Do we trust Zero Trust?

The question itself may seem illogical to some, meaningless to others, and obvious to those of us who have worked in the cybersecurity space for some time. Please allow me to explain where I am coming from with this question. But before I do, I want to refer to the definition to avoid preaching to the choir.

So, what is Zero Trust?

Essentially, it is a model. A security model. Alternatively, you could call it an approach, framework, or architecture. Different people refer to it in different ways. I prefer the “scientific model” view: Zero Trust is first and foremost a conceptual representation of a system of ideas, events, or processes.

It is also a strategy: a plan of action designed to achieve a long-term or overall aim. As with any plan, it is only as good as those who follow it.

When it comes to context, what this model and strategy tell us is that we need to eliminate implicit trust. Or, as Microsoft states, “never trust, always verify”. This includes and applies to everything that can be accessed and belongs to an organisation: identities, devices, networks, infrastructure, services, code… the list goes on.
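The “eliminate implicit trust” point above, as an added example that is not part of the original post: a toy policy decision routine in Python that contrasts a perimeter model (location implies trust) with a deny-by-default decision that verifies identity, device and risk signals per resource. Every resource name, signal and sample request in it is constructed for illustration; it models no particular product.

```python
# Added example, not taken from the original post: a toy policy decision point
# contrasting implicit (perimeter) trust with a "never trust, always verify"
# decision. Every name, signal and sample request below is constructed.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """Signals available at the time of an access decision (constructed)."""
    user: str
    resource: str
    on_corporate_network: bool   # where the request came from
    mfa_satisfied: bool          # strong identity verification completed
    device_compliant: bool       # device health known and acceptable
    risk_score: int              # 0 (clean) .. 100 (hostile), hypothetical signal feed


def perimeter_decision(req: AccessRequest) -> Tuple[bool, str]:
    """Legacy model: anything inside the network perimeter is implicitly trusted."""
    if req.on_corporate_network:
        return True, "allow: request originated inside the corporate network"
    return False, "deny: request originated outside the corporate network"


# Per-resource requirements the policy verifies explicitly (constructed values).
RESOURCE_POLICY = {
    "mail":         {"require_mfa": True, "require_compliant_device": False, "max_risk": 70},
    "admin-portal": {"require_mfa": True, "require_compliant_device": True,  "max_risk": 20},
}


def zero_trust_decision(req: AccessRequest) -> Tuple[bool, str]:
    """Deny by default; grant only when every required signal has been verified.

    Network location is deliberately absent from the checks: it is not a proof
    of identity, so it cannot by itself earn access.
    """
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "deny: unknown resource, no policy defined"
    failures = []
    if policy["require_mfa"] and not req.mfa_satisfied:
        failures.append("MFA not satisfied")
    if policy["require_compliant_device"] and not req.device_compliant:
        failures.append("device not compliant")
    if req.risk_score > policy["max_risk"]:
        failures.append(f"risk score {req.risk_score} above limit {policy['max_risk']}")
    if failures:
        return False, "deny: " + "; ".join(failures)
    return True, "allow: all required signals verified"


def evaluate(requests: List[AccessRequest]) -> List[dict]:
    """Run both models over a batch of requests so the difference can be audited."""
    results = []
    for req in requests:
        p_ok, p_why = perimeter_decision(req)
        z_ok, z_why = zero_trust_decision(req)
        results.append({"user": req.user, "resource": req.resource,
                        "perimeter": p_ok, "zero_trust": z_ok,
                        "perimeter_reason": p_why, "zero_trust_reason": z_why})
    return results


# Constructed sample: the same account "joe" seen in three situations.
SAMPLE_REQUESTS = [
    # Joe at his desk, but the session has no MFA: the perimeter model waves it through.
    AccessRequest("joe", "admin-portal", on_corporate_network=True,
                  mfa_satisfied=False, device_compliant=True, risk_score=5),
    # Joe working remotely, MFA done, managed laptop: verified signals earn access.
    AccessRequest("joe", "admin-portal", on_corporate_network=False,
                  mfa_satisfied=True, device_compliant=True, risk_score=10),
    # Someone presenting as Joe: MFA reported, but unmanaged device and elevated risk.
    AccessRequest("joe", "admin-portal", on_corporate_network=False,
                  mfa_satisfied=True, device_compliant=False, risk_score=60),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REQUESTS):
        print(row)
```

The point of running both functions side by side is the audit trail: the first request is allowed by the perimeter model and denied by the Zero Trust one, the second is the reverse, and the third is denied by both but for different reasons. Only the second set of reasons says anything about who or what was actually verified.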

Understandably, depending on the organisation size and systems used, embracing Zero Trust can translate into many years of effort, and, like any digital transformation project, there is a requirement for real-time data analysis. The use of artificial intelligence and machine learning is also key to ensuring that the organisation is able to enjoy the fruits of that costly labour. In this context, identities, devices, networks, infrastructure, and services need to be seen as data points.

The journey itself is not the end goal and a model needs to be perpetually validated

Once Zero Trust has been achieved, managing the security posture across all data points and having the equivalent operational framework to do so (i.e. systems, people, processes) is important. It is crucial to transform the business into a secure environment for your employees, customers, and the intellectual property that forms the value of what you do.

Any digital transformation project that fails to communicate change fails to embrace it.

It’s essential to communicate your masterplan to all users, keeping them informed and not treating them like children that “don’t know any better”. Resistance to change is yet another hurdle that will meet you halfway and which you need to address.

This is nonsense… I now have to go through all these hoops to do something that I could previously do in 2 minutes! – (Signed: Joe)

Understanding why people resist security models is key to seeing whether their requirements are reasonable. It is important to optimise how you enforce a business change. There is bound to be a lack of understanding on the user end as to why it is beneficial for both the user and the business. Joe in the context above is not necessarily your “average Joe”. They can be C-level executives or even technical directors with a long history of achievements in the business.

Anyone’s feedback is valuable, and dismissing it with a “security comes first, this is the process and you need to follow it” is as monolithic and autocratic as it sounds.

We need to understand how our changes have impacted Joe in his day-to-day work before an annoyance becomes a reason for dismissal. This could be an apparent performance drop, or Joe quitting because he feels his voice is not heard. If the outcome of that investigation comes down to the fact that Joe doesn’t understand, for example, why he should use MFA before managing a system, we also need to explain to Joe that…

It is not Joe that we do not trust. It is someone pretending to be Joe.

Time and again, when I explained account takeover to the users of a business during a project, it triggered an “Aha” moment. It may sound simple to the converted, but as a wise professor of mine (Dr. Bill Vassilakos at the University of Piraeus) once said: “There are no dumb questions. There are only questions.” And I would add to this today:

Nothing is obvious unless everyone in the room agrees it is.

Looking at the future of business through the prism of security

Recently Microsoft released a certification called “Cybersecurity Architect Expert”. One point that this certification makes is that we don’t just need more people in cybersecurity, we need those who can evolve into strategic thinkers:

We need more people who can strategize. We need more people who would be able to see the future of a business through the prism of security.

Even though a single vendor certification by itself does not prove that in-depth understanding and experience are in place, it can still serve as a good indicator that, at the very least, the business you choose to design your journey has up-to-date credentials on what Zero Trust means as of now.

We need to overcome the demonisation of cybersecurity, and pragmatism is how you start doing so.

Can you enforce Zero Trust in an environment that still uses Active Directory as its authoritative identity source? Yes, but it is a lot more difficult and complex than moving all those identities to Azure AD and using that as your control plane. This, for instance, is one of the first discussions a cybersecurity strategist needs to have with a business that intends to embrace Zero Trust.

In this example, the business would need to understand what the Tier Model is, what the concept of a “Red Forest” was (in order to understand the reasoning behind the Tier Model), then form a plan to re-design Active Directory Domain Services (AD DS) to fit the model. This should include:

  • All prerequisites which may even require operating system and forest level upgrades.
  • An analysis and understanding of the medium and long term impact of changes and upgrades.
  • Ensuring an operational model is in place before Tiering is enforced.
  • Communication to users that they would need to use separate accounts depending on the system they want to access, etc.

It’s not just about products, controls, processes, and enforcements, it is also about asking the right questions, at the right time.

In the example above a business could potentially save a lot of money and effort by taking the time to analyse whether their AD DS environment is actually necessary for what they need to achieve in the next 5 years. What is our reliance on AD DS today where we have alternatives? Do we already know, or do we need to find out by creating a capability matrix between AD DS and Azure AD?

We shouldn’t take anything for granted. We need to be able to see the bigger picture at the very start of the design.

Embracing Zero Trust

A transformation project can certainly be split into phases to reduce complexity and eliminate the analysis paralysis factor. But we still need to have an endgame perspective. This requires real-world insight and experience, just as much as it needs a budget from the business to support this extensive analysis.

During this phase it may seem like nothing is happening, but remember that failing to prepare is preparing to fail.

This hits at the core of the article’s question. Do we trust Zero Trust? Or is it something we’ve been sold on due to the hype and the threat of ransomware?

If the latter, then I would argue that your business does not need a Zero Trust model. It needs a cultural shift.

Trying to apply a Zero Trust model in that case would just mean sending money down the drain. Can you change your mindset by embracing Zero Trust? You certainly can, but be prepared for a long and painful journey. How do you reach that mindset shift? It’s no different from any agile transformation methodology: you need a plan to get you started. Then you need a plan to put the outcomes of that start into practice.

Create a self-feeding cycle of information that keeps you going until all stakeholders are on board with what needs to happen. Stakeholders need to be able to understand the change to a good, not perfect, extent, so that they can serve as advocates of that change.

Clearly, if your CEO still wants a way to get their emails via the Apple iOS Mail app and doesn’t want to be prompted for MFA when signing in from their holiday location, or wants to access Google Drive, where they store their personal photos, from their corporate device, then it is clear that you still have some work to do on this cultural shift, which always needs to start at the top before it filters down to key workers.

Cybersecurity professionals have an ethical responsibility to drive informed decisions by triggering challenging discussions.

Challenging does not mean being difficult. It means taking a cautious approach to delivering a future that has your business values at heart.

Feel free to reach out to me if you feel this helped you in any way, shape or form, or just to share your own thoughts on the subject.