When you consider the tremendous financial losses caused by cybercrime and personalize it by thinking about your own business and how you feel about anyone trying to compromise it, suddenly zero-trust stops sounding so paranoid. A discussion of the real implications of the proper application of a zero-trust approach.
“Just because you’re paranoid doesn’t mean they aren’t after you!”
That statement is attributed to Catch-22 author Joseph Heller, though it seems it only appeared in the screenplay by Buck Henry.
The point is worth thinking about when talking about zero-trust. Some of your customers may feel that sounds too paranoid. Good time to haul out Heller’s comment. You might also point out that security professionals basically must be paranoid by nature to be effective!
Merriam-Webster defines paranoid as “characterized by suspiciousness, persecutory trends, or megalomania” and “extremely fearful.”
When it comes to high-value business data assets, there’s really nothing wrong at all with being suspicious and fearful. We’ll leave megalomania for another day.
It’s Not About You
Former Forrester analyst John Kindervag wrote the original definitions and descriptions of a zero-trust approach to data and network security.
In an article in the Wall Street Journal’s CIO Journal, Kindervag explains, “I became fascinated by how people and businesses anthropomorphized their digital environments by applying the concept of trust to computing—that somehow a device could be trusted and that it cared that it was trusted.”
He continues, adding, “Back then, many CISOs and CIOs adhered to the idea that what’s inside the corporate firewall can be trusted. This concept of inside versus outside became a variable that was used to determine security policy.”
Then, Kindervag emphasizes why there’s nothing paranoid about trusting nothing, saying, “But trust applies only to people—not digital environments. Identity credentials can be stolen, networks can be hacked, and insiders with bad intent are often in positions of trust. This means it’s impossible to know with certainty that the originator of network traffic can truly be trusted: An asserted identity is only an assertion, not an actual person.”
Kindervag advises eliminating the concept of trust from cybersecurity strategy completely and going through five steps to build a Zero-Trust network:
>> Define Your Protect Surface: What do you need to protect?
>> Map the Transaction Flows: How does the system work together?
>> Architect the Environment: Place the controls as close as possible to the Protect Surface so that you can define a micro-perimeter
>> Create the Zero Trust Policy(by using the Kipling Method, i.e. by answering the who, what, when, where, why and how of your network and policies)
>> Monitor and Maintain the Environment: Gather telemetry, perform machine learning and analytics, and automate responses in policy
In his 2016 Forrester report, “No More Chewy Centers: The Zero Trust Model Of Information Security,” Kindervag informs us, “There’s an old saying in information security: “We want our network to be like an M&M, with a hard crunchy outside and a soft chewy center.” For today’s digital business, this perimeter-based security model is ineffective against malicious insiders and targeted attacks. Security and risk (S&R) pros must eliminate the soft chewy center and make security ubiquitous throughout the digital business ecosystem — not just at the perimeter.”
For today’s digital business, this perimeter-based security model is ineffective against malicious insiders and targeted attacks.
This explains perfectly why the common assumption that anything inside the network perimeter can be trusted no longer holds, especially when you consider the many estimates that say more than half of network exploits come from inside the firewall, not out. Combined with Kindervag’s explanation that, “Identity credentials can be stolen, networks can be hacked, and insiders with bad intent are often in positions of trust” it becomes obvious that classic perimeter defenses are insufficient. Security needs to focus on identity rather than the perimeter, as Zero-Trust does.
The Case for Anticipating the Worst
So, Zero-Trust suggests that we always anticipate the worst from everything and everyone.
So, what’s wrong with that?
First of all, if you trust nobody and nothing, you’re not discriminating against anyone. You’re an equal opportunity objector.
Also, many consider having to prove their identity a compliment. Evidence the adult man or woman who gets “proofed” when entering a bar. They are asked to prove they’re over 18, and that can only make them smile!
Ask yourself, would you leave your home, your office, or your vault closed but not locked? You can’t trust that nobody will enter while you’re away. You’re practicing zero-trust!
In the final analysis, zero-trust, expecting the worst, is the best position to take. If things turn out great, you’ll be pleasantly surprised. If you’re right and things go wrong as you anticipated, at least you won’t be disappointed.
About the author
Senior Resultant Howard M. Cohen is a 35+ year executive veteran of the Information Technology industry, an authorized CompTIA instructor, and a regular contributor to many IT industry publications. After 35 years as an IT industry executive, Howard has been writing for and about the channel since 2009.
He has served on many vendor advisory panels including the Apple, Compaq, HP, IBM, and NEC Service Advisory Councils. He has also served on the Ingram Micro Service Network board and as a U.S. Board member of the International Association of Microsoft Channel Partners.
Howard is a well-known frequent speaker at IT industry events including Microsoft’s Worldwide Partner Conference (now Inspire), Citrix Synergy/Summit, ConnectWise IT Nation, ChannelPro Forums, Cloud Partners Summit, MicroCorp One-On-One, and CompTIA ChannelCon.
Howard refers to himself as a “Senior Resultant” because he has always understood that we are all measured only by our results. Connect with Howard at email@example.com and review his portfolio at www.authory.com/howardmcohen.