{"id":2953,"date":"2022-04-08T16:12:37","date_gmt":"2022-04-08T20:12:37","guid":{"rendered":"https:\/\/indigocanada.wpengine.com\/?p=2769"},"modified":"2022-11-08T16:16:59","modified_gmt":"2022-11-08T21:16:59","slug":"ten-best-practices-for-embracing-zero-trust-iam","status":"publish","type":"post","link":"https:\/\/www.indigoconsulting.ca\/fr\/blog\/ten-best-practices-for-embracing-zero-trust-iam\/","title":{"rendered":"Ten best practices for embracing Zero Trust IAM"},"content":{"rendered":"
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

\"\"<\/p>

The world has changed a lot in the past two years. And while there’s still little certainty about what the future may bring, one thing <\/span>is <\/span><\/i>clear. There’s no going back to the way things used to be.\u00a0<\/span><\/p>

For better or worse, this is the new normal. A landscape defined by digitization and distributed work. On the one hand, this is excellent \u2014 it creates new revenue streams, improves productivity across the board, and has the potential to revolutionize how businesses operate.\u00a0<\/span><\/p>

On the other hand, it’s also fraught with risk. Threat surfaces are now more expansive and complex than they’ve ever been. Cybercriminals have wasted no time seizing the opportunity.<\/span><\/p>

Last year, for instance, <\/span>software-based supply chain attacks hit three out of five companies<\/span><\/a>. This resulted in some of the highest-profile breaches in recent memory, including Solarwinds, Microsoft Exchange, and Colonial Pipeline. At the same time, criminals modernized and streamlined their own infrastructure and approach, with ransomware-as-a-service platforms reaching greater market penetration than ever before.\u00a0<\/span><\/p>

In such a climate, traditional access controls are no longer sufficient. The security perimeter of yesteryear is obsolete; device and password-based authentication cannot protect critical assets on their own. To survive, businesses must adopt a new, identity-based approach to access management.<\/span><\/p>

Zero trust represents a cornerstone of that framework. It is the bread-and-butter of Identity and Access Management (IAM), a pillar of cybersecurity in a distributed, post-COVID world. It also isn’t something you can apply without planning, knowledge, and foresight.\u00a0<\/span><\/p>

To that end, let’s go over ten major best practices underlying the effective application of zero trust.<\/span><\/p>

\u00a0<\/h2>

Always Verify<\/b><\/span><\/h2>

Traditional access management is predicated on the idea that some devices and users are implicitly trustworthy. Their access is unquestioned and their privileges are unchallenged. Zero trust turns this idea on its head.\u00a0<\/span><\/p>

In a zero trust framework, there’s no such thing as implicit trust. Every device, no matter where and how it connects, must be actively verified and monitored. The same is true of every user \u2014 not even your own administrators are above reproach in this framework, nor should they be.<\/span><\/p>

\u00a0<\/h2>

Multi-Factor Authentication (MFA) is a Must<\/b><\/span><\/h2>

On the topic of verification, the more layers of authentication in your sign on process, the better. Each layer represents another barricade with which criminals must contend. Another potential stopping point for anyone trying to gain unauthorized access to your network.\u00a0<\/span><\/p>

SMS codes represent the most common type of MFA. However, they are the least secure option by far. Much has already been written about the security failings of SMS, which is <\/span>vulnerable to everything from spoofing to SIM swapping<\/span><\/a>. Instead, you should maintain mindset that authenticating factors all fall under one of the following umbrellas, and a strong approach to MFA requires one or more from each:\u00a0<\/span><\/b><\/p>