CIOReview | December 2019 | Page 8

IN MY OPINION

UTILIZING A ZERO TRUST MODEL IN AN EXTENSIVE BYOD ENVIRONMENT

By Stephen G. Fridakis, PhD, CISO, Weight Watchers

Early in my tenure with my current employer I faced the challenge of accommodating thousands of part-time employees and franchisees who were using their own devices to connect to sensitive applications and parts of our network. Obviously, I was familiar with vendor and employee hardware and software platforms allowed into organizational premises, but this scale was beyond anything for which I was prepared.

There are many advantages to allowing employees to use their own devices at the workplace. These include an increase in productivity, significant hardware and software acquisition savings, and familiarity. However, this practice also comes with many challenges. I knew I had to find a security model that would integrate well with the rest of the company and could be implemented without too much operational and technological burden.

The approach we chose was a "zero trust" model. In a network where a zero trust model is implemented, the assumption is that the environment is hostile and users and devices are never trusted. Furthermore, there is no trust distinction between internal and external networks. With this model, all access requests and devices are always verified with full logging and behavioral analytics.

The zero trust model makes no distinction between inside and outside the perimeter. Network transactions and requests for application or data set access are explicitly validated with user credentials, device identification, and other controls such as IP location and device posture. There is no default access to any component. The "least privilege" approach enforces access control to manage the risk of excessive user privilege. All
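The per-request validation described above can be sketched as a default-deny policy decision function. This is an added example, not code from the article or from the author's deployment; the roles, resources, device registry and country list are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed least-privilege policy: role -> resources it may reach.
# Anything not listed is denied (no default access).
POLICY = {"franchisee": {"pos-reports"}, "part_time": {"scheduling"}}
REGISTERED_DEVICES = {"dev-001": "alice", "dev-002": "bob"}  # constructed: device -> owner
ALLOWED_COUNTRIES = {"US", "CA"}                              # constructed IP-location rule

@dataclass
class Request:
    user: str
    role: str
    mfa_passed: bool       # outcome of credential verification
    device_id: str
    os_patched: bool       # device posture signals from the BYOD device
    disk_encrypted: bool
    ip_country: str
    on_corp_network: bool  # recorded, but deliberately never used as a trust signal
    resource: str

def decide(req: Request, audit: list) -> bool:
    """Validate every request explicitly; allow only if all checks pass."""
    checks = {
        "credentials": req.mfa_passed,
        "device_identity": REGISTERED_DEVICES.get(req.device_id) == req.user,
        "device_posture": req.os_patched and req.disk_encrypted,
        "ip_location": req.ip_country in ALLOWED_COUNTRIES,
        "least_privilege": req.resource in POLICY.get(req.role, set()),
    }
    failed = [name for name, ok in checks.items() if not ok]
    allowed = not failed
    # Full logging: allow and deny decisions both reach the audit trail,
    # which is what behavioral analytics would later consume.
    audit.append({"user": req.user, "device": req.device_id, "resource": req.resource,
                  "on_corp_network": req.on_corp_network,
                  "allowed": allowed, "failed": failed})
    return allowed

if __name__ == "__main__":
    log = []
    # Constructed requests: a compliant BYOD device, then an unpatched one "inside" the network.
    print(decide(Request("alice", "franchisee", True, "dev-001", True, True, "US", False, "pos-reports"), log))
    print(decide(Request("alice", "franchisee", True, "dev-001", False, True, "US", True, "pos-reports"), log))
    print(log[-1]["failed"])
```

Being on the internal network changes nothing in the decision: the second request is denied on posture alone, and the denial is logged with the reason.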