Thursday, September 29, 2022

Pragmatic view of Zero Trust | Blog

Traditionally, we’ve taken the approach that we trust everything on the network, everything in the enterprise, and we put our security at the edge of that limit. Pass all of our checks and you’ll be in the “trusted” group. That worked well when the opposition was unsophisticated, most end-user workstations were desktops, the number of remote users was very small, and we had all of our servers in a series of data centers that we fully or partially controlled. We were comfortable with our place in the world and the things we built. Of course, we were also asked to do more with less, and this security posture was simple and less expensive than the alternative.

From the time of Stuxnet, this began to change. Security went from being a little-understood, accepted cost discussed in the back room to being discussed with interest in boardrooms and shareholders' meetings. Overnight, the executive level went from being able to ignore cybersecurity to having to know the company's cyber readiness. Attacks increased and major news organizations began reporting on cyber incidents. Legislation changed to reflect this new world, and more is to come. How do we handle this new world and all its requirements?

Zero Trust is that change in security. Zero Trust is a fundamental change in cybersecurity strategy. Whereas before we focused on boundary control and built all of our security around the idea of inside and outside, now we need to focus on every component and every person that could be a Trojan horse. It may look legitimate enough to get past the edge, but could actually harbor a threat actor waiting to strike. Worse, your applications and infrastructure could be a time bomb waiting to go off, where the code used in those tools is exploited in a "supply chain" attack: for reasons outside the organization's control, they are vulnerable. Zero Trust says: "You are trusted to perform one action, once, in one place, and the moment anything changes you are no longer trusted and must be validated again, regardless of your location, application, user ID, etc." Zero Trust is exactly what it says: "I trust nothing, so I validate everything."

That's a neat theory, but what does it mean in practice? We need to restrict users to the absolute minimum required access; restrict networks with a strict set of ACLs; restrict applications so they can only communicate with the things they are meant to communicate with; and segment devices to the point where they think they are alone in private networks, while being dynamic enough to change their sphere of trust as the organization evolves and still allowing management of those devices. The overall goal is to reduce the "blast radius" that any single compromise would allow in the organization, because a cyber attack is not a question of "if" but "when".

So if my philosophy changes from "I know it and trust it" to "I can't believe it is what it says it is", what can I do? Especially when you consider that I didn't get 5x the budget to deal with 5x the complexity. I look at the market. Good news: every security vendor now tells me how they solve Zero Trust with their tool, platform, service, or something new and shiny. So I ask questions. It seems to me that they really only solve it in the marketing. Why? Because Zero Trust is difficult. It is very difficult. It is complex, and it requires organization-wide change: not just tools, but the entire trifecta of people, processes, and technology, and not just my tech team but the entire organization, not just one region but globally. It's a lot.

However, all is not lost, because Zero Trust is not a fixed result; it is a philosophy. It is not a tool, not an audit, not a process. I can't buy it, nor can I certify it (no matter what people who sell things say). So there is hope. I also always remember the truth, "Perfection is the enemy of progress", and I realize that I can move the needle.

So I take a pragmatic view of security, through the lens of Zero Trust. I do not intend to do everything at once. Instead, I look at what I am capable of and where I have existing skills. How is my organization designed? Am I a hub, with a central organization providing shared services to largely independent business units? Maybe I have a mesh, where BUs have spread out and integrated organically, staffed as we went through years of mergers and acquisitions. Maybe we're fully integrated as one organization with one standard for everything. Maybe it's none of those.

I start by considering my capabilities and mapping my current state. Where does my organization fit in the NIST Cybersecurity Framework? Where do I think I could go with my current staff? Who do I have in my partner organizations who can help me? Once I know where I am, I split my focus into two forks.

The first fork is the low-hanging fruit that can be resolved in the short term. Can I add some firewall rules to restrict the VLANs that don't need to communicate with each other? Can I audit user accounts and make sure we're following best practices for organizing and assigning permissions? Does MFA exist, and can I expand its use or implement it for some critical systems?

My second fork is to develop an ecosystem of talent organized around a security-focused operating model, also known as my long-term plan. DevOps becomes SecDevOps, where security is built in and comes first. My partners become more integrated, and I seek out and build relationships with new partners to fill my gaps. My teams are reorganized to support security by design AND in practice. And I develop a training plan that combines what we can do today (lunch-and-learn sessions with partners) with a long-term strategy (which may be upskilling my people with certifications).

This is the phase where we start a tool rationalization project. Which of my existing tools do not work as needed in the new Zero Trust world? They will likely need to be replaced soon. Which tools work well enough but will need to be replaced at the end of their contract? Which tools will we retain?

Finally, where do we see the big, hard rocks placed in our path? It is a fact that our networks will need to be redesigned, and designed with automation in mind, because the rules, ACLs and VLANs will be far more complex than before and changes will occur at a much faster rate than before. Automation is the only way this will work. The best part is that modern automation is self-documenting: the declared intent that generates the rules is the documentation, and the generated configuration can be checked against it.
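As an added illustration of both the quick win above (firewall rules between VLANs that do not need to talk) and the automation point in this paragraph, the following example is not the author's code and no part of the original post. It compiles a declarative allow list of zone-to-zone flows into an ordered, default-deny rule set, then checks two things a Zero Trust review cares about: the blast radius an attacker gains from a compromised zone by pivoting through allowed paths, and drift, meaning rules present on a device that the intent never produced. Zone names, VLAN ids, subnets and ports are constructed, and the rule format is a vendor-neutral 5-tuple rather than any firewall's CLI syntax.

```python
"""Segmentation policy as code: a declarative allow list compiled into
default-deny inter-VLAN rules, plus checks on blast radius and drift.

Added example for this post, not the author's code. Zone names, VLAN ids,
subnets and ports are constructed; the rule format is a vendor-neutral
5-tuple, not any firewall's CLI syntax.
"""
from collections import deque
from dataclasses import dataclass
from itertools import product

# Constructed zone map: zone name -> (VLAN id, subnet). Assumed values.
ZONES = {
    "users": (10, "10.10.0.0/24"),
    "web":   (20, "10.20.0.0/24"),
    "app":   (30, "10.30.0.0/24"),
    "db":    (40, "10.40.0.0/24"),
    "mgmt":  (99, "10.99.0.0/24"),
}

# Declarative intent: (src zone, dst zone, proto, port, reason). Everything not
# listed is denied, so this list is also the documentation of the design.
INTENT = [
    ("users", "web", "tcp", 443,  "browsers reach the web tier over TLS"),
    ("web",   "app", "tcp", 8443, "web tier calls the application API"),
    ("app",   "db",  "tcp", 5432, "application tier uses PostgreSQL"),
    ("mgmt",  "web", "tcp", 22,   "admin SSH from the management VLAN"),
    ("mgmt",  "app", "tcp", 22,   "admin SSH from the management VLAN"),
    ("mgmt",  "db",  "tcp", 22,   "admin SSH from the management VLAN"),
]


@dataclass(frozen=True)
class Rule:
    src: str      # source subnet
    dst: str      # destination subnet
    proto: str    # "tcp", "udp" or "any"
    port: str     # destination port or "any"
    action: str   # "allow" or "deny"
    comment: str  # the reason, carried into the rendered ACL


def compile_rules(intent=INTENT, zones=ZONES):
    """Expand intent into an ordered rule list: the allows, then an explicit
    deny for every ordered pair of distinct zones. A misspelled zone raises
    instead of silently matching nothing."""
    rules = []
    for src, dst, proto, port, why in intent:
        for z in (src, dst):
            if z not in zones:
                raise ValueError(f"unknown zone {z!r} in intent")
        rules.append(Rule(zones[src][1], zones[dst][1], proto, str(port), "allow", why))
    for a, b in product(zones, repeat=2):
        if a != b:
            rules.append(Rule(zones[a][1], zones[b][1], "any", "any", "deny",
                              f"default deny {a}->{b}"))
    return rules


def render(rules):
    """Render a vendor-neutral text ACL; each line carries its reason."""
    return "\n".join(
        f"{r.action:5} {r.proto:4} {r.src:>15} -> {r.dst:<15} port {r.port:5} # {r.comment}"
        for r in rules)


def allowed_edges(rules, zones=ZONES):
    """Directed zone-to-zone edges that some 'allow' rule opens."""
    by_subnet = {subnet: name for name, (_, subnet) in zones.items()}
    return {(by_subnet[r.src], by_subnet[r.dst]) for r in rules if r.action == "allow"}


def blast_radius(rules, start, zones=ZONES):
    """Zones reachable from a compromised `start` zone by pivoting along
    allowed paths, mapped to hop count; hop 1 is that zone's direct exposure."""
    edges = allowed_edges(rules, zones)
    hops, queue = {start: 0}, deque([start])
    while queue:
        here = queue.popleft()
        for a, b in edges:
            if a == here and b not in hops:
                hops[b] = hops[here] + 1
                queue.append(b)
    hops.pop(start)
    return hops


def check_forbidden(rules, forbidden, zones=ZONES):
    """Forbidden direct zone pairs that the policy nonetheless allows."""
    return sorted(set(forbidden) & allowed_edges(rules, zones))


def drift(compiled, deployed):
    """Rules on the device that the compiled policy did not produce: changes
    made outside the pipeline, which must be reviewed or removed."""
    want = set(compiled)
    return [r for r in deployed if r not in want]


if __name__ == "__main__":
    policy = compile_rules()
    print(render(policy))
    print("blast radius from users:", blast_radius(policy, "users"))
    # a "temporary" hand-added rule that bypasses the app tier entirely
    hotfix = Rule(ZONES["users"][1], ZONES["db"][1], "tcp", "5432", "allow", "troubleshooting")
    print("drift:", drift(policy, policy + [hotfix]))
    print("forbidden now allowed:", check_forbidden(policy + [hotfix], [("users", "db")]))
```

With the intent above, a compromised user workstation reaches the database only at hop 3 (through web and app); the hand-added "troubleshooting" rule collapses that to hop 1, and the drift check reports it because the rule has no counterpart in the intent. Keeping the intent list in version control gives the review history that a hand-edited firewall never has.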

The wonderful thing about being pragmatic is that we can make positive change, keep a long-term goal in mind that we can all align on, and focus on what we can change while building for the future. All of it wrapped in a communications layer for executive leadership and an evolving strategy for the board. Eat the elephant one bite at a time.
