What Is Zero Trust Anyway?
About three minutes into planning this post, I had one of those “god, I am old” moments. Here is why I had the moment. I have worked in cybersecurity since 1994. My first job was at a Big 3 working for the U.S. government through one of the world’s largest law firms. Yes, it was complicated.
Back in those days (said in the voice of an old man), cybersecurity wasn’t even cybersecurity. It was just security. Information security wouldn’t become a thing until the early 2000s. Networking of computers was just getting off the ground. See what I mean? I started a long time ago.
The point is that even back then, when computers were only just being networked, cybersecurity wasn’t a thing, and the position of CISO would have been considered witchcraft, there was already an IT architecture principle called “Know Your Computer” (KYC), later “Know Your Network” (KYN). The name was borrowed from the finance industry of the 1990s.
Banks, wanting to sell more products to their existing clients, tried to learn everything they possibly could about them. Remember, this was at the VERY beginning of the internet; the huge databases of users’ likes, dislikes, and after-midnight purchase habits were decades away.
KYC and KYN, then, are old principles. They have morphed into many things over the years, and today they go by the name Zero Trust. It would be unfair to compare the complexity and technical detail of today’s IT with yesterday’s. On the other hand, there are lessons from a simpler IT time that still have value today.
KYC or KYN
The concepts are old, but the principles are still relevant in today’s IT environment. Frankly speaking, Zero Trust is the latest iteration of KYN. See below:
Know the purpose of every device on the network
Limit each device’s access to only what it needs to fulfill that role
Document the behavior of every system on the network and alert on deviations
Document the behavior of every system on the network and block all other actions
Document your data flows
Document your data flows and alert on changes
Hold regular forums to review changes and updates to the network’s systems
Regularly review alerts and violations of the Zero-trust controls
I could go on, but the point seems pretty clear. Now, KYN doesn’t line up perfectly with the Zero-trust model. Today’s threats, and the complexity of today’s networks, simply did not exist in the 1990s.
What Is Zero Trust Anyway?
We have all been in the industry for years. Even if you have been in it for only days, you have read articles, received emails, been called by vendors, and been invited to webinars, seminars, or drum circles selling Zero Trust.
Every vendor, no matter what the technology, is selling their product as the latest Zero-trust miracle cure. There have been many industry fads, but that is not the point of this post. This post is to explain Zero Trust and different strategies to deploy it effectively and economically.
Zero Trust is a philosophy. Simply put: do not allow anything to happen on a network you are responsible for that you do not already know about. Like all philosophies, that is a simple thing to say, easy to understand, and hard to implement.
You may be asking yourself, “I have 5k endpoints, 40 cloud providers, 800 servers, and 600 applications. Does he expect me to swim lane all of that? He is an idiot.” I too said those words to myself regarding my first steps into Zero Trust. I too called someone an idiot.
Then I started to think about how I would answer the questions I would be asked by some business development exec who read the words Zero Trust on the back of a magazine while flying cross country. “Quick question XXX, what is our Zero-trust Strategy? I need to understand it, so create a quick three-slide deck explaining why we are world class at it.” I started with what our crown jewels were. Others call it the High Value Asset (HVA) list. Whatever you call it, that is where you start.
Step one is documenting who uses each HVA, and what, when, where, and how they use it. This will most likely take the form of interviews with the business users. NOT the business leaders. You need the leaders’ blessing, but the people actually using the HVA are the ones you need to work with. The artifacts of these interviews are workstation names, usernames, applications, business process documentation, and data flows.
Once you have answered those questions, you can build a Zero-trust strategy around that HVA. If it is not accessed remotely, remove remote access. If only a limited set of users needs access, remove all the rest. If only a limited set of computers needs access, remove the rest. If the process does not transfer data via email, put in a DLP block to eliminate that transfer mechanism. You are simply building walls around the business process.
You are not changing the process, and that point needs to be stressed when you work with the business: you are not going to make their day-to-day experience worse. Each time you put in a control, make sure you have alerting on changes to it. If you use groups to grant user access, then when that group’s membership changes, make sure you have an alerting strategy that notifies both the business and cybersecurity operations of the change. Perhaps it was not expected or approved, and you have uncovered something before any damage occurs.
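The procedure above (record the HVA’s users, workstations, data flows, and access group, then alert when anything deviates) is easy to turn into a recurring check, and it is the same “document the behavior and alert on deviations” item from the KYN list earlier. What follows is an added example, not code from the original post: the asset name, users, workstations, directory group, and destinations are all constructed for illustration, and the event and flow records stand in for whatever your logging or NetFlow tooling actually produces.

```python
"""Added example (not from the original post): check what is actually happening
around one high-value asset against the baseline the business interviews produced.

Every name below (the asset, users, hosts, group, destinations) is constructed
for illustration and is an assumption, not data from the post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HvaBaseline:
    """What the interviews documented about one HVA: the 'walls' we will enforce."""
    name: str
    allowed_users: frozenset     # the people who actually use the asset
    allowed_hosts: frozenset     # the workstations they use it from
    allowed_flows: frozenset     # (destination, port) pairs the asset is known to talk to
    remote_access: bool          # did anyone legitimately use it remotely?
    access_group: str            # directory group that grants access
    group_members: frozenset     # that group's membership when the baseline was approved


def check_access_event(baseline: HvaBaseline, event: dict) -> list:
    """One finding per baseline rule an access event violates; [] means known behaviour."""
    findings = []
    if event["user"] not in baseline.allowed_users:
        findings.append(f"{baseline.name}: unexpected user {event['user']} from {event['host']}")
    if event["host"] not in baseline.allowed_hosts:
        findings.append(f"{baseline.name}: unexpected workstation {event['host']} (user {event['user']})")
    if event["remote"] and not baseline.remote_access:
        findings.append(f"{baseline.name}: remote access by {event['user']}, but the process is on-site only")
    return findings


def check_flow(baseline: HvaBaseline, flow: dict) -> list:
    """Flag a network flow from the asset that the documented data flows do not cover."""
    if (flow["dst"], flow["port"]) not in baseline.allowed_flows:
        return [f"{baseline.name}: undocumented data flow to {flow['dst']}:{flow['port']}"]
    return []


def diff_group(baseline: HvaBaseline, current_members) -> dict:
    """Compare today's group membership with the approved baseline."""
    current = frozenset(current_members)
    return {
        "added": sorted(current - baseline.group_members),
        "removed": sorted(baseline.group_members - current),
    }


def review(baseline: HvaBaseline, events, flows, current_members) -> list:
    """Everything the business owner and security operations should be told about."""
    alerts = []
    for event in events:
        alerts.extend(check_access_event(baseline, event))
    for flow in flows:
        alerts.extend(check_flow(baseline, flow))
    delta = diff_group(baseline, current_members)
    for user in delta["added"]:
        alerts.append(f"{baseline.name}: {user} added to {baseline.access_group} without a baseline update")
    for user in delta["removed"]:
        alerts.append(f"{baseline.name}: {user} removed from {baseline.access_group} without a baseline update")
    return alerts


# Constructed baseline for an imaginary payroll application (assumption, not real data).
PAYROLL = HvaBaseline(
    name="payroll-app",
    allowed_users=frozenset({"alice", "bob"}),
    allowed_hosts=frozenset({"WS-FIN-01", "WS-FIN-02"}),
    allowed_flows=frozenset({("payroll-db.corp.example", 1433), ("print-srv.corp.example", 9100)}),
    remote_access=False,
    access_group="SG-Payroll-Users",
    group_members=frozenset({"alice", "bob"}),
)

# Constructed observations for one review period.
EVENTS = [
    {"user": "alice", "host": "WS-FIN-01", "remote": False},   # documented behaviour
    {"user": "bob", "host": "WS-FIN-02", "remote": True},      # known user, but over remote access
    {"user": "mallory", "host": "WS-IT-07", "remote": False},  # unknown user on an unknown workstation
]
FLOWS = [
    {"dst": "payroll-db.corp.example", "port": 1433},  # documented flow
    {"dst": "203.0.113.9", "port": 443},               # egress nobody described in the interviews
]
CURRENT_GROUP = {"alice", "bob", "mallory"}            # someone was added since the baseline

if __name__ == "__main__":
    for line in review(PAYROLL, EVENTS, FLOWS, CURRENT_GROUP):
        print(line)
</test_placeholder_removed>```

Run it and every alert goes to both the business owner and security operations. The design choice that matters is that the baseline is a versioned artifact of the interviews: when an alert turns out to be a legitimate change, you update and re-approve the baseline rather than muting the rule, so the documentation stays true to the process it protects.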
Your program may not yet have the control needed for a given HVA. If so, the interview artifacts are your documented business justification for the new control. More likely, your program already has the technical capability and simply has not yet been pointed at this asset.
A Zero-trust strategy really buys you two things. Number one, you get to use the new-fangled lingo to describe your efforts and needs. Number two, it focuses your teams’ efforts on the HVA list. Trying to deploy Zero-trust strategies across an entire enterprise at once is a fool’s errand. Start with the most important assets in the organization first.