Zero Trust: How to Manage Access to Applications
Soumak Roy Shares His Strategy to Map Access to Applications and Networks
Soumak Roy, vice president and global cybersecurity practice leader at SDG Corp. and winner of the ISMG Dynamic CISO award in the zero trust category, proudly says he implemented zero trust within a year. Roy shares his journey, learnings and strategies for a smooth zero trust implementation.
An essential component of zero trust is to map access to applications and networks, but Roy said the process isn't easy.
"Mapping access matrix with identity and network is cumbersome," Roy said. "It is not easily identifiable in a complex environment - who needs to access what, from what network, and which applications are to be allowed."
To demystify this, he applied the Kipling method of who, what, when, why and how. "This helped me answer some questions, like: Who should be addressing the resource? What applications are being used to access that resource, especially inside a secure area? When should a resource be accessed? Where is the packet destination to? How is the packet accessing the secure application throughout its life cycle?
"This was our building block for zero trust framework and with this level of granular enforcement, we ensured that only legitimate users and legitimate applications can communicate to their destination, and the rest all are by default blocked. This is the fundamental of zero trust."
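The default-block matching described above can be sketched as a small rule evaluator. This is an added illustration, not code from the interview or from Roy's implementation; the field names, the sample rule and the treatment of "why" as a recorded justification rather than a match condition are assumptions.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    who: frozenset   # user groups allowed to reach the resource
    what: str        # identified application carrying the traffic
    when: tuple      # (start, end) time-of-day window for access
    where: str       # destination network, as a CIDR
    how: str         # required transport/inspection profile, e.g. "tls"
    why: str         # business justification, recorded for review only

@dataclass(frozen=True)
class Request:
    groups: frozenset
    app: str
    at: time
    dst: str
    transport: str

def evaluate(rules, req):
    """Allow only when one rule matches on who, what, when, where and how."""
    for rule in rules:
        start, end = rule.when
        if (rule.who & req.groups
                and rule.what == req.app
                and start <= req.at <= end
                and ip_address(req.dst) in ip_network(rule.where)
                and rule.how == req.transport):
            return "allow"
    return "deny"  # nothing matched: blocked by default

# Constructed sample policy: finance staff reach the ERP front end over TLS
# during working hours, and nothing else is permitted.
RULES = [
    Rule(frozenset({"finance"}), "erp-web", (time(7, 0), time(19, 0)),
         "10.20.0.0/24", "tls", "month-end close processing"),
]

if __name__ == "__main__":
    ok = Request(frozenset({"finance", "staff"}), "erp-web", time(9, 30),
                 "10.20.0.15", "tls")
    late = Request(frozenset({"finance"}), "erp-web", time(23, 0),
                   "10.20.0.15", "tls")
    print(evaluate(RULES, ok), evaluate(RULES, late))
```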
In this video interview with Information Security Media Group, Roy also discusses:
- The various technologies he invested in for zero trust;
- How he secured legacy systems with zero trust;
- His advice to his colleagues on their own zero trust journeys.
Roy has more than 20 years of experience in cybersecurity. He has been in leadership roles across organizations and has expertise in both enterprise and consumer security - IAM, fraud and risk intelligence, infrastructure security, security operations and cyber intelligence.