
What Is Zero Trust Anyway?
About three minutes into planning this post, I had one of those "god, I am old" moments. Here is why I had the moment. I have worked in cybersecurity since 1994. My first job was at a Big 3 working for the U.S. government through one of the world's largest law firms. Yes, it was complicated.
Back in those days (said in the voice of an old man), cybersecurity wasn't even called cybersecurity. It was just security. Information security wouldn't become a thing until the early 2000s. Networking of computers was just getting off the ground. See what I mean? I started a long time ago.
The point of this is that even back when computers were just being networked, cybersecurity wasn't a thing, and the position of CISO would have been considered witchcraft, there was a principle in IT architecture named "Know Your Computer" (KYC) or, later, "Know Your Network" (KYN). The principle originated in the finance industry of the 1990s.
Basically, to sell more products to their current clients, financial firms would attempt to learn everything they possibly could about those clients. Remember, this was at the VERY beginning of the internet. The huge databases about users and their likes, dislikes, and purchase habits after midnight were decades away.
KYC or KYN, as illustrated, are old principles that have been around for a long time. Now they have morphed into many things over the years, and today they are called Zero Trust. It would be unfair and unjust to compare the complexity and technical detail of today's IT versus yesterday's. On the other hand, there are lessons learned from a simpler IT time that still have value today.
KYC or KYN
They are old concepts, but the principles still are relevant in today's IT environment. Frankly speaking, Zero Trust is the latest iteration of the KYN concept. See below:
KYN | Zero Trust
Know what the purpose is of all devices on the network | Limit access to all devices on the network to only what they need to do to fulfill their role
Document the behavior of all the systems on the network and alert on deviations | Document the behavior of all the systems on the network and block all other actions
Document your data flows | Document your data flows and alert on changes
Create regular forums to review changes and updates to the network systems | Regularly review alerts and violations of the Zero-trust controls
I could go on, but the point seems pretty clear. Now, KYN doesn't line up perfectly with the Zero-trust model. The threats and complexities of computer networks simply did not exist in the 1990s.
What Is Zero Trust Anyway?
We have all been in the industry for years. Even if you have been in the industry for only days, you have read, been sent emails, been called by vendors, been invited to webinars, seminars, or drum circles selling Zero Trust.
Every vendor, no matter what technology, is selling their product as the latest Zero-trust miracle cure. There have been many industry fads, and that is not the point of this post. This post is to explain Zero Trust and different strategies to deploy it effectively and economically.
Zero Trust is a philosophy. Simply put, do not allow anything to occur on the network that you are responsible for that you do not already know about. Like all philosophies, that is a simple thing to say, easier to understand, and hard to implement.
You may be asking yourself, "I have 5k endpoints, 40 cloud providers, 800 servers, and 600 applications. Does he expect me to swim lane all of that? He is an idiot." I too said those words to myself regarding my first steps into Zero Trust. I too called someone an idiot.
Then I started to think about how I would answer the questions that I would be asked by some business development exec who read the words Zero Trust on the back of a magazine while flying cross country. "Quick question XXX, what is our Zero-trust Strategy? I need to understand it, so create a quick three-slide deck explaining why we are world class at it." I started with what our crown jewels were. Others call it the High Value Asset (HVA) List. Whatever you call it, that is where you start.
Step one is documenting the Who, What, When, Where, and How the HVAs are used. This will most likely take the form of interviews with the business users. NOT the business leaders. You need to get their blessing, but the actual people using the HVA are the ones that you need to work with. Artifacts of these interviews will be computer workstation names, usernames, applications, business process documentation, and data flows.
Now that you have answered those questions, you can build a Zero-trust Strategy around that HVA. If it is not accessed remotely, then you can remove that access. If only a limited number of users need access, remove all the rest. If a limited number of computers need access, remove the rest. If the process doesn't transfer data via email, then put in a DLP block to eliminate that data transfer mechanism. You are just building walls around the business processes.
You are not changing the business process, and that is a point that needs to be stressed when you work with the business. You are not going to make their day-to-day experience worse. Each time you put in a control, make sure you have alerting on changes to it. If you use access groups to control user access, then make sure you have an alerting strategy that notifies both the business and cybersecurity operations whenever that group membership changes. Perhaps the change was not expected or approved, and you have uncovered something before any damage occurs.
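As an added example (not from the original post), here is the "document the baseline, alert on deviations" step for a single HVA expressed as code. The baseline is what the business-user interviews produced (usernames, workstation names, applications, whether remote access is needed); the observed snapshot stands in for whatever you pull from group membership, firewall or EDR telemetry. All names and values are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class HvaBaseline:
    """What the interviews documented as legitimate use of one HVA."""
    name: str
    users: frozenset
    workstations: frozenset
    applications: frozenset
    remote_access: bool  # False means remote access was removed as unneeded

@dataclass
class Alert:
    hva: str
    dimension: str      # which documented attribute drifted
    added: frozenset    # seen now but never documented: the Zero-trust violation
    removed: frozenset  # documented but no longer seen: ask the business why

def check_drift(baseline, current):
    """Diff an observed snapshot (dict of sets) against the documented baseline.
    Returns one Alert per dimension that drifted; an empty list means no change."""
    alerts = []
    for dim in ("users", "workstations", "applications"):
        documented = getattr(baseline, dim)
        observed = frozenset(current.get(dim, ()))
        added, removed = observed - documented, documented - observed
        if added or removed:
            alerts.append(Alert(baseline.name, dim, added, removed))
    # Remote access is a wall you built; it being re-enabled is a change in itself
    if current.get("remote_access", False) and not baseline.remote_access:
        alerts.append(Alert(baseline.name, "remote_access", frozenset({"enabled"}), frozenset()))
    return alerts

# Constructed baseline: a payroll database, documented via user interviews
PAYROLL = HvaBaseline(
    name="payroll-db",
    users=frozenset({"alice", "bob"}),
    workstations=frozenset({"WS-FIN-01", "WS-FIN-02"}),
    applications=frozenset({"payroll-client"}),
    remote_access=False,
)

# Constructed snapshot: a user was added to the access group and remote
# access came back on, neither of which went through the review forum
OBSERVED = {
    "users": {"alice", "bob", "carol"},
    "workstations": {"WS-FIN-01", "WS-FIN-02"},
    "applications": {"payroll-client"},
    "remote_access": True,
}

if __name__ == "__main__":
    for a in check_drift(PAYROLL, OBSERVED):
        print(f"[{a.hva}] {a.dimension}: added={sorted(a.added)} removed={sorted(a.removed)}")
```

Route each Alert to both the HVA's business owner and security operations, as the post recommends, so the business can confirm whether the change was approved.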
Your program may not yet have the capability in place to implement the control that HVA needs. If so, you have now documented your business justification for the new control. I would suspect, though, that your program probably already has the technical capabilities to implement the needed controls.
A Zero-trust Strategy only allows you to do two things. Number one, use the new-fangled lingo to describe your efforts and needs. Number two, focus your teams' efforts on the HVA list. Trying to deploy Zero-trust Strategies across an entire enterprise at once is a fool's errand. Start with the most important assets in the organization first.
Frequently Asked Questions
Cybersecurity Risk Management is a strategic approach used by organizations to identify, assess, and prioritize potential threats to their digital assets, such as hardware, systems, customer data, and intellectual property. It involves conducting a risk assessment to identify the most significant threats and creating a plan to address them, which may include preventive measures like firewalls and antivirus software. This process also requires regular monitoring and updating to account for new threats and organizational changes. The ultimate goal of Cybersecurity Risk Management is to safeguard the organization's information assets, reputation, and legal standing, making it a crucial component of any organization's overall risk management strategy.
The key components of a Cybersecurity Risk Management program include risk identification, risk assessment, risk mitigation, and continuous monitoring. It also involves developing a cybersecurity policy, implementing security controls, and conducting regular audits and reviews.
Organizations can mitigate cybersecurity risks through several strategies. These include implementing strong access control measures like robust passwords and multi-factor authentication, regularly updating and patching systems to fix known vulnerabilities, and conducting employee training to recognize potential threats. The use of security software, such as antivirus and anti-malware programs, can help detect and eliminate threats, while regular data backups can mitigate damage from data breaches or ransomware attacks. Having an incident response plan can minimize damage during a cybersecurity incident, and regular risk assessments can identify and address potential vulnerabilities. Lastly, compliance with industry standards and regulations, such as the Cybersecurity Maturity Model Certification (CMMC) and National Institute of Standards and Technology (NIST) standards, can further help organizations mitigate cybersecurity risks.
A risk assessment is a crucial part of Cybersecurity Risk Management. It involves identifying potential threats and vulnerabilities, assessing the potential impact and likelihood of these risks, and prioritizing them based on their severity. This helps in developing effective strategies to mitigate these risks.
Continuous monitoring is a vital component of Cybersecurity Risk Management, providing real-time observation and analysis of system components to detect security anomalies. This enables immediate threat detection and response, helping to prevent or minimize damage. It also ensures compliance with cybersecurity standards and regulations, allowing organizations to quickly address any areas of non-compliance. By tracking system performance, continuous monitoring aids in identifying potential vulnerabilities, while the data gathered informs decision-making processes about resource allocation, risk management strategies, and security controls.