Posted in Security Architecture on May 7th, 2019
The first principle of ZeroTrust is to verify everything. It sounds like a simple thing but in reality it affects how you build software, use authentication, share documents etc. If we start at the development process the base is that you can never trust any data. You need to verify it, so it conforms to […]
Posted in Security Architecture on Apr 25th, 2019
So in my previous post I started to look very briefly into the history of ZeroTrust. From that we learned that the hackers evolved into using more efficient tools that could easily penetrate the network security. The obvious goal of ZeroTrust is to strengthen the security. Without those measures the risk of being a victim […]
Posted in Security Architecture on Apr 24th, 2019
What is ZeroTrust? The name has its root in Jericho 2.0 (see the books downloadable from this blog here) and can be roughly translated to: ‘You can never know who roams your network so verify all access all the time. Never trust what you can't verify.’ The implications of this affect the way we design […]
Posted in Security Architecture on Mar 20th, 2019
This might be interesting. A few hours ago I was contacted by a company that is providing consultancy within the automotive business. Apparently they have received a request for cybersecurity in car development and that is a completely new skillset for them so they have reached out to me to check if I'm the right […]
Posted in Security Architecture on Mar 15th, 2019
It is very interesting to see what happens when legal gets involved and starts reading paragraphs to the sourcing provider. Apparently we are now allowed to do more or less anything we want as long as we don't make changes to service accounts or restart the servers. We have just deployed Azure ATP at the […]
Posted in Security Architecture on Feb 20th, 2019
Following the discussion with legal after my previous post we have got some guidance to move forward. Apparently this was a common business practice from the service provider's side to minimise cost. When challenged by the legal department they quickly became more accommodating in helping us. This is something to take note of. Never allow […]
Posted in Security Architecture on Feb 2nd, 2019
Welcome to 2019, the year when we are supposed to know what we are doing. I'm currently experiencing an interesting situation with a customer. They have outsourced their AD to a service provider and right now I'm helping them to investigate a rather simple problem: What servers are using unsigned LDAP. There are a bunch […]
Posted in Business, Security Architecture on Jan 5th, 2019
What did my friend actually mean with bolted on? For sure he means a security solution that might or might not be well integrated into the operating system and even if that is a big issue in itself the real challenge was that the user interfaces sometimes mandated some serious training to be able to […]
Posted in Business, Security Architecture on Dec 23rd, 2018
A customer of mine has asked me to devise a security strategy for them. This will be an interesting task. The background to this assignment was that I was doing a presentation of cost-effective security management using MITRE ATT&CK as an example to prioritise your actions. After the presentation their CISO came up to […]
Posted in Security Architecture on Dec 22nd, 2018
One of my core mantras when I discuss security is to do the right things first. So how do you know that you are doing the right thing, isn't that what the risk analysis is for? Correct! Five points to Gryffindor! There is however a better way to move forward. Imagine that someone has already […]