By Bob Michaud, Q2 Chief Security Officer
Every autumn, I look forward to cooler weather and, of course, National Cybersecurity Awareness Month—or, as you might know it, October. Because Q2 is a cybersecurity awareness champion, every week in October I like to share a blog post on cybersecurity. This year, my blogs will focus on Q2’s journey to implement a Zero Trust framework, highlighting the importance of security in every digital strategy.
If you’re unfamiliar, Zero Trust architecture isn’t about a single, specific technology; instead, it’s a holistic approach to security that incorporates several different principles and technologies. Each week for the next month, we’ll explore Q2’s approach to the different principles and technologies we’ve chosen to implement as part of our Zero Trust framework.
Trust, but verify
Growing up on a farm in the Midwest, I learned to trust people. At times we might’ve had to verify that trust, but in general, we had faith in people. As I grew up, though, and spent time away from home, I had to change my notion of trust. It took some time and a little more verification before I could really trust someone.
In the context of information security, trust has always been a primary function built into the fabric of the environment—a lot like it was part of my environment growing up. Now that the information security age has also grown up and become more distributed, the notion of trust has also changed. A username and password are no longer enough. It’s now a common requirement to know more about the user before allowing them access—such as the location from which they’re logging in. Extra layers of protection, such as firewalls, are also commonly used to ensure external threats remain external.
With the advent of mobile computing and mobile workforces, the notion of trust has continued to shift and created even more challenges. Additionally, the adoption of cloud computing and cloud applications has dramatically increased the risk of exposing sensitive data.
With all the technological and societal changes over the last few years, we’ve adopted a new mindset at Q2. Zero Trust is a security model based on the principle of maintaining strict access controls and not trusting anyone by default, even those already inside the network perimeter.
When discussing this strategy with Lou Senko, our CIO, I asked him, “How do you implement a Zero Trust framework?” His first response was, “You start with people.” To that end, Q2 has focused on evolving the organization by building a foundation of great talent, amplifying its reach and influence, and establishing Q2 as a thought leader across our 400+ financial institutions’ security, compliance, risk, and fraud teams.
Lou further explained why Q2 is implementing this framework. He noted that while there has to be a balance between security and convenience, implementing a Zero Trust framework reduces the threat of data loss and insider threat risks significantly—while still providing your employees with easy and convenient access. This is all a part of understanding and embracing the importance of all things digital. In the current environment, it’s more important than ever to have a cohesive and transformative strategy around digital technology that addresses user experience, data and, of course, security.
Join me next week as we discuss the next piece of Q2’s Zero Trust framework. We’ll discuss identity verification; specifically, the requirement for strict identity verification for every person and device trying to access resources.
Thanks, and happy National Cybersecurity Awareness Month!