Should Your Cybersecurity Strategy Incorporate the Zero Trust Model?


Zero-trust has taken over the security world and become a popular buzzword, but what is it? Why is it so important? This popular security framework centers on the philosophy that organizations shouldn’t automatically trust users or devices—not even those inside the network perimeter.

Instead, zero-trust demands organizations verify the identity and trustworthiness of every user and every device before granting access to sensitive resources. As the saying goes, “Never trust, always verify.”

Traditional Firewall Security Limitations

When companies based their security on the firewall approach to protecting the network perimeter, only trusted users and devices could access the network. While it worked well for a time, it had plenty of limitations. Zero-trust minimizes those limitations to create an even more secure network and cloud environment.

Let’s explore a few firewall security limitations.

1. Making assumptions of trustworthiness

The firewall approach assumed that all users and devices within the network perimeter were trustworthy. It was (and still is) a dangerous assumption because it leaves organizations vulnerable to attacks from malicious insiders who gained access to the network.

2. Assuming the perimeter’s secure

Firewalls relied on the network perimeter being secure—always. The problem with this assumption is that it doesn’t account for attackers who could still gain access through other means, like using stolen credentials or exploiting software and network infrastructure vulnerabilities.

Why Organizations Have Shifted to Zero-Trust

Making the above assumptions puts companies at risk, making the firewall approach to security an inadequate solution in today’s complex and interconnected world. The result? A new security strategy: zero-trust.

Zero-trust emphasizes the verification of both the identity and trustworthiness of every user and device. Then, and only then, can they access sensitive assets or resources.

The Zero-Trust Approach

Zero-trust’s security framework is built on the “never trust, always verify” philosophy, which means:

  • Continual monitoring of all users, devices, and applications
  • Activity, identity, and device verification before granting network access

This approach eliminates reliance on perimeter-based security measures, instead focusing on securing access to data and resources within the network.

Zero-trust also emphasizes the importance of authentication and access controls, including using multiple factors of authentication:

  • Passwords
  • Biometrics
  • Token-based authentication

These measures ensure that only authorized users gain access to resources.

Another tenet of zero-trust is constant monitoring (through tools like network and endpoint security) of both user and device activity, which can alert security teams the second these tools detect suspicious activity.

But you’ll also want to regularly test and update security controls, constantly checking for unknown vulnerabilities. Security assessments that use both internal and external expertise and resources can help protect your organization against unknown or future threats.

Zero-trust is crucial for protecting your enterprise organization. By implementing this security strategy, you can arm yourself against the increasingly sophisticated and persistent threats you face in today’s digital world.

Are You Ready to Implement Zero-Trust?

If you’re ready to up-level your security, Lightstream can help. We strongly believe zero-trust is essential to any security strategy that aims to protect your data, network, and organization—which is why we offer a full suite of zero-trust solutions:

  • Readiness assessments
  • Consulting
  • Managed services

We often act as extensions of our clients’ security teams, helping protect you 24/7. And we use a zero-trust framework to do so.

Adopting the zero-trust approach can drastically reduce the risk of data breaches and other security threats. It can also help protect your reputation and ensure your data and resources remain secure.

So, if you want to learn more or are ready to implement it, contact us today.

5 Reasons The Pentagon Implemented Zero Trust (And Why You Should Too)


Never trust, always verify

According to the World Economic Forum, zero trust is the way forward—and the US government agrees. “The zero trust model has been widely recognized as an effective approach to prevent data breaches,” which is why the Department of Defense is working to advance toward zero trust architectures. The Pentagon recently announced its intention to implement an enterprise-wide zero-trust framework by 2027, which comprises over 100 activities and pillars, including users, devices, data, networks, workloads, visibility, and orchestration.

Pentagon Chief Information Officer (CIO) John Sherman explained the decision to move toward a zero-trust implementation:

It doesn’t represent a defeat, it doesn’t mean that we’re not strong cyber defenders. But it recognizes that we live in a very sophisticated threat environment. We’ve got to defend differently. We can’t just defend at the perimeter.

The Pentagon is committed to transitioning network defenses to a zero-trust architecture in just a few short years for several reasons:

  • Attackers are becoming more sophisticated and using advanced methods to steal sensitive data, attack the supply chain, and more

  • The threat environment is ever-evolving and we need to adapt to ensure we build products to operate securely

  • To establish baseline security standards

  • An increased ability to detect malicious cyber activity

It’s a proactive approach to ensuring data security in the cloud and beyond. Zero-trust is good enough for the Department of Defense—and it’s good enough for you too. Let’s explore why.


Want to Learn More About Zero-Trust?

Whether you’re ahead of the game and have already started on your zero-trust journey or are looking for a provider to help you implement the zero-trust framework, Lightstream can help. We’re experts in all things cloud security and partner with zero-trust specialists to strategize, build, and implement zero-trust architectures. 

We’re happy to answer any questions you have, but if you’re just getting started, review our articles on zero-trust:

  1. The 5-Step Model to Implementing Zero Trust
  2. 3 Simple Concepts to Consider with Zero Trust

Ready to get started? Contact us today for a consultation.

Secure Access Service Edge and Zero-Trust: The Ultimate Security Solution


With more businesses going hybrid or fully remote and data breaches on the rise, organizations are scrambling to ensure data and application security at every level. As security has become even more paramount, more and more organizations are implementing a zero-trust security model, which has slowly become the standard for cloud security.

But savvy organizations are also deploying more advanced security principles, including secure access service edges (SASE). And despite occasionally being incorrectly positioned as either/or solutions, zero-trust is actually a foundational part of a SASE architecture.

Let’s explore how this dynamic duo works together to create even more secure networks and cloud environments.

What is SASE?

Gartner coined the term SASE just a few short years ago, in 2019, to explain an emerging cybersecurity principle, which integrates security into the network architecture to deliver consistent and secure access, no matter where users, applications, or data are.

It brings together wide area networking (WAN) and network security services, including cloud access security broker (CASB), zero-trust, secure web gateway (SWG), and firewall as a service (FWaaS) into a single, cloud-delivered service model.

What is Zero-Trust?

While zero-trust and SASE are newer philosophies, zero-trust is a bit more established. Forrester Research first coined the term in 2010 to sum up applying the principle of least privilege (POLP) to network access.

Zero-trust is a strategy based on the idea of “never trust, always verify” that requires continual authentication and verification before granting access to your network, data, and applications. A few tenets include:

  • Implementing a POLP strategy and strict access control
  • Ensuring secure access to resources from anywhere
  • Inspecting and logging all traffic

How do SASE and Zero-Trust Work Together?

When you think of SASE and zero-trust, think of them as parts of the same security vision. They both work to protect your data, applications, and assets in the cloud using dynamic perimeters and user verification.

SASE deploys security via the cloud, whereas zero-trust uses POLP to ensure security. But instead of working separately, zero-trust is part of the SASE framework. SASE is what establishes and enables zero-trust network access (ZTNA).

SASE combines network and network security components in a single cloud-based service—one such component is ZTNA. Without ZTNA, there’s no point in deploying SASE. But once you implement ZTNA and build it into your SASE architecture, you can consistently enforce your security policies throughout your entire network, providing much stronger network security.

Together, SASE and ZTNA allow for the decentralized network distributed teams need while providing high levels of security. Users get the access they need—from any location or device—and organizations get the security they need to protect assets and data.

Ready for SASE and Zero-Trust?

Whether you’re looking to ramp up your security efforts or have implemented parts of your SASE architecture but need help rolling everything out, Lightstream is here to help. Our team of experts has decades of experience with cloud security and partners with industry leaders to deploy zero-trust and SASE solutions.

If you’re ready to get started or have questions, reach out to Lightstream.

The 5-Step Model to Implementing Zero Trust


As data breaches and cyberattacks have become commonplace, organizations are finding themselves doing more and more to defend themselves and improve their network and cloud security. One such effort includes developing and deploying a zero trust strategy, which, at its core, follows the “never trust, always verify” principle. Implementing a zero trust strategy and architecture can prevent cybersecurity attacks, including data breaches.

Zero trust is an augmentation of your existing architecture, making it simple to deploy, regardless of your technology. Implementing zero trust takes an iterative approach that allows you to learn and reflect before adding any improvements to new iterations—all of which help build a more resilient and secure environment, made up of people, processes, and systems.

Ready to get started? Follow the 5-step method On2It outlines below to deploy a zero trust network within your organization.

Step 1: Define the Protect Surface

As attack surfaces continue to expand, it’s no longer feasible to work endlessly to reduce them. An attack surface is hard to define and hard to defend, which is why zero trust focuses on a protect surface instead. Identify the data, applications, assets, and services (DAAS) elements you want to protect and encompass them in your protect surface. Each protect surface contains a single DAAS element, and every zero trust environment has multiple protect surfaces.

Your DAAS elements help define the sensitive resources that should go into individual protect surfaces. This includes:

  1. Data. The sensitive data that can wreak havoc if it’s misused or exfiltrated. Examples include payment card information (PCI), protected health information (PHI), personally identifiable information (PII), and intellectual property (IP).
  2. Applications. The off-the-shelf or custom software applications that interact with sensitive data or control critical assets and business processes.
  3. Assets. Often, these include information technology (IT), operational technology (OT), or internet of things (IoT) devices such as point of sale terminals, SCADA controls, manufacturing systems, and networked medical devices.
  4. Services. Sensitive services that are exceptionally fragile. Examples include DNS, DHCP, Active Directory®, and NTP.

Step 2: Map the Transaction Flows

Mapping the transaction flows to and from the protect surface shows how various DAAS components interact with other resources on your network, helping you determine where to place the proper controls and how to protect data. How traffic moves across the network, specific to the data in the protect surface, determines the design.

As you map your transaction flows, ask yourself:

  1. Can I do this on my own?
  2. Do I have the capabilities and technologies to extract the flow of information from my environment?
  3. Do I have the technology in place that can do data discovery or flow identification?

Next, identify users’ density and privileges, applications, and services and map the transaction flows between your protect surfaces to document which traffic or transaction flows are active between the protect surfaces.

Step 3: Build a Zero Trust Architecture

Because zero trust frameworks are decoupled from technology, they can be completely customized—they are built around protect surfaces. The next step is to define and build a zero trust architecture, including associated security measures. Start with a next-generation firewall that acts as a segmentation gateway, creating a micro-perimeter around your protect surface.

According to Palo Alto Networks, you can enforce additional layers (all the way to Layer 7) of inspection and access control for anyone or anything trying to access the resources defined within your protect surface.

Step 4: Create a Zero Trust Policy

The next step in implementing your zero trust strategy is to create a zero trust policy. You need to instantiate zero trust as a Layer 7 policy statement, which requires Layer 7 controls. Use the Kipling Method of zero trust policy writing to determine who and what can access your protect surface.

The Kipling Method answers the who, what, when, where, why, and how questions, allowing you to define:

  1. Who should be allowed to access a resource?
  2. What application is used to access a resource within the protect surface?
  3. When is the asserted identity allowed to access a resource?
  4. Where is the resource located?
  5. Why is the user allowed to access the resource within the protect surface?
  6. How can a user get access and through which application?

Step 5: Monitor and Maintain the Network

The final step of the 5-step methodology is to monitor and maintain the network. It involves inspecting and logging all traffic, including through Layer 7. The telemetry this process provides doesn’t just help prevent data breaches and other significant cybersecurity events, but also provides valuable security improvement insights. Each protect surface becomes more robust and better protected over time.

Remember, zero trust takes an iterative approach, so inspecting and logging all traffic will provide insights that can help you improve your network, iteration over iteration.
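The protect surfaces from Step 1, a Kipling Method policy from Step 4, and the decision logging from Step 5 can be expressed together as a default-deny evaluator. This is an added example, not code from On2It or Lightstream; the group names, application labels, condition labels such as "mfa", and the sample requests are constructed for illustration.

```python
"""Kipling Method policy check: default deny, every decision logged."""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Rule:
    who: str         # group allowed to access the resource
    what: str        # application used to reach it (Layer 7)
    when: tuple      # (start, end) datetime.time window; may wrap past midnight
    where: str       # protect surface the resource sits in
    why: str         # business justification, copied into the log
    how: frozenset   # conditions the session must prove (assumed labels)


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    app: str
    at: datetime           # naive local time of the protect surface (assumption)
    surface: str
    conditions: frozenset  # what the session actually proved, e.g. {"mfa"}


def in_window(t, window):
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end  # window wraps past midnight, e.g. 22:00-06:00


def first_failure(req, rule):
    """Return the first Kipling question the request fails, or None."""
    if rule.where != req.surface:
        return "where"
    if rule.who not in req.groups:
        return "who"
    if rule.what != req.app:
        return "what"
    if not in_window(req.at.time(), rule.when):
        return "when"
    if not rule.how <= req.conditions:
        return "how"
    return None


def evaluate(req, rules, log):
    """Allow only if one rule matches on every question; log allow and deny alike."""
    entry = {"user": req.user, "surface": req.surface, "app": req.app,
             "at": req.at.isoformat()}
    failed = set()
    for rule in rules:
        reason = first_failure(req, rule)
        if reason is None:
            log.append({**entry, "decision": "allow", "why": rule.why})
            return True
        if reason != "where":          # rules for other surfaces are not failures
            failed.add(reason)
    log.append({**entry, "decision": "deny",
                "failed": sorted(failed) or ["no rule for surface"]})
    return False


# Constructed sample policy: one rule per protect surface.
RULES = [
    Rule("billing-support", "postgresql", (time(8), time(18)), "cardholder-db",
         "refund handling needs PCI records", frozenset({"mfa", "managed-device"})),
    Rule("noc-oncall", "ssh", (time(22), time(6)), "dns-servers",
         "overnight DNS maintenance", frozenset({"mfa"})),
]


def demo():
    """Run constructed requests through the policy; return (decisions, log)."""
    def req(user, group, app, at, surface, *proved):
        return Request(user, frozenset({group}), app,
                       datetime.fromisoformat(at), surface, frozenset(proved))
    both = ("mfa", "managed-device")
    requests = [
        req("alice", "billing-support", "postgresql", "2024-03-04T10:15", "cardholder-db", *both),
        req("alice", "billing-support", "postgresql", "2024-03-04T23:40", "cardholder-db", *both),
        req("bob", "engineering", "postgresql", "2024-03-04T10:20", "cardholder-db", *both),
        req("alice", "billing-support", "postgresql", "2024-03-04T11:00", "cardholder-db", "mfa"),
        req("carol", "noc-oncall", "ssh", "2024-03-05T02:30", "dns-servers", "mfa"),
        req("dave", "billing-support", "https", "2024-03-04T12:00", "hr-files", "mfa"),
    ]
    log = []
    return [evaluate(r, RULES, log) for r in requests], log
```

The deny entries record which question failed, which is the telemetry that lets a rule be tightened or corrected in the next iteration.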

Implement, Learn, and Repeat

After you’ve worked your way through this methodology, you can expand and iterate to fully move your DAAS elements from your existing network to a zero trust architecture that can better protect your data. Use this approach and the Kipling Method to get started and take your learnings from each iteration to improve. And if you need help getting started or maintaining your zero trust strategy and architecture, we’re here to help. Contact us today to get started.

3 Simple Concepts to Consider with Zero Trust


Every Zero Trust strategy follows this simple principle: never trust, always verify. Building a Zero Trust architecture prevents cybersecurity attacks and data breaches using protect surfaces. Organizations build many of these protect surfaces around their most valuable data, assets, applications, and services (DAAS), significantly reducing the overall attack surface to better protect their businesses.

These three concepts have remained the same since John Kindervag coined the term “zero trust” in 2010. They are:

  1. Trust
  2. Access control
  3. Logging and inspection

Let’s first explore the concept of trust.

Concept 1: Trust

The “never trust, always verify” concept centers on Kindervag’s claim that removing trust from a network makes it natural to ensure secure access to all DAAS elements, regardless of who creates traffic or where it comes from. Eliminating trust means assuming that all traffic is a threat until it has been verified that it is authorized, inspected, and secured. Kindervag suggests starting with the protect surfaces that need protection and working your way outward.

Concept 2: Access Control

The second concept, access control, should help determine who needs access to a specific resource to do their job. Many organizations give too many users access to sensitive data instead of implementing the Principle of Least Privilege. This principle states that a user should only be granted access to those privileges necessary to complete a task. If they don’t need access, they shouldn’t be given access.

In a Zero Trust architecture, a user asserts their identity and will then be granted access to a particular resource based on that assertion. They’re restricted to the resources they need to perform their job only. Kindervag suggests using the Kipling Method to create easily understandable access policies.

Concept 3: Logging and Inspection

The third concept dives into the “always verify” part of zero trust. Instead of inherently trusting users to do the right thing, you must verify they are doing the right thing. You can do this by logging and inspecting all traffic coming to and from protect surfaces for malicious content and unauthorized activity (through Layer 7).

Instead of taking a reactive approach, logging and inspection in a Zero Trust environment is proactive, acting as a foundation for real-time protection and ensuring you deploy all your protect surface policies correctly.

Ready to Deploy Zero Trust?

Are you ready to implement a Zero Trust environment in your organization? We work with partners like On2It to walk through these three concepts, the Kipling Method, and implementation to ensure your business is as secure as possible. So, if you’re ready to move to a Zero Trust architecture, contact us today to get started.

Cut Data Transfer Costs With CloudFront & Lightstream


With a global pandemic, record-high inflation, and the Great Resignation all contributing to economic uncertainty, many businesses have put hiring freezes in place, laid off hundreds of staff, and delayed projects indefinitely. Everyone is trying to manage costs and cut where possible. One solution is to cut data transfer costs with CloudFront & Lightstream.

Many organizations are already using a Content Delivery Network (CDN) to manage data transfer costs and provide customers with a seamless experience. But did you know you could save up to 85 percent more each month by working with an AWS partner?

Why Lightstream?

As an AWS partner, we’re not only knowledgeable about all things AWS, but we also keep up-to-date on best practices and are well-versed in optimizing AWS services for our clients. We help them find solutions that save money, provide the most security, and allow them to innovate faster than ever before. We also pass significant savings onto our clients–up to 85 percent, to be exact–with volume purchasing.

So, before you lay off members of your IT team or bring projects to a halt, consider working with Lightstream and potentially save tens of thousands every month.

Why AWS CloudFront? 

Consumers expect lightning-fast websites, quick downloads, and seamless video streaming–they won’t wait for your site to load or for the buffering screen to go away. Delivering a great user experience quickly is paramount. Most organizations already use a global CDN like CloudFront to deliver this experience. Using a network of over 200 Points of Presence (PoP) that cache and deliver content to its users, CloudFront is a common solution for businesses looking to balance a great user experience with data cost savings.

CloudFront leverages Amazon’s resilient, fully redundant, global backbone network for superior performance and availability–all of which give the user a great experience. And by moving the content physically closer to the user, companies can save significantly on data transfer costs.

Another way businesses have become more cost-efficient is by keeping everything in-house. AWS doesn’t charge transfer fees for origin fetches from an AWS server, which helps organizations realize even more savings. Some businesses are even taking advantage of the CloudFront Security Savings Bundle, which offers up to 30 percent savings if they commit to a monthly spend.

Security is another reason businesses are choosing CloudFront. Security has always been at the forefront of the cloud, so it’s not surprising that CloudFront adds an extra layer of protection. The CDN adds security features at the edge location, using application- and network-level security assets to protect data against network and transport layer DDoS attacks. By integrating CloudFront with other AWS services like Web Application Firewall (WAF), you can protect against even more complex attacks.

Calculate Your Savings

Want to see how much you could save by partnering with Lightstream for your CloudFront services? Use our cost savings calculator and then get in touch to explore a partnership to cut data transfer costs with CloudFront & Lightstream.


4 Reasons you need an Azure Virtual Desktop

Safe and secure virtual desktops for the hybrid and remote workforce.

Whether you’re an enterprise or SMB looking to provide secure desktops to your remote employees, seasonal workers, or consultants, Azure Virtual Desktop (AVD) is an excellent option. All you have to do is deploy the cloud-run work environments on any device.

Power Your Hybrid and Fully Remote Workforce

Safe and Secure

Enable your remote employees to work from anywhere without sacrificing security. Protect your data and your business with the included security controls.

Productive from Anywhere

Grant employees access to the information and applications they need on any device so they can work efficiently from anywhere.

A Consistent Work Environment

No matter where your employees work, they can enjoy the same virtual work environment and Windows or Linux experience they’d get on a local device.

All-Around Simplicity

A Simple Way to Manage Security

AVD makes it easy to ensure your business’ security by controlling access to your data and applications. This is especially important if you’re working with contractors, seasonal workers, or part-time employees who need temporary access to information.

Quick and Easy Deployment

Using Azure Portal, you can effortlessly deploy and manage your virtual desktops. Assign users, manage security controls, and access diagnostics—all in one place.

A More Cost-Effective Option

Only Pay When Virtual Desktops are On

AVD allows you to be more cost-effective by only paying for virtual machines (VMs), storage, and the networking consumed when virtual desktops are on.

Limit Laptop Purchases

AVD makes it easy to customize and manage virtual desktops. You can use existing devices instead of purchasing individual laptops and spending the time and money to customize each one.

Use Existing Licenses

If you have existing licenses with Windows, you can access AVD. You don’t need to license additional software, lowering your total cost of ownership.

Flexibility that Meets Your Business Needs

Customize What You Share

Do your full-time employees need the complete virtual desktop experience, but you want to limit what your contractors can access? AVD lets you choose what level of access you grant to your teams.

Automatically Scale Up or Down

AutoScale your virtual desktops based on your demand. With AVD, you can adjust the number of virtual desktops as your workforce changes, scaling up for demand or reducing the number based on an exiting seasonal workforce.

Ready to Deploy? After reviewing 4 reasons you need an Azure Virtual Desktop, contact Lightstream.

If you’re ready to power your remote-first workforce with the best and most cost-effective virtual desktop service, Lightstream can help. We have helped dozens of customers across industries reap the benefits of Azure Virtual Desktop. We help them stay compliant with data regulations and configure environments securely to prevent data loss. Get in touch to get started with AVD.

How Do I Survive a Ransomware Attack?

Who Does Ransomware Target?

Ransomware attacks are no longer affecting enterprises only. They’re spreading to organizations of all sizes, maturities, and even across industries. Why? It’s profitable.

Many mid-market businesses have a false sense of security that ransomware attacks only happen to big corporations with millions to pay in ransom. But both enterprise and mid-market companies have valuable data attackers can hold for ransom.

How Do I Protect My Business?

Protect your business using the 5 Ps of Preparedness approach:

  1. Program. Work with IT to align your cybersecurity program with your ransomware strategy to minimize the operational and financial impact of a ransomware incident.
  2. Policy. Work with leadership and the board to create a policy that explains how you will approach ransomware, including if your business will attempt to make a payment.
  3. Plan. Your plan should be concise, comprehensive, and simple. Who will provide external support, who will you empower to make decisions, and who will execute your plan?
  4. People. Identify strategic partners within your organization and external parties and clearly define their roles, inform them of their responsibility, and document their contact information.
  5. Practice. Consistently test your ransomware strategy to understand your ability to organize, execute, and improve response capabilities. This will ensure your preparedness.

What is the Ransomware Lifecycle?

Understand the ransomware lifecycle to prepare for and resolve it as quickly as possible. 

  1. Infection. Ransomware finds its way into corporate assets through phishing emails, a misconfigured cloud asset, and the exploitation of your open vulnerabilities.
  2. Communication. Ransomware communicates back to its control network, where attackers determine how they’ll attack your network.
  3. Discovery. Built-in mechanisms discover specific types of sensitive information for ransom, identify defensive measures, and help attackers maximize their impact.
  4. Data exfiltration and backup destruction. Ransomware components silently corrupt and disable backups and steal sensitive information.
  5. Encryption. Attackers silently and selectively encrypt your data, making your systems and data useless without decryption.
  6. Ransom demand. Ransomware attackers make ransom demands (typically in Bitcoin) to get your data back.
  7. Negotiation. Some ransomware attackers will negotiate.
  8. Decryption. You can pay the ransom to get the decryption keys, but there’s no guarantee attackers won’t leak or re-encrypt your data.

Top 3 Initial Infection Vectors

  • Phishing emails
  • Remote Desktop Protocol (RDP) exploitation
  • Software vulnerabilities exploitation

How Can Technology Help?

Apply a zero-trust security strategy to empower your security teams and leadership to move faster and more securely. At its core, zero trust believes we should not inherently trust any interaction, at any level. It focuses on setting up systems and applications that protect themselves from every other system, allowing them to defend against attacks by minimizing the impact of any single compromise or attack. 


Five areas of the NIST CSF to include in your cybersecurity and ransomware strategy:

  1. Identify. Operationalized identification, detection, and classification of critical and sensitive data
  2. Protect. Data and individual asset protection that prevent known threats and attack patterns
  3. Detect. Operationalized cyber attack and malicious software detection
  4. Respond. Integrated technology platforms that detect ransomware rapidly to contain it
  5. Recover. Recovery strategy that can scale


Are you prepared to defend against ransomware attacks? At Lightstream, we have helped customers build effective strategies to empower them to fight against ransomware attacks, and we can do the same for you.

We’ll assess your current strategies, build upon them, and help you mitigate as much risk as possible by preparing for and setting up the proper technologies to fight ransomware attacks.