
additional reading
ZTA! WTF? Get Ready for Zero Trust Cybersecurity
– an introduction originally published by my friends at GeoInvesting
WHY?
Deploying effective cybersecurity measures is an ongoing battle with cybercriminals; and cybercriminals, like conventional terrorists, have a built-in advantage. It’s asymmetric warfare – just as it only takes one suicide bomber to breach a physical perimeter, it only takes one response to a phishing email to get past conventional “perimeter-based” IT protections, and thereafter it becomes easy to roam through target networks and extract sensitive data.
Zero Trust Architecture (ZTA) is a new approach to cybersecurity which can help address these problems, make cyberattacks more difficult and minimize damage when a breach does occur. ZTA also supports recent trends in enterprise networks, such as remote users, BYOD and cloud-based assets. Careful implementation of ZTA principles can provide an effective, proactive approach to cybersecurity rather than reacting only when problems arise.
WHAT?
What is ZTA exactly? The U.S. National Institute of Standards and Technology (NIST) defines a standard approach in Special Publication 800-207. Implementation details vary, but all address the limitations of the legacy perimeter-based approach, which assumes that only authorized users have access to the corporate network, and that one-time user authentication and access permissions are sufficient to protect sensitive data. By contrast, ZTA assumes that a network breach has already occurred, and seeks to limit the damage. This is the “Trust No One, Verify Everything” approach. All users, devices, and applications are potential threats – every user, device and network request is treated as potentially malicious and must be verified before accessing sensitive data or systems.
Some elements of the approach are outlined below, and many vendors offer a range of network equipment and software tools to address various aspects of ZTA. Effective cybersecurity is not cheap, and these tools are necessary but not sufficient – indeed, employee awareness, training and commitment are key to the success of any cybersecurity plan.
HOW?
The most important technical capabilities and tools needed for ZTA are strong identity and access management (IAM), network micro-segmentation to isolate different parts of the network, and continuous monitoring and threat detection.
For IAM, a basic step is to implement multi-factor authentication (MFA) to identify authorized users. Most definitions of ZTA also require implementing the “Least Privilege” principle, similar to the “need-to-know” requirement used in controlling classified information – all users should have the access permissions needed to do their job, and no more! Role-Based Access Control (RBAC) can be used to assign every user a predefined role and restrict them to the access permissions allowed for that role. Privileged accounts need to be closely controlled and audited.
Devices accessing the network also need to be authenticated and validated, including checking configurations and compliance with cybersecurity requirements. In particular BYOD access to corporate networks (and corporate e-mail) should be rigorously controlled.
Micro-segmentation is the process of dividing an enterprise network into smaller, isolated segments to minimize the risk of lateral movement in the event of a security breach. Use network switches and routers that support VLANs or software-defined networking (SDN) technologies that enable the creation of virtual networks.
To implement continuous monitoring and threat detection, deploy security information and event management (SIEM) tools (either cloud-based or server-based), endpoint detection and response (EDR) solutions, and intrusion detection systems (IDS) to detect and respond to threats in real-time.
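The four capabilities above (MFA and least-privilege RBAC for IAM, device compliance checks, micro-segmentation, and monitoring that feeds a SIEM) come together at the point where each individual request is allowed or denied. The following Python program is an added illustration written for this page, not code from the original article, from GeoInvesting or from NIST SP 800-207: a minimal policy decision point that re-checks every request on its own merits and records each decision as an event a SIEM could ingest. All users, roles, resources and network segments in it are constructed for the example, and the check order is a design choice, not a standard.

```python
"""
Minimal Zero Trust policy decision point (PDP), added as an illustration.
Every request is evaluated on its own merits: MFA completed, device
compliant, role permitted the action on the resource (least privilege /
RBAC), source segment allowed to reach the resource's segment
(micro-segmentation), and privileged actions only with explicit elevation.
Each decision is recorded as a structured event a SIEM could ingest, and a
small detector flags users who accumulate denials. All users, roles,
resources and segments are constructed for the example.
"""
from dataclasses import dataclass, asdict
from collections import Counter
import json

# Role -> permitted (resource, action) pairs. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "analyst": {("reports", "read")},
    "finance": {("ledger", "read"), ("ledger", "write")},
    "admin": {("reports", "read"), ("ledger", "read"), ("hr-db", "read"), ("hr-db", "write")},
}

# Resource -> network segment that hosts it (constructed topology).
RESOURCE_SEGMENT = {"reports": "apps", "ledger": "finance", "hr-db": "hr"}

# Micro-segmentation policy: source segment -> resource segments it may reach.
SEGMENT_ALLOW = {
    "corp-wifi": {"apps"},
    "finance-vlan": {"apps", "finance"},
    "admin-jump": {"apps", "finance", "hr"},
}

# Actions treated as privileged: they require an explicit, audited elevation.
PRIVILEGED = {("hr-db", "write")}

@dataclass
class Request:
    user: str
    role: str
    mfa_verified: bool
    device_compliant: bool
    source_segment: str
    resource: str
    action: str
    elevated: bool = False

@dataclass
class Decision:
    allow: bool
    reason: str

# In-memory stand-in for the event stream a SIEM would collect.
AUDIT_LOG: list[dict] = []

def evaluate(req: Request) -> Decision:
    """Default deny: the request passes only if every check passes."""
    permitted = ROLE_PERMISSIONS.get(req.role, set())
    reachable = SEGMENT_ALLOW.get(req.source_segment, set())
    checks = [
        (req.mfa_verified, "mfa_required"),
        (req.device_compliant, "device_noncompliant"),
        (req.role in ROLE_PERMISSIONS, "unknown_role"),
        ((req.resource, req.action) in permitted, "not_permitted_for_role"),
        (RESOURCE_SEGMENT.get(req.resource) in reachable, "segment_blocked"),
        ((req.resource, req.action) not in PRIVILEGED or req.elevated, "elevation_required"),
    ]
    decision = Decision(True, "ok")
    for passed, reason in checks:
        if not passed:
            decision = Decision(False, reason)
            break
    # Every decision, allow or deny, is logged with enough context to investigate.
    AUDIT_LOG.append({**asdict(req), "allow": decision.allow, "reason": decision.reason})
    return decision

def repeated_denials(log: list[dict], threshold: int = 3) -> set[str]:
    """Users with at least `threshold` denials: a simple monitoring signal."""
    denials = Counter(e["user"] for e in log if not e["allow"])
    return {user for user, n in denials.items() if n >= threshold}

if __name__ == "__main__":
    sample = [
        Request("alice", "analyst", True, True, "corp-wifi", "reports", "read"),
        Request("alice", "analyst", True, True, "corp-wifi", "ledger", "read"),
        Request("bob", "finance", True, True, "corp-wifi", "ledger", "write"),
        Request("bob", "finance", True, True, "finance-vlan", "ledger", "write"),
        Request("carol", "admin", True, True, "admin-jump", "hr-db", "write"),
        Request("carol", "admin", True, True, "admin-jump", "hr-db", "write", elevated=True),
    ]
    for r in sample:
        print(json.dumps(asdict(evaluate(r))))
    print("users with repeated denials:", repeated_denials(AUDIT_LOG, threshold=1))
```

Two points are worth noticing when reading it. A finance user with the right role is still denied when connecting from the wrong segment, which is what micro-segmentation adds on top of RBAC; and an admin is denied a privileged write until elevation is explicitly granted, which is the "closely controlled and audited" handling of privileged accounts in practice. The denial counter is deliberately crude; a real deployment would ship the audit records to the SIEM and let its correlation rules do this work.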
Conduct regular cybersecurity training sessions to educate employees about best practices, phishing scams, and the importance of password hygiene. Ensure there is an adequate backup regime (online and offline) to restore critical data after a breach or ransomware attack.
For SMBs with limited resources, ZTA can be implemented in phases, focusing on critical assets first. Open-source software tools may also be an option. Larger businesses or those with a larger cybersecurity budget should consider additional actions, including collaboration with industry-specific Information Security and Analysis Centers (ISACs), and third-party certification to industry standards (such as CIS, SCF or ISO/IEC 27001). All businesses should develop an Incident Response Plan and designate an Incident Response Team (or person!) to define and control what happens after a breach is detected.
Larger enterprises should also assess cybersecurity efforts in the broader context of corporate governance. They may already be required to comply with other data security requirements, such as the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), or state-level regulations in the US.
WHAT NEXT?
Don’t panic – moving to ZTA will help you stay one step ahead of cybercriminals by proactively identifying and mitigating risks. A culture of cybersecurity awareness and resilience helps protect valuable corporate assets and maintain the trust of customers and partners.
Social Equity in New Cannabis Legislation: How ESG practices are Promoting Social Equity in the Cannabis Industry
originally published (2023) by Sanford Royce GE63 Global Economy website
President Joe Biden recently issued his first veto, to block a measure which would have prevented managers of retirement funds from using Environmental, Social and Governance (ESG) considerations in investment decisions. Several US state legislatures have enacted restrictions on how state pension funds can use ESG criteria, and the future of ESG in the US remains clouded by its recent emergence as a hot-button issue embroiled in the ongoing politico-cultural wars. Despite this, most medium and large businesses, public and private, continue to report some form of ESG information, and many other stakeholders continue to evaluate and use the data in investment decisions.
In the European Union, the regulatory environment is much clearer – the recently-adopted EU Corporate Sustainability Reporting Directive (CSRD), which requires detailed sustainability reporting requirements, will be phased in starting in January 2024 for large companies, and will apply broadly by 2028.
So, despite these recent controversies, ESG reporting requirements will become increasingly important as investors and stakeholders continue to prioritize a company’s impact on society and the environment. The current status in the US – voluntary reporting using a range of ill-defined ESG criteria – seems likely to yield to a more structured regime with formal standards for reporting, new regulatory initiatives and perhaps more industry-specific requirements.
In the emerging US cannabis markets ESG is not optional – compliance and reporting with a range of ESG requirements is mandated by the state regulations which control licensing of cannabis businesses. The new cannabis legalization efforts in many US states provide illustrative examples of how ESG reporting can work (or not). Reporting regulations are often burdensome and violations can result in business shutdowns and suspension or denial of licenses. The regulations typically have several key objectives:
• track in-state commerce (often from “seed to sale”) in cannabis to facilitate collection of tax revenues
• prevent diversion to grey and black markets
• allow for product recalls if cannabis products fail mandatory testing.
Medical marijuana programs have been in place for some time, recreational use is now legal in about 30 states, and some form of federal decriminalization is expected within a few years. Most states that have recently legalized cannabis have incorporated some type of “social equity” provisions, designed to ensure that individuals and communities that have been disproportionately affected by the war on drugs have an opportunity to participate in the legal cannabis industry. This can include provisions such as targeted licensing and funding for individuals and communities that have been disproportionately impacted, as well as requirements for companies to hire a certain percentage of employees from these communities.
In addition to social equity provisions, ESG reporting requirements can also relate to the environmental impact of cannabis cultivation and production. For example, companies may be required to report on their efforts to reduce energy consumption, water usage, and greenhouse gas emissions. Additionally, companies may be required to disclose information about the chemicals and pesticides used in their cultivation and production processes. Governance provisions may include restrictions on Management Services and Financial Services Agreements (MSAs and FSAs) in an attempt to prevent predatory partnerships with larger cannabis companies.
These provisions (and detailed legislative requirements in general) vary widely from state to state, but are generally designed to spur the creation of new “microbusinesses” in the cannabis industry, which is currently dominated by the large “multi-state operators” (MSOs), mostly public companies (Toronto TSX/TSXV) with revenues over $100MM. The social equity provisions have been controversial and subject to many legal challenges, some successful (e.g., residency requirements have recently been struck down under the Interstate Commerce Act). Compliance is expensive for a new small business, and so far the results have only minimally improved microbusiness participation in the industry.
The Minority Cannabis Business Association (MCBA) summarized the state of current social equity provisions in their 2022 summary – “The number and efficacy of state social equity programs does not reflect the expressed commitment to achieving equity through cannabis.”
So what lessons can we learn for ESG reporting from the cannabis social equity experience? Here are some suggestions:
• Stable and Robust Regulatory and Reporting Requirements
Cannabis legislation and social equity requirements vary widely, from states with minimal social equity rules to those with elaborate provisions. In some states the rules have changed regularly as a result of legal challenges or new legislative objectives. In the wider ESG context, organizations such as the Sustainability Accounting Standards Board (SASB) and others are currently drafting proposed standards for ESG. Industry standards will accelerate ESG adoption and help prevent companies from gaming the system by cherry-picking favorable evidence in their reports.
• Industry-Specific Requirements
Implementing and reporting on social equity requirements for cannabis is expensive, particularly for small businesses, so much so that legal markets generally can’t compete on price with the still-thriving black market. In the broader context, industry-specific requirements could reduce reporting costs for participating companies and help investors focus on their personal priorities for corporate ESG efforts.
• Industry-Wide Applicability
Although requirements might effectively be developed on an industry-specific basis, the overall applicability of new regulations should be as broad as possible. For example, reporting requirements for small businesses could be less, or requirements could be modular so that private companies could also choose to participate on a voluntary basis. The EU Corporate Sustainability Reporting Directive provides a useful framework for possible industry-wide standards.
As more states legalize cannabis, it is likely that ESG reporting requirements will continue to play an important role in ensuring that the cannabis industry operates in a socially and environmentally responsible manner. So far, experience with cannabis social equity requirements provides some important lessons that wider ESG regulatory initiatives might also adopt.
Two Rabbits Outsmart an Owl
A Canadian Inuit legend
There once lived a very powerful owl who would brag to others about how smart and strong he was. One day the owl saw two rabbits playing close together and thought, “I should catch those two rabbits and my friend and I can have them for dinner.”
The owl swooped down to the ground straight for the two rabbits. He grabbed a rabbit with the talons on each foot, so that he had the two in his grasp. The rabbits were smart and strong and began to run.
The owl’s friend saw what was happening and shouted, “Let one of the rabbits go, and just keep the other one!” The owl replied, “The moon will soon appear, and then we shall be hungry. We need both of them!”
The rabbits ran on. When they came to a big rock, one ran to the right side of it, while the other ran to the left side. The powerful owl was not able to let go quickly enough and was torn in two.