Zero Trust: Sounds Good, But…
Almost every cybersecurity solution vendor likely has the words “zero trust” somewhere on its website, in its marketing collateral, or both. And the term basically means what it says. You should craft your cybersecurity strategy and your networks in ways that assume you can’t trust anyone or anything.
Of course, locking everyone and everything out of the network is a non-starter. The alternative path to zero trust means that nothing and no one gets connected to the network without being challenged and validated somehow. Even those devices and people comfortably ensconced within the corporate perimeter.
Zero Trust: Three Big Challenges
Sounds simple enough. However, at least three challenges complicate the lives of everyone seeking to adopt a zero-trust approach to cybersecurity – the Internet of Things (IoT), the cloud, and your users.
- The IoT – many IoT devices were not designed with enterprise-class cybersecurity in mind. Some have limited or no built-in security features. Some even lack passwords. And just because you avoid buying devices without at least password protection, and forbid such devices from your networks, doesn’t mean there aren’t or won’t ever be any there.
- The cloud – cloud-based services and resources require multiple layers and levels of cybersecurity, especially where public cloud connections are concerned. And that means a need for nearly constant scrutiny of those cloud services and the companies that offer them. As anyone who owns a laptop knows, security updates are issued frequently, and many vulnerabilities result from less-than-timely installation of those updates.
- Your users – as your computing and network resources evolve, it is essential to keep users engaged and informed about their roles in keeping those resources secure. Users and their devices can be the weakest links in your networks. They can also be a highly effective first line of defense. The difference often has much to do with how well users are engaged by those responsible for managing their networks and cybersecurity.
Zero Trust Best Practices
When I was employed at Huawei USA, I got to work with Andy Purdy. He is the Chief Security Officer at Huawei USA. He is also former Acting Director of the National Cybersecurity Division of the U.S. Department of Homeland Security. He is perhaps the smartest cybersecurity expert I’ve gotten to work with directly. He also holds a law degree, but I don’t hold that against him.
I’ve come up with a single, simple approach you should take to all of your cybersecurity solution decisions, especially those that involve vendor claims. It’s a variant on an approach I first heard from Andy. That approach is literally as simple as “A, B, C.”
- Assume nothing.
- Believe no one.
- Confirm everything.
You must select, deploy, and manage all elements of your cybersecurity infrastructure with this approach in mind. And you must reject inclusion of any elements for which you cannot credibly confirm any claimed features or benefits.
As you choose and deploy solutions that meet these criteria, your security technologies, practices, processes, and related storytelling must be:
- Automated – because humans simply can’t keep up with network growth or cybersecurity threats with manual tools and processes alone.
- Bespoke – because deployment and integration of your chosen solutions must be custom-tailored for your organization’s business needs and its particular users. As must how you document those solutions and the processes that govern them. (At the very least, avoid the passive voice and use more personal pronouns.)
- Clear – explain what you do and why you do it, in terms focused on your users, not your technologies or your business goals. Treat your users less as your most challenging vulnerabilities and more like members of your first line of defense. Instill in them a sense of value associated with their cybersecurity-related efforts and actions. Get them on your side. Clearly, credibly, and consistently.
One more alphabetic suggestion. Throughout your cybersecurity journey, Always Be Communicating. Make sure your users and your bosses know what you’re doing, what they should be doing, and why.
That Help I Mentioned
From March 23 through March 26, you will have a chance to see which vendors can cash the checks their mouths are writing about zero trust. The Zero Trust Demo Forum will hold several vendors’ feet to the fire, under the watchful eyes of some of my favorite cybersecurity people. They include Dr. Chase Cunningham of Forrester, Dr. Anton Chuvakin, who is helping to build the security strategy for Google Cloud, and cybersecurity expert, analyst, and author Richard Stiennon.
Richard and Chase are featured in an 11-minute video preview of the event on Vimeo. More than two dozen vendors are slated to participate. You can find more information and register for the event at The Demo Forum website. I think it will definitely be worth your time and attention.