Zero Trust, Be Practical to Avoid Another Hype

Shirley Zhao
Mar 14, 2021

A Misnomer

Zero trust is a misnomer. In my view, it implies a thoroughness in the approach to trust that easily creates the perception that zero risk can be achieved by tightening up trust everywhere. And there are articles all over the internet optimistic that zero trust finally brings hope of stopping data breaches.

No, of course; in the back of our minds, we all know it will not stop data breaches. The name itself contradicts reality: the internet world we all live in is complex, and trust is only one issue out of many. Organizations will quickly find constraints here and there where they won’t be able to achieve zero trust, not to mention that the technologies around zero trust will not be immune to vulnerabilities, which are unfortunately inherent in the internet and a major cause of security mishaps.

I think it is very important to stress this reality, especially for companies who are seriously considering gearing up investment in security solutions toward zero trust, putting their last hope behind it.

Zero trust does not mean zero risk. Be realistic about the complexity and constraints.

It’s Not Just the Technologies

I have long believed that organizations worldwide have invested too much in security technologies but have achieved too little. And I see a new round coming, toward zero trust. Solution providers are rushing to offer new products or pivot existing products to zero trust and organizations are jumping on the bandwagon to implement it through a myriad of zero trust solutions.

The truth is, technologies haven’t done as much good as we all had hoped. Looking back at the many years of never-ending cyberattacks and data breaches, security technologies have been constantly rolled out and resorted to, yet cyberattacks have worsened year after year, day after day.

True, it is hard for technology to catch up, as we extend the use of networks and data to endless possibilities in a modernized world, resulting in increased attack surfaces and vectors. What is hard to reckon with is that we have invested tons but haven’t done a good job of managing factors that don’t really break the bank.

Significant breaches such as those at Equifax, Target and the US OPM, the WannaCry ransomware, etc. (I’ll stop short of elaborating on the causes and simply point to one fact) were not due to a lack of protection from technologies but to a multitude of failures in human factors and processes, such as supply chain management, privileged access control, and vulnerability and patching processes, to name just a few.

In the face of countless attacks, we constantly tended to new technologies and pursued big initiatives. It is crucial for us to recognize that technologies alone do not solve problems. The same failures will reoccur in a zero trust network if we don’t tackle the challenges beyond the technologies head-on.

Zero trust is not just about technologies. Address human factors and processes.

Great Concept, Long Overdue

Don’t get me wrong, I’m by no means pessimistic about zero trust. Quite the opposite. The concepts behind zero trust are fundamentals and principles. They are much-needed best practices. And I think the world has waited too long for zero trust to become mainstream.

Zero trust reminds me of the years when I was writing software. Having learned my lesson from a poorly written component with embarrassing bugs, I taught myself to become exhaustive in verifying identity for every transaction, checking all potential scenarios in application logic, capturing every possible error the code could encounter and always failing safe in an exception block. In hindsight, that was the thoroughness in developing trust in code, a zero trust principle reflected in software development.

I say this not to earn bragging rights but to make the point that zero trust should be taken as an opportunity to apply best practices wherever possible instead of rushing to invest in another big initiative. Exercising thoroughness in developing trust can be done in every layer of security, from data and applications, transactions and transmissions, to devices and networks.

Think of the possibilities: examining the firewall rules may surprise you, and you could certainly find ways to tighten them up right away, before investing in a next-generation firewall; the business applications you have may offer a more secure authentication mechanism, and turning it on would provide stricter access control in a timely way, without a brand-new identity solution; the list could go on.

Such best-practice actions would greatly elevate your organization’s security posture, and they do not necessarily require a groundbreaking technology.

Zero trust is about principles and fundamentals. Do practice it wherever you can.

Be Practical to Avoid Another Hype

So far I’ve covered three practical viewpoints about zero trust:

  1. Zero trust does not mean zero risk. Be realistic about the complexity and constraints.
  2. Zero trust is not just about technologies. Address human factors and processes.
  3. Zero trust is about principles and fundamentals. Do practice it wherever you can.

Certainly, there are situations where a technology update will be justified or even inevitable in aiming for zero trust. Automation and Artificial Intelligence (AI) are creative capabilities organizations can embrace in upping their game.

The issue at play is doing it right and practically. My only hope is that, in the quest for zero trust, the effort doesn’t end up as a game of turning a dollar into a dime, with zero trust denounced a few years later as another hype.
