Insight by AvePoint

Zero Trust Cyber Exchange: The workspace, zero trust’s 6th pillar

The Cybersecurity and Infrastructure Security Agency laid out five pillars in its Zero Trust Maturity Model: data, networks, applications, identity and device.

But agencies need to consider a sixth pillar as they develop strategies and plans to move toward this new security approach, said Jay Leask, director of federal strategy and strategic accounts for public sector at AvePoint public sector.

Collaborative workspaces, like those in Microsoft Office 365, need to be part of the zero trust planning, Leask said during Federal News Network’s Zero Trust Cyber Exchange.

“When it comes to zero trust, it is built on your typical pillars of security. Is my device secure? Is my network secure? Is the application I’m using secure? Can I secure my data file by file or piece by piece? And, of course, are the users coming into my system the actual users they say they are in collaboration systems like Microsoft 365?” he said.

Why collaboration environments matter in zero trust

Thinking about the security aspects in these collaboration workplaces matters because there’s constant change — people being added and removed, creating items in draft formats and updating them multiple times, and then sharing files in many different ways.

“You start to realize that you’re relying on the user to tag content appropriately” to ensure that its sensitivity can be protected by the system automatically, Leask said. “What we’ve done with some of our customers is we’ve taken this intersection between the data and the user, and identified it as the ‘workspace.’ ”

In that way, an organization can address the specific security needs of the users who access the workspace and of the data created and shared within it, he explained. A workspace can be Microsoft Teams or SharePoint or any platform where users, devices and data come together.

Start by asking: How sensitive is your data?

“One of the questions we’re asking the business owner is, ‘What is the expected level of sensitivity of the information within this?’ That allows us to programmatically set the security policies for each individual workspace, natively within Microsoft 365,” Leask said.

That way, when a user creates a team or group, they can set the security and the privilege policies. As an example, Leask cited a Defense Department workspace that houses data governed by the International Traffic in Arms Regulations. If someone attempts to add a foreign user, they would be out of compliance. “Knowing that this workspace is going to have export control data, locking that workspace down but not locking down the department workspace, which doesn’t have this type of sensitive information, really allows you to have an open collaboration system but then have a stricter security policy where needed,” Leask said.

As with any security policy, agencies will need to find the right balance and not overburden their security staff with requests for changes. That is where automation can help, he added.

“When I walk in and talk about being able to set policy on Teams the moment they’re deployed, based on some very basic business-level information and doing it automatically rather than requiring an administrator to pull up a script in PowerShell and run that script manually, that’s the kind of thing [agencies] are looking for today.”

To listen to and watch all the sessions from the 2022 Federal News Network Zero Trust Cyber Exchange, go to the event page.