Briskinfosec - Global Cybersecurity Service Providers
ZeroTrust framework is a security concept centered on the belief that organization should not automatically trust anything inside and outside. ZTF push organization to make layered security approach because we don’t have no control over attacker’s capabilities and motivations, but you can make it harder for attackers by reducing vulnerabilities. ZTF establish security requirements and controls that focus on normalizing the functional and non-functional security controls required when designing, developing and testing modern technologies.
Goal of the Zero Trust Framework (ZTF) is to identify the Trust Dependencies (TD) of any Application and Network to minimize the same. Trust Dependencies (TD) can be like a mist of confidence on Application Developers, Code reference, Security appliance, Platforms, DevOps Engineers, Managers, Customers and Partners etc. ZTF encourage to identify each trust dependencies on the organization should build an independent IT environment.
Deploying a Zero Trust model puts the security team back in control of applications by making security automated, scalable and infrastructure agnostic. The goal of the Security Test/Penetration Test is to identify security issues such as Code issues, Misconfigure issues and Best Practices. Our recent BINT lab research found cause of all cybersecurity issues exists because of Trust.
Let me explain this way,
When Developer developing the payment gateway application, he passes the CHD (CARDHOLDER DATA) and CVV in plain text in POST request.
What is the trust behind it?
Here developer trusted users as they won’t intercept the request to see what data process on POST request as they can see GET request alone in their browser URL.
TD – Under estimating Users knowledge/Behavior
Our traditional way of Security Test/Penetration Test brings comprehensive penetration test report with recommendation. Sadly, 80% of Stakeholders do not learn the cause of the existing security issues and how to avoid shortly.
To address this area, ZTF recommends security consultants/Penetration Testers to audit Application/Network respective of ZTF guidelines (Web, Mobile and Network) and give recommendations along with their bespoke penetration test report. ZTF helps stakeholders to aware the root cause of security issues (Mist of Confidence/Trust) to identify an active process to mitigate the same.
Is ZTF is an Independent Framework Or Customizable?
ZTF is the customizable framework. Security consultants can incorporate international standards (ISO 27001, PCI:DSS, HIPAA and NIST etc.) based best practices to minimize the risk. Right policy and procedures are always recommended to reduce the Trust dependencies. ZTF framework can be adopted by any industry to avoid emergency/Hot Fix situation. ZTF framework allows organizations to improve the overall process of the business with the highest level of security.
Is It Possible To Conduct Independent Audit On ZTF Adoption
ZTF independent audit is possible with the Penetration Test/Security assessment reports with the various level of interviews with the stakeholders. Conducting ZTF audit without proper security assessment reports are not advisable.
Key Areas To Implement ZTF:
Key areas to implement ZeroTrust Framework differs on the organization.
Benefits Of ZTF