News

Modern Security Best Practices from a Front-Line Expert

In today's rapidly evolving cybersecurity landscape, IT infrastructure is under constant siege from increasingly sophisticated threats. Ransomware, insider attacks, and supply chain vulnerabilities have escalated in both frequency and impact, leaving organizations scrambling to fortify their defenses. At the same time, the shift to hybrid work, cloud adoption, and AI-driven threats can make some traditional security models obsolete, demanding a more proactive and adaptive approach.

Zero Trust has emerged as a critical strategy here, emphasizing continuous verification and least-privilege access to mitigate risks before they escalate. And Zero Trust was a focal point in an online tech education summit session presented by John O'Neill Sr., a seasoned, front-line expert in Cybersecurity who serves as Chief Innovation Officer with Azure Innovators.

John's session, "Modern Security Best Practices," was just one part of a half-day, expert-led session titled "IT Security Trend Watch Summit: The Biggest Infrastructure Threats to Know," now available for on-demand replay.

"Ransomware has just become this huge elephant barging around the room, crushing anything it runs into. And that means that we really have to up our game when it comes to ransomware and ransomware as a service, similar things like that."

John O'Neill Sr., Chief Innovation Officer with Azure Innovators

John's hour-long session, complete with answering questions from a large online audience, covered a range of topics too big to list here, but following is a summary of some highlights.

Zero Trust Architecture
"This is one of the very important topics that all of us are really going for," John said." We see it in requests from partners and customers for our organization to verify how we're implementing Zero Trust, whether it be Zero Trust, networking architecture, overarching Zero Trust principles, that sort of thing."

Zero Trust Architecture
[Click on image for larger view.]

He explained how Zero Trust has evolved from a nebulous concept a few years ago into an absolute necessity, these days, describing it as still beautifully simple in its core principle of "never trust, always verify."

That evolution has resulted in an IT culture shift, which he defined: "It's the understanding that moving beyond perimeter based security is essential to success. We have organizations like Aetna implementing ZTA to reduce their attack surface surface and in some of the data that I've read, they reduced it by up to 86%, which is a huge shrinking of that attack surface. And it has a corollary to a reduction of security incidents by 68% over the course of a year."

Here are a couple key highlights:

  • Take Zero Trust absolutely to heart and make it part of your core security initiatives for this year and beyond. You don't have to go big and redo everything, but you do need to make consistent wins. So don't do what I've seen a lot, which is where folks go in and they go, 'Oh, it's just too big.' They get too big and they get overwhelmed, and they kind of spin in place. Just break it down as much as you need to, as small a task as you need to, to be able to define definitive actions you can take resources you can assign, and metrics you can measure so that you can get in there and get a win.
  • Increase your ZTA implementation, no matter how small, and then continue to do that over and over again, you'll be amazed at how quickly you will look back and see the increase in your security profile. So it's kind of like the edge that pennies add up, small wins become medium, wins become large, wins over time. So don't spin in place. Just get what you can get.

Key components of implementing Zero Trust include:

  • Identity and access management (IAM) foundation
  • Network segmentation with secure zones
  • Real-time monitoring and analytics
  • Device security and health verification
  • Data classification and protection

Those are fleshed out in the presentation.

Multi-Factor Authentication (MFA)
This has become a key component of modern cybersecurity, as this reporter, who moderated the event, nowadays has to constantly confirm some access code on my phone when I log into company systems for the umpteenth time, just like probably everyone else. John even characterized my gripes as "MFA fatigue." As frustrating as that is to me and other users, it's a necessary step in today's threat landscape.

Multi-Factor Authentication (MFA)
[Click on image for larger view.]

John noted MFA's ubiquity these days, and offered some advice.

"I won't go into as much detail, just because I know that many of us have already gone on this. Just understand that it's absolutely essential, not just for modern security, but to comply with most modern cyber insurance policies, audit requirements for financial control, all those different kinds of things. So if you're not doing MFA across the board, I suggest you design a strategy and a tactical plan to get that done, because that's huge. Now, passwordless is a great evolution of MFA.

He noted Microsoft's Entra ID platform support for passwordless. "That's going to be a huge help as we try and combat things like MFA fatigue that our users are seeing, and different stuff along with that. But you definitely want to make sure that you're implementing MFA across the board. It's not just for the IT team, the finance team. I mean, we're talking customer facing employees. We're talking partners who are connecting into your systems. Every identity should use MFA where possible."

Watch the on-demand replay to get his comments on advanced MFA methods including:

  • Hardware security keys (FIDO2/U2F)
  • Biometric authentication advances
  • Push notifications vs. one-time passcodes
  • Certificate-based authentication
  • Passwordless authentication strategies

While those are just two of John's modern security best practices, the on-demand replay will provide expert advice on many other topics, including endpoint security best practices, remote work security considerations, cloud security and more. The summit also features a presentation by Ian Thornton-Trump on "Top Emerging Attack Strategies," along with presentations and accompanying resources provided to the audience from sponsors of the summit, Okta and Wiz, who also presented sessions.

An important benefit of attending such events live (along with the chance to win a great prize raffle) is the ability to ask questions from the expert presenters, a rare opportunity to get one-on-one advice from experts coming directly from the front lines of cybersecurity.

With those factors in mind, here are some more free IT education presentations coming up from Virtualization & Cloud Review and sister publications.

About the Author

David Ramel is an editor and writer at Converge 360.

Featured

Most   Popular

Subscribe on YouTube