I have a good friend who has a small business (roughly 100 employees and two office locations; everything lives in the cloud, no real “network” to speak of) that is doing well. A few weeks ago, over barbecue and range time (some folks play golf, we shoot guns . . . it’s a Texas thing), we started discussing what he was doing to protect his fledgling enterprise.
His answer to my first question, “So, what’s the security strategy?” was shocking — basically nothing. Nothing other than he had an “IT guy” that was running the network for him and basically used a spreadsheet to track everything. That’s it.
He coyly smiled and said, “That’s not good huh?”
“No, that’s a guarantee that you are headed for disaster, dude. Like disaster on the level of playing-hopscotch-blindfolded-in-a-mine-field bad.
“OK, so let’s be real about this and figure out what you should do. What’s your acceptable level of spending pain when it comes to securing the future of your company?”
“Uh, 40 grand.”
“Jeez. OK, so you’re a cheapskate. Since I bought the beer last time, that’s not news.”
So following our discussion, and learning that he basically wanted to spend less on IT security than he would likely spend on his company office party, I started to think of how we could apply Zero Trust principles and use the ZTX framework to help him.
I created a plan based on my ZTX framework by focusing on what I could control, working from critical control areas within the network to the outer perimeter, and being pragmatic about what tools I might leverage. Here is a link to the report if you’re unfamiliar with Zero Trust or ZTX.
First, we needed to have a way to control how and when his users were accessing things that were important to his business. Along with that, he also needed to push (mandate) that encryption was used in some form. The encryption in use needed to be something that his users and employees could not only comprehend the need for, but also be able to use readily, and frankly, not screw up.
Second, he needed to leverage some sort of endpoint protection on all company-issued laptops (which were currently running NOTHING).
And finally, he needed someone who was tasked with managing, controlling, and maintaining his security (notice I didn’t mention his network or IT systems, I said SECURITY). Basically, he needed a security engineer that would be contracted or employed by his company to do nothing but conduct audits, analysis, reviews, and responses to any perceived or observed threat activity.
Doing this and following this simple strategy would not be a perfect solution and it wouldn’t be bulletproof, but it would be a vast improvement over his current security setup.
For the Zero Trust side of it, we focused on locking down access and applying granular controls to who accesses what. Every employee had to use two-factor authentication (2FA), encryption would be pushed to all user accounts, endpoints would have some form of protection running, and any threats or activities that might show up would have a dedicated response option.
Granular controls, managed access, protecting the data that matters, leveraging encryption, and having a means to do something within the infrastructure as-needed sounds like a Zero Trust strategy to me.
- Endpoint protection: Cylance, Symantec, or Trend Micro were a few of the tools I considered. To be honest, it would depend on pricing. (I didn’t ask for quotes, but after a bit of digging, I estimated this would be around $8K in subscription costs.)
- Cloud-based tool suite: Google Suite. They already had everything in Google, and they sure weren’t going to spend more than Google does on cloud ops and security. Also, this system allowed us to push 2FA to his “enterprise,” which would immediately increase his security posture. GSuite costs here were relatively cheap over the course of the year, at about $3K for everyone to have an account and to run the full gamut of GSuite.
- Encryption: There are a variety of tools that might work, but for this exercise I looked at Virtru. (The tool integrates with GSuite, is very easy to use, offers audit and control remotely, and allows the security engineer to see who is doing what with respect to encryption.) Costs on this were hard to be specific with as I didn’t get actual quotes, but my estimate puts it around the same price as the AV, so let’s call it $8K as well.)
- Access control (IDaaS): Again, there are a variety of tools, and GSuite has its own sort of embedded system that could work. But a few of the tools I would consider might be from Centrify, IBM, Okta, and Ping Identity or ForgeRock. (Costs weren’t specific, but estimates put it around the $8K to $10K range.)
- Security engineer: Asking around to some folks that do this type of work and have the talent, the hourly rate for a quality engineer to monitor this and have solid command and control of things was about $150 an hour. Since he already had an “IT guy,” and his business would probably not need a security engineer 24×7, we decided on a part-time, on-call-as-needed security engineer. The pricing for this was about $150 an hour, and they would contract to 10 hours a month, so that would be about $18K a year.
So, the total costs on this (and it is an estimate) would be about $45K, give or take. In truth, probably around $50K by the time everything settled out. For what was a relatively “cheap” budget estimate, he would have a relatively secure cloud infrastructure, a protected email system, IDaaS, an encryption solution, AV/endpoint protection on his laptops, and a dedicated human resource to respond and manage his new security infrastructure. Not bad.
While there could be a million ways to skin this cat, and any one of a hundred plans and strategies would have been better than the epic fail he’d had in place, using the simple strategies and concepts within Zero Trust allowed us to improve his company’s security posture and provided a clear and concise way to communicate what was needed and why. My friend still had a way to go to be fully functional with total security, but this was the right place to start. Now his network is more secure, his users are controlled, he can see who is doing and accessing what, his intellectual property is better protected, and his business is safer.