Our panelists included people in the field as well as the creator of Zero Trust, John Kindervag. We unpacked a lot to get back to the basics on Zero Trust, what it is, and how the definition of it has been taken and transformed over the years by the marketing and security worlds.
Trust is a human trait, not a computer trait. You can’t trust a computer.
Trust is a problem because it is a human emotion and has no business in the digital world as digital content and events have no emotion. In Star Wars, Droids weren’t let in the bar because they monitor everything and can be corrupted. This is where we are today with machines. So, how do we validate and have confidence in the humans, the resources, and the workload?
Everyone wants to spin zero trust as identity…
Vendors are talking about “enabling” zero trust, but how can you enable something that is about disabling? Even if you can verify the identity, it doesn't mean it’s trustworthy. A perfect example would be Manning and Snowden. They were trusted users on trusted devices with the right endpoint protection, up to date, and had powerful multi-factor authentication, BUT nobody looked at the packets post-authentication. There was no question who the identities were. The exploit technique that was used was trust.
Trust is a vulnerability.
Trust is a vulnerability, and it is the only vulnerability that is an exploit technique at the same time. So, you don’t need to build new software to exploit trust. All you need to do is get authenticated on the network. Even if I know for sure that it is John on the network, how do I know he wasn’t bribed, or hasn’t betrayed the trust that we gave him?
You CAN build a Zero Trust Environment.
A Zero Trust strategy doesn’t have to be hard. Simplicity decreases risk, complexity increases risk. It all starts with what you are trying to protect.
Then ask yourself:
WHO is accessing that resource, through WHAT application, WHERE is it located, WHEN should they be allowed to access it, and WHY do they need access? Last but not least, HOW should we do it? And if you can do this at a packet level, it’s even better.
It’s not just about who gets in, it’s about what you need to protect.
Assume that adversaries will eventually get in. Therefore, identify the most important assets you want to protect, and protect them. There is no way to find a needle in a haystack. So, instead of saying, “I am going to solve this massive problem!”, break it down into smaller chunks and fix the smaller problems. Focus on what has access to the “protect” surface and eventually what could get exfiltrated out of there.
There is no magic button to push to create a Zero Trust Environment.
That being said, there is no one size fits all either. You may have to use multiple solutions and see how they integrate with one another for the purpose of protecting the things you deem critical: your high-value assets. You know, the ones that could get people fired or hurt customers. Zero Trust starts with what info you are going to stop and block. Checkpoints and roadblocks are necessary but also annoying, because they take more time on the users’ part.
A Second Set of Eyes
It’s about accountability in whatever Zero Trust environment you create. Have someone else look at what is going on to make sure things are valid and are agreeable in the ecosystem. Similar to how it’s done in development, where we have peers review our code before publishing it.
How to Get Started Now
Zero Trust is a strategy decoupled from the technology. Zero Trust isn’t a product, and it’s not about identity. You need to look at it strategically. Get people talking about it. Start by thinking about what you need to protect.
Five Step Methodology
1. Define “protect” surface.
2. Map transaction flows and know how your system works.
3. Architect it based on what you are trying to protect.
4. Create a policy so you have a granular policy statement. (Kipling Method Policy)
5. Monitor and maintain so you can reinject what you learned into logs to create an antifragile system.
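One way to write the granular policy statement from step 4 as code, with everything outside the rule denied by default. This is an added example, not from the panel or the original post; the rule fields, the reading of WHY as a recorded justification, and all names and sample values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class KiplingRule:
    who: frozenset    # verified identities allowed to reach the resource
    what: str         # the one application the traffic must arrive through
    where: str        # the protect surface the rule guards
    when: tuple       # (start, end) window in which access is expected
    why: str          # justification, kept so a second reviewer can check it
    how: frozenset    # inspection that must be applied to the traffic

@dataclass(frozen=True)
class Request:
    user: str
    app: str
    resource: str
    at: time
    inspection: frozenset

def unmet(rule, req):
    """List the Kipling questions this request fails for this rule."""
    checks = {
        "who": req.user in rule.who,
        "what": req.app == rule.what,
        "where": req.resource == rule.where,
        "when": rule.when[0] <= req.at <= rule.when[1],
        "how": rule.how <= req.inspection,
    }
    return [question for question, ok in checks.items() if not ok]

def evaluate(rules, req):
    """Allow only when a rule answers every question; otherwise deny."""
    for rule in rules:
        if not unmet(rule, req):
            return True, rule.why
    return False, "no rule matched (default deny)"

# Constructed sample policy for a hypothetical payroll database.
PAYROLL = KiplingRule(
    who=frozenset({"jdoe"}), what="payroll-web", where="payroll-db",
    when=(time(8, 0), time(18, 0)), why="run monthly payroll",
    how=frozenset({"tls-inspect", "dlp"}),
)
RULES = [PAYROLL]
```

A correctly authenticated `jdoe` is still denied when the request arrives through a different application, outside the window, or without the required inspection, which is the post-authentication check the Manning and Snowden example says was missing.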
Start small with some items that have low criticality to practice before you protect the crown jewels so that you have a good understanding of how you need to implement your Zero Trust environment. Practice!
Know your system and where you want to go. Make a deadline. Talk with other professionals in the field. Research and work with vendors that will work with and benefit your systems. Just get started and take it one step at a time.