The 5-Step Model to Implementing Zero Trust

The 5-Step Model to Implementing Zero Trust

As data breaches and cyberattacks have become commonplace, organizations are finding themselves doing more and more to defend themselves and improve their network and cloud security. One such effort includes developing and deploying a zero trust strategy, which, at its core, follows the “never trust, always verify” principle. Implementing a zero trust strategy and architecture can prevent cybersecurity attacks, including data breaches.

Zero trust is an augmentation of your existing architecture, making it simple to deploy, regardless of your technology. Implementing zero trust takes an iterative approach that allows you to learn and reflect before adding any improvements to new iterations—all of which help build a more resilient and secure environment, made up of people,  processes, and systems..

Ready to get started? Follow the 5-step method On2It outlines below to deploy a zero trust network within your organization.

Step 1: Define the Protect Surface

As attack surfaces continue to expand, it’s no longer feasible to work endlessly to reduce them. It’s hard to define or defend against, which is why zero trust focuses on a protect surface instead. Identify the data, applications, assets, and services (DAAS) elements you want to protect and encompass them in your protect surface. Each protect surface contains a single DAAS element, and every zero trust environment has multiple protect surfaces.

Your DAAS elements help define the sensitive resources that should go into individual protect surfaces. This includes:

  1. Data. The sensitive data that can wreak havoc if it’s misused or exfiltrated. Examples include payment card information (PCI), protected health information (PHI), personally identifiable information (PII), and intellectual property (IP).
  2. Applications. The off-the-shelf or custom software applications that interact with sensitive data or control critical assets and business processes.
  3. Assets. Often, these include information technology (IT), operational technology (OT), or internet of things (IoT) devices such as point of sale terminals, SCADA controls, manufacturing systems, and networked medical devices.
  4. Services. Sensitive services that are exceptionally fragile. Examples include DNS, DHCP, ActiveDirectory®, and NTP.

Step 2: Map the Transaction Flows

Mapping the transaction flows to and from the protect surface shows how various DAAS components interact with other resources on your network, helping you determine where to place the proper controls and how to protect data. How traffic moves across the network, specific to the data in the protect surface, determines the design.

As you map your transaction flows, ask yourself:

  1. Can I do this on my own?
  2. Do I have the capabilities and technologies to extract the flow of information from my environment?
  3. Do I have the technology in place that can do data discovery or flow identification?

Next, identify users’ density and privileges, applications, and services and map the transaction flows between your protect surfaces to document which traffic or transaction flows are active between the protect surfaces.

Step 3: Build a Zero Trust Architecture

Because zero trust frameworks are decoupled from technology, they can be completely customized—they are built around protect surfaces. The next step is to define and build a zero trust architecture, including associated security measures. Start with a next-generation firewall that acts as a segmentation gateway, creating a micro-perimeter around your protect surface.

According to Palo Alto Networks, you can enforce additional layers (all the way to Layer 7) of inspection and access control for anyone or anything trying to access the resources defined within your protect surface.

Step 4: Create a Zero Trust Policy

The next step in implementing your zero trust strategy is to create a zero trust policy. You need to instantiate zero trust as a Layer 7 policy statement, which requires Layer 7 controls. Use the Kipling Method of zero trust policy writing to determine who and what can access your protect surface.

The Kipling Method answers the who, what, when, where, why, and how questions, allowing you to define:

  1. Who should be allowed to access a resource?
  2. What application is used to access a resource within the protect surface?
  3. When is the asserted identity allowed to access a resource?
  4. Where is the resource located?
  5. Why is the user allowed to access the resource within the protect surface?
  6. How can a user get access and through which application?

Step 5: Monitor and Maintain the Network

The final step of the 5-step methodology is to monitor and maintain the network. It involves inspecting and logging all traffic, including through Layer 7. The telemetry this process provides doesn’t just help prevent data breaches and other significant cybersecurity events, but also provides valuable security improvement insights. Each protect surface becomes more robust and better protected over time.

Remember, zero trust takes an iterative approach, so inspecting and logging all traffic will provide insights that can help you improve your network, iteration over iteration.

Implement, Learn, and Repeat

After you’ve worked your way through this methodology, you can expand and iterate to fully move your DAAS elements from your existing network to a zero trust architecture that can better protect your data. Use this approach and the Kipling Method to get started and take your learnings from each iteration to improve. And if you need help getting started or maintaining your zero trust strategy and architecture, we’re here to help. Contact us today to get started.

3 Simple Concepts to Consider with Zero Trust

3 Simple Concepts to Consider with Zero Trust

Every Zero Trust strategy follows this simple principle: never trust, always verify. Building a Zero Trust architecture prevents cybersecurity attacks and data breaches using protect surfaces. Organizations build many of these protect surfaces around their most valuable data, assets, applications, and services (DAAS), significantly reducing the overall attack surface to better protect their businesses.

These 3 Simple Concepts to Consider with Zero Trust  have remained the same since John Kindervag coined the term “zero trust” in 2010. They are:

  1. Trust
  2. Access control
  3. Logging and inspection

Let’s first explore the concept of trust.

Concept 1: Trust

The “never trust, always verify” concept centers on Kindervag’s claim that removing trust from a network makes it natural to ensure secure access to all DAAS elements, regardless of who creates traffic or where it comes from. Eliminating trust means assuming that all traffic is a threat until it has been verified that it is authorized, inspected, and secured. Kindervag suggests starting with the protect surfaces that need protection and working your way outward.

Concept 2: Access Control

The second concept, access control, should help determine who needs access to a specific resource to do their job. Many organizations give too many users access to sensitive data instead of implementing the Principle of Least Privilege. This principle states that a user should only be granted access to those privileges necessary to complete a task. If they don’t need access, they shouldn’t be given access.

In a Zero Trust architecture, a user asserts their identity and will then be granted access to a particular resource based on that assertion. They’re restricted to the resources they need to perform their job only. Kindervag suggests using the Kipling Method to create easily understandable access policies.

Concept 3: Logging and Inspection

The third concept dives into the “always verify” part of zero trust. Instead of inherently trusting users to do the right thing, you must verify they are doing the right thing. You can do this by logging and inspecting all traffic coming to and from protect surfaces for malicious content and unauthorized activity (through Layer 7).

Instead of taking a reactive approach, logging and inspection in a Zero Trust environment is proactive, acting as a foundation for real-time protection and ensuring you deploy all your protect surface policies correctly.

Ready to Deploy Zero Trust?

Are you ready to implement a Zero Trust environment in your organization? We work with partners like On2It to walk through these three concepts, the Kipling Method, and implementation to ensure your business is as secure as possible. So, if you’re ready to move to a Zero Trust architecture, contact us today to get started.

Ransomware Attacks Now Targeting School Systems

Ransomware Attacks Targeting Schools

Ransomware attacks are nothing new. Thousands of businesses have fallen prey to malicious attackers for decades, paying billions in ransom and disrupting operations from a few days to a few months. And that number is only growing.

According to FortiGuard Lab’s 2021 Ransomware Survey Report, ransomware attacks have increased by almost 1,100% year-over-year. While we most often associate attacks with banks and mega-corporations, the truth is ransomware attacks are no longer for the enterprise only. K-12 and higher education institutions appear to be the latest victims, seemingly fueled by the 2019 COVID pandemic.

The COVID Impact on Ransomware Attacks

The COVID pandemic of 2019 disrupted our lives, how we learn, and our approach to work. As the world was forced to go remote, many organizations weren’t prepared for the shift to remote working and virtual learning. And neither were their security systems and teams.

The Information Systems Audit and Control Association (ISACA) explains how the threat landscape expandedwhen unprepared businesses and schools had to go remote to adapt to the pandemic. Employees, teachers, students, and consumers did everything remotely—shopping, teaching, learning, and working.

School systems became more digitally connected than ever before, using platforms like Zoom and Google Classroom to teach students virtually. And attacks like “Zoom-bombing,” where uninvited guests gain control of screens and disrupt classes, became more commonplace. With such a vast threat landscape, the vulnerabilities were virtually limitless.

The 2022 Labor Day weekend ransomware attack on the Los Angeles Unified School District (LAUSD)—the second-largest U.S. school district—is yet another example. Whether they’re attacking one of the largest districts in the country or a small, budget-challenged school district, school ransomware attacks spread far and wide. But the attacks are especially tough on smaller, poorer schools that lacked the resources and didn’t prepare for the immediate shift and technical requirements for remote teaching.

“School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cybercriminals can still put school districts with robust cybersecurity programs at risk. K-12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers.” – FBI and CISA bulletin

But the LAUSD attack is far from the only educational institution impacted. The surge in ransomware attacks on schools has been so profound that President Joe Biden signed the K-12 Cybersecurity Act of 2021 into law to strengthen cybersecurity in schools. The act “directed CISA to work with teachers, school administrators, and private sector firms to develop recommendations and an online toolkit that can help schools improve their security, from securing student data to security challenges with remote learning.”

And after the LAUSD, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint bulletin warning of even further increases in attacks. That’s on top of the 1,000-plus educational institutions that have already suffered a ransomware attack since 2019.

Despite acts written into law and many warnings and bulletins, schools are still dealing with the ramifications of attacks by malicious actors.

The Implications of Ransomware on Schools

As the name implies, ransomware attacks use malware to “encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. [They] often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.”

Cybersecurity Dive, an online newsletter for news on cybersecurity, breaches, and threats, shared that, on average, higher education organizations reported average remediation of $1.42 million per attack. K-12 reported an even higher $1.58 million. While these financial payouts are a huge hit to schools, they’re not the only implication of ransomware attacks:

  • Unauthorized access to personally identifiable information (PII). ISACA highlights unauthorized access to confidential information, such as names, addresses, social security numbers, and financial details as one of the most important factors to consider. If accessed by the wrong people (attackers), students (and teachers or staff) could become victims of identity theft. And schools may have lawsuits on their hands for not properly caring for the highly confidential and valuable information hackers accessed in the data breach.
  • Delays, disruptions, and restricted access. The CISA security alert discussed some of the less critical but still impactful ramifications of data breaches within schools. These include restricted access to networks and data, delays in exams, canceled classes for the day, and downtime.According to a 2022 Sophos study of 730 IT professionals in the education sector, it takes twice as long to recover after an attack than with organizations outside of the education industry. Forty percent reported it taking more than a month, 31% said between one and three months, and 9% recovered between three to six months later.
  • The new ransomware target. Education just might be the new prime target for ransomware attacks. The same Sophos study revealed that educational institutions were attacked even more in 2021 than the previous year, impacting nearly two-thirds of higher education organizations. And for K-12? Ransomware hit more than half of them. The attacks have many implications, but for higher ed, 97% of respondents said they impacted their ability to operate, which can have long-term effects, like permanently closing their doors.

How You Can Fight Back

While ransomware attacks aren’t going away anytime soon, whether you’re a 40,000-student college campus or a small rural school, there are ways to fight back. We also recommend working with a team of security professionals who can set up and continually monitor your network to help prevent and mitigate the effects of a data breach.

So, if you’re ready to combat malicious attacks, contact us today to see how Lightstream can protect your school’s data from breaches.

Lightstream recognized as a top provider in MSSP Alert’s Annual Top 250 MSSPs List

Lightstream, a fully-integrated cloud, security, and network connectivity services provider, has been named a top managed security services provider by MSSP Alert for 2022.

Salt Lake City-based Lightstream makes MSSP Alert’s annual Top 250 list as a recognized top managed security services provider.

(Salt Lake City, UT. September 23, 2022) – Lightstream, a fully-integrated cloud, security, and network connectivity services provider, has been named a top managed security services provider by MSSP Alert for 2022. Known for their fanatical customer service and superior expertise in the cloud, security and network space, Lightstream ranked among other top providers on the annual Top 250 MSSPs list that tracks quality managed security services providers.

“Our customers at Lightstream partner with us knowing our world-class expertise and team of trained professionals will put their needs first, always ensuring they’re in good hands, and always focused on outcome-based solutions” said Jim Cassell, co-CEO of Lightstream. 

“Our obsessive focus on security when building, monitoring, and managing our customers’ cloud environments and networks gives them the peace of mind they need to focus on other areas of the business. Ranking as a top managed security service provider recognizes our approach to our customers and their security.” said Rod Stout, co-CEO of Lightstream. 

MSSP Alert is a CyberRisk Alliance resource that acts as the voice for managed security service providers. It provides the resources MSSPs, security-minded MSPs, and MDR providers need to build their way to managed security success.

The Top 250 MSSPs list is based on annual recurring revenues, profitability, business growth rate, cyber professional headcount, and managed security services offered. Those recognized on the list continue to grow faster than the overall managed security market.

To view the complete list, visit To contact Lightstream, visit our contact page.

About Lightstream

Lightstream is a fully-integrated cloud, security, and network connectivity services business, specializing in building and managing secure cloud environments and network solutions. The organization helps control operating expenses, mitigate security risks, and reduce system complexity to increase operational effectiveness so company’s can focus on business growth and innovation.

Founded in 2003 and headquartered in Salt Lake City, UT, Lightstream partners with leading enterprise and SMB organizations across the US and the globe to provide network, security and cloud solutions. They are passionate about solving complex technology challenges and delivering fanatical customer service.

Media Contact

Dan Davenport /


Mandatory 36-Hour Breach Reporting Window for U.S. Banks

Banks required to notify

In November of 2021, the Agencies, comprised of the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Federal Reserve Board (FRB), passed a regulation that requires banks to notify regulators no more than 36 hours after they identify that a security incident (that rises to the level of a “notification event”) has taken place. The regulation required full compliance by May 1, 2022. FDIC-supervised banks will report incidents to their case managers while banks that are regulated by the Board of Governors of the Federal Reserve System will need to inform the board. The Agencies explain though that not every data security incident is a notification event. According to the rule, a computer-security incident is “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores or transmits. An incident requiring subsequent notification is defined as a ‘computer-security incident’ that has disrupted or degraded a banking organization’s operations and its ability to deliver services to a material portion of its customer base and business lines”

Business Impact

While this requirement from the FDIC, OCC, and the FRB is new, most banks have already been using a 72-hour protocol for reporting. But with an even tighter timeline, banking corporations are going to have to ensure they’re reporting accurate information. Roger Grimes of KnowBe4 explains that in the rush to report quickly, more corporations will probably report inaccurately, which increases the liability risk. Banks will need to first identify if a notification event has taken place, and if they determine that’s the case, they have 36 hours from then to report.

Security Impact

Financial institutions are the backbone of the U.S. economy, according to Marcus Fowler, senior vice president of strategy engagements and threats at cybersecurity AI firm Darktrace, and are one of the most targeted sectors for cybersecurity threats. By establishing a tight window for breach reporting, banks can help restrict the scale of an attack and minimize the impact, protecting the “backbone” of our economy. Attackers try to harm as many victims as possible before defenders can address the issues, so the speed of reporting is vital in combating these cyber attacks.

Take Action

  1. Review the FDIC’s examples of notification events and set up parameters around what is and what isn’t a notification event
  2. Review incident response and business continuity plans to ensure compliance with the new reporting requirement


Lightstream recommends reviewing the new requirements and examining current policies and processes to ensure you’re compliant. Prioritize security by identifying what is a security incident and if that incident is a notification event. Use a comprehensive vulnerability management program to protect your banking corporation. We can help. Our full-stack vulnerability management programs keep you ahead of emerging threats and attackers.

 Read the full bulletin

VMWare Infrastructure Actively Exploited to Compromise Organizations

VMWare Infrastructure Actively Exploited to Compromise Organizations

VMWare Infrastructure Actively Exploited to Compromise Organizations. CISA, the Cybersecurity and Infrastructure Security Agency, has issued an emergency directive highlighting an escalation of successful attacks against commonly deployed enterprise components of VMWare virtual infrastructure. The directive points to an escalation of successful attack against a series of VMWare vulnerabilities that are exploited independently, or in combination, to fully compromise VMWare infrastructure in these organizations. While VMWare has issued patches for these vulnerabilities, attackers have quickly reverse engineered them to develop and weaponize exploits now appearing in the wild.

The attacks highlighted require network access, but successful attackers have utilized 3rd party network access and web exposed servers to compromise vulnerable VMWare components and gain full access.

Business Impact

Exploitation of this set of vulnerabilities gives attackers complete control over the VMWare virtual infrastructure. This means that critical business systems can be manipulated, destroyed, or silently monitored by attackers. If your organization depends on VMWare components highlighted below your business is likely at risk of compromise.

Security Impact

The CVE numbers for the critically impacted vulnerabilities are CVE-2022-22954, CVE-2022-22960, CVE-2022-22972, CVE-2022-22973; however, the primary point of attack has been CVE-2022-22954 which has a CVSS score of 9.8 (originally published 4/11/22) and results in a potential Remote Code Execution (RCE). It is recommended that any exposed components to the Internet should be assumed compromised and disconnected/investigated immediately. VMWare customers should also immediately deploy additional monitoring of their VMWare infrastructure and monitor for IOCs.

VMWare Infrastructure Actively Exploited to Compromise Organizations Urgent Actions Required

  1. Identify VMWare Workspace ONE Access and Identity Manager infrastructure, scan for vulnerabilities
  2. Disconnect/investigate infrastructure with missing patches exposed to the Internet, or 3rd party access
  3. Urgently apply missing patches described above in VMWare infrastructure, monitor for compromise


The vulnerabilities are present in the following VMWare components: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. These should be placed under heightened security monitoring, patches urgently applied (if not already done) and threat hunt activity should be initiated using the available Indicators of Compromise (IOCs). This situation highlights the criticality of operating a vulnerability management program.

 Read the full bulletin

Millions of Log4j vulnerable systems still unpatched

Log4j vulnerability unpatched

A recent survey by Qualys and published in SC Magazine suggests that after over 3 months, millions of Log4j vulnerable systems still unpatched, roughly 1 in 3 devices and installations that were affected by the Log4j vulnerability are still unpatched. This number amounts to roughly 22 million vulnerable application installations — and it should be noted that these are just the devices that are readily accessible from the Internet.

Log4j reached critical status towards the end of 2021 when it was discovered that a feature its platform could allow an unauthenticated attacker to take complete control over a remote system. The vulnerability was classified in CVE-2021-44228, and has been extensively discussed in cyber security as well as in a published flash with guidance from the government’s cyber security agency, CISA, who published guidance.

Business Impact

This Log4Shell vulnerability, as it’s been colloquially named, impacts business systems exposed to the Internet (and systems connected to them) and can result in compromise of system and data integrity, as well as complete take-over of a system or platform generating severe operational and financial business impact.

Security Impact

Using this vulnerability, attackers without credentials or otherwise
legitimate access can exploit this weakness in Log4j to issue system-level
commands, corrupting, disabling, or taking over a system. Subverted systems can
then be used to deploy ransomware or attack protected, critical systems and exfiltrate sensitive data from organizations bypassing security controls.

Urgent Actions Required

  1. Scan all systems, on-premise and in the cloud, with a reliable vulnerability scanner
  2. Triage all identified vulnerabilities, prioritize internet-accessible systems and connected devices
  3. Patch Log4j vulnerabilities with the highest priority – closing any open vulnerabilities


Lightstream recommends operating a comprehensive vulnerability management program and prioritizing issues like Log4j vulnerabilities as business-critical fixes.

If your organization does not have a functional vulnerability management program, Lightstream can help – we operate full-stack vulnerability management programs for our customers, keeping you ahead of emerging threats and attackers.

 Read the full bulletin

Lightstream Names Joe Vadakkan as Global Executive Vice President for Sales and Engineering

Cloud security veteran and key strategist joins emerging service provider to drive growth

Salt Lake City, UT, January 19, 2022– Lightstream, a leader in cloud security, digital transformation and managed services, today announced the hiring of Joe Vadakkan as the company’s new executive vice president for global sales and engineering. As an IT, cloud and security thought leader, Joe will lead Lightstream’s global cloud security engineering and sales organization to drive execution of customers’ cloud security strategies and elevate their innovation at scale.

“Joe is a prominent industry veteran with extensive leadership experience in cloud security sales and innovation, having driven many of the industry’s successful, secure digital transformations,” said Lightstream Co-CEO, Jim Cassell. “I’m excited to welcome him to Lightstream’s executive team, and I look forward to working with him on our mission to enable our global customers to progressively innovate and grow effectively with Lightstream’s cloud security solutions.”

“We are very excited to have Joe join the Lightstream team,” stated Rod Stout, Co-CEO of Lightstream. “His unique ability to help customers realize value and achieve desired business outcomes is unparalleled. With his in-depth knowledge in partner distribution strategies and his success in building and growing world class organizations, Joe will help Lightstream bring continuous value to its customers and achieve our growth objectives.”

Joe has over 20 years of technical and business leadership experience in the areas of global infrastructure and security, most recently having served in a strategic services leadership role at Optiv, a pure play cybersecurity firm. Prior to that, he was responsible for building and running Optiv’s cloud security organization. He has also held leadership roles and provided strategic guidance for startups, venture capital and private equity firms and Fortune 2000 companies.

“I am very excited to join the Lightstream team and look forward to taking the company’s technology and services innovation to the next level to fuel future growth,” said Joe. “Lightstream has a great business model and a talented team that are fast movers on solving customer needs. I believe it is uniquely positioned to accelerate secure client innovation through its Lightstream Connect platform for Microsoft Azure, AWS and Google and integration with a security partner ecosystem that enables it to compete in today’s global market.”

About Lightstream

Lightstream provides full-service cloud, connectivity, and security solutions to enterprises worldwide with a focus on managed services for all three, as well as cloud infrastructure implementation, security, and support.

Lightstream has been named multiple times as a Palo Alto Networks Public Cloud Partner of the Year, and is an AWS Security Competency Partner, an AWS Advanced Consulting Partner, and a Microsoft Cloud Platform Gold Partner with Security Competency. Visit us at or LinkedIn.

Media Contact

Cynthia Lawton / / 843-300-8445