, contributing to a more enjoyable and environmentally friendly driving experience.

3. Lower Running Costs

Electric vehicles typically have lower running costs compared to traditional petrol or diesel cars. With savings on fuel, reduced maintenance costs, and exemptions from certain charges (such as London’s Congestion Charge), employees can enjoy significant long-term financial benefits.

4. Environmental Impact

Driving an electric vehicle reduces the carbon footprint and supports the UK’s goal of achieving net-zero emissions by 2050. Employees can take pride in contributing to a cleaner environment.

Benefits for Employers

1. Attract and Retain Talent

Offering an EV salary sacrifice scheme can enhance an employer’s benefits package, making it more attractive to potential recruits. It also helps in retaining current employees by providing them with valuable and cost-effective benefits.

2. Cost Neutrality

For employers, EV salary sacrifice schemes are often cost-neutral. The savings on National Insurance contributions can offset the administrative costs of running the scheme, making it an economically viable option.

3. Corporate Social Responsibility (CSR)

Implementing an EV salary sacrifice scheme demonstrates a commitment to sustainability and corporate social responsibility. This can improve the company’s public image and align with broader environmental goals.

4. Employee Well-being

Providing employees with a cost-effective means to drive electric vehicles can contribute to their overall well-being. With lower running costs and the convenience of driving a new EV, employees may experience reduced financial stress and increased job satisfaction.

How to Implement an EV Salary Sacrifice Scheme

1. Assess Feasibility

Evaluate whether an EV salary sacrifice scheme is feasible for your organisation. Consider the number of interested employees, potential cost savings, and administrative requirements.

2. Choose a Provider

Select a reputable provider that offers a range of electric vehicles and comprehensive support services. Ensure they can handle the administrative tasks and provide a seamless experience for both the employer and employees.

3. Communicate the Benefits

Educate your employees about the advantages of the scheme. Highlight the financial savings, environmental impact, and access to premium EV models. Provide clear guidance on how they can participate in the programme.

4. Monitor and Review

Regularly review the scheme’s performance to ensure it continues to meet the needs of your employees and the organisation. Gather feedback and make adjustments as necessary to enhance the programme’s effectiveness.

Conclusion

The EV salary sacrifice scheme offers a win-win situation for both employers and employees in the UK. With significant financial savings, access to premium vehicles, and a positive environmental impact, it’s an attractive option for forward-thinking organisations. By implementing such a scheme, employers can demonstrate their commitment to sustainability and employee well-being, while employees can enjoy the benefits of driving an electric vehicle at a reduced cost.

Adopting an EV salary sacrifice scheme is a step towards a greener, more sustainable future for everyone.

Continue Reading

Business

Machine Learning Interpretability for Enhanced Cyber-Threat Attribution

Source: Finance Derivative

By: Dr. Farshad Badie,  Dean of the Faculty of Computer Science and Informatics, Berlin School of Business and Innovation

This editorial explores the crucial role of machine learning (ML) in cyber-threat attribution (CTA) and emphasises the importance of interpretable models for effective attribution.

The Challenge of Cyber-Threat Attribution

Identifying the source of cyberattacks is a complex task due to the tactics employed by threat actors, including:

  • Routing attacks through proxies: Attackers hide their identities by using intermediary servers.
  • Planting false flags: Misleading information is used to divert investigators towards the wrong culprit.
  • Adapting tactics: Threat actors constantly modify their methods to evade detection.

These challenges necessitate accurate and actionable attribution for:

  • Enhanced cybersecurity defences: Understanding attacker strategies enables proactive defence mechanisms.
  • Effective incident response: Swift attribution facilitates containment, damage minimisation, and speedy recovery.
  • Establishing accountability: Identifying attackers deters malicious activities and upholds international norms.

Machine Learning to the Rescue

Traditional machine learning models have laid the foundation, but the evolving cyber threat landscape demands more sophisticated approaches. Deep learning and artificial neural networks hold promise for uncovering hidden patterns and anomalies. However, a key consideration is interpretability.

The Power of Interpretability

Effective attribution requires models that not only deliver precise results but also make them understandable to cybersecurity experts. Interpretability ensures:

  • Transparency: Attribution decisions are not shrouded in complexity but are clear and actionable.
  • Actionable intelligence: Experts can not only detect threats but also understand the “why” behind them.
  • Improved defences: Insights gained from interpretable models inform future defence strategies.

Finding the Right Balance

The ideal model balances accuracy and interpretability. A highly accurate but opaque model hinders understanding, while a readily interpretable but less accurate model provides limited value. Selecting the appropriate model depends on the specific needs of each attribution case.

Interpretability Techniques

Several techniques enhance the interpretability of ML models for cyber-threat attribution:

  • Feature Importance Analysis: Identifies the input data aspects most influential in the model’s decisions, allowing experts to prioritise investigations.
  • Local Interpretability: Explains the model’s predictions for individual instances, revealing why a specific attribution was made.
  • Rule-based Models: Provide clear guidelines for determining the source of cyber threats, promoting transparency and easy understanding.

Challenges and the Path Forward

The lack of transparency in complex ML models hinders their practical application. Explainable AI, a field dedicated to making models more transparent, holds the key to fostering trust and collaboration between human and machine learning. Researchers are continuously refining interpretability techniques, with the ultimate goal being a balance between model power and decision-making transparency.

Continue Reading

Copyright © 2021 Futures Parity.