Sunday, January 2, 2022

The Zero Trust Framework Is Not A Product: It's A Philosophy & Mindset

In the world of Cybersecurity, there is no shortage of techno-jargon terms.  In fact, I would say that 2021 was probably one of the years in which this exploded, to the point where somebody even published an article on the most beaten-up and overused Cybersecurity terms. 

Well, in today’s blog, I am about to bring you one of those overused terms. 

It is called the “Zero Trust Framework”, and this is a subject area that I have written a good amount on, not just for this blog site, but in articles I have written for clients.  Generally put, the idea behind this is that you are implementing multiple layers of authentication mechanisms across your business. 

But it goes to one extreme:  Absolutely nobody is to be trusted, not even those employees that have been with you the longest.

The problem is that the Zero Trust Framework has been brought out more as an out-of-the-box product.  It really is not.  What it is is a framework, or even a concept, that lets you increase your levels of security, depending upon the exact needs of your security requirements. 

I have to confess as well; I may even have brought this out as a product that can be deployed.

So the goal of this blog is to hopefully get rid of the line of thinking that it is a product; rather, it is an abstract way of thinking that you can mold to fortify your lines of defense.  How can this be done?  Here are some tips:

1)     Make it into a mindset:

Many IT Security teams do a very good job of explaining their walls of defense, and what has and has not been segmented off in the IT and Network Infrastructure of your business.  They will mention all of the security mechanisms that they have deployed, and how each layer works.  But it is important to keep in mind here that they are talking in a micro way of thinking. The Zero Trust Framework requires that you (the CISO) and your IT Security team take a holistic, or macro, view of how these tools and technologies should be deployed. In other words, rather than taking a siloed approach, go to a whiteboard and draw your IT and Network Infrastructure, then from there mark what is segmented and what is not.  That will give you a much clearer idea of what is going on.  Better yet, use a diagram-based tool like Visio to create this, so that you can put in the updates as they evolve without having to redraw the entire thing again.

2)     Authentication never ends:

The thinking in Corporate America today is still that the authentication and/or verification process is a one-and-done deal.  Meaning, once your employee’s identity has been confirmed, that’s enough.  But the truth is, it is still not enough.  Although it may sound like a pain in the butt and totally inconvenient, your employee must be thoroughly authenticated for each and every shared resource that they want to gain access to, 24 x 7 x 365.  The key here is that each and every employee has to be treated this way, not just a select few.

3)     Give out only what is needed:

With the dawn of what seems like the never-ending COVID-19 pandemic, the 99% Remote Workforce is now going to be a reality for a long time to come, if not permanently.  Because of this, many businesses are now moving everything to a Cloud-based provider like AWS or Microsoft Azure.  The idea here is that all of your digital assets can be accessed more easily, and they will be in a safer type of environment, which is monitored on a real-time basis.  In fact, both of these Cloud providers offer a robust set of security tools that you can start using in just a matter of minutes.  One of the things that will be easier to monitor is the kinds of privileges, rights, and permissions that your employees have been assigned, and whether misconfigurations have been made to them, intentionally or not.  In this regard, you always want to keep making use of an old concept in Cybersecurity:  Establish the most minimal access rights that an employee needs in order to get their job done.  Then if they need more, the request should be evaluated, and only if it is needed should it be assigned.  This is the concept of “Least Privilege”. 
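To make tips 2 and 3 concrete, here is an added example (not code from the original post) of a small policy decision point: every access to every shared resource is re-evaluated, nothing is trusted just because a session exists, and users hold only a least-privilege grant that can grow only through an evaluated request. The user names, resources, and the 15-minute re-verification window are constructed for illustration.

```python
from dataclasses import dataclass
import time

# Constructed least-privilege table: each employee holds only the rights their
# job needs (tip 3). Anything beyond this must come through request_elevation().
LEAST_PRIVILEGE = {
    "alice": {"payroll-db": {"read"}},
    "bob": {"build-server": {"read", "write"}},
}

# Assumed threshold: identity must have been re-verified within the last 15 minutes.
MAX_AUTH_AGE_SECONDS = 15 * 60


@dataclass
class Session:
    user: str
    last_verified: float      # epoch seconds of the last identity check (e.g. MFA)
    device_compliant: bool    # result of the most recent device posture check


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(session, resource, action, now=None):
    """Tip 2: evaluate every request on its own; no earlier decision is reused."""
    now = time.time() if now is None else now
    if now - session.last_verified > MAX_AUTH_AGE_SECONDS:
        return Decision(False, "identity verification expired; re-authenticate")
    if not session.device_compliant:
        return Decision(False, "device is not compliant")
    granted = LEAST_PRIVILEGE.get(session.user, {}).get(resource, set())
    if action not in granted:
        return Decision(False, f"'{action}' on '{resource}' is outside the least-privilege grant")
    return Decision(True, "allowed")


def request_elevation(user, resource, action, approver_ok):
    """Tip 3: extra rights are added only after the request has been evaluated
    (here modelled as an approver's yes/no), never granted by default."""
    if not approver_ok:
        return False
    LEAST_PRIVILEGE.setdefault(user, {}).setdefault(resource, set()).add(action)
    return True
```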

4)     Make sure that everything is in an optimal state:

In today’s digital environment, many if not most businesses are outsourcing some of their own processes to third-party vendors in an effort to get the job done quicker.  While this may be the case, keep in mind that somebody else now has access to your PII datasets, and that raises the risk factor even more.  Because of this, you now have to take the assumption that there is always a security tool or technology that is not running efficiently to protect your digital assets.  Therefore, the Zero Trust Framework mandates that you also assume that nothing you deploy is working properly, and that everything must be constantly checked to make sure that it is running in the optimal state that you have established.  But keep in mind that there are many automated tools that can do this for you, especially when it comes to using AI and ML. So, you don’t have to have an individual constantly watching over your security tools and technologies all of the time.  What they need to be on the lookout for are the legitimate alerts and warnings that come in, and they must act on those quickly.

5)     Build a baseline model:

The Zero Trust Framework is not a one-size-fits-all approach.  Meaning, what works for one company probably will not work for you.  Therefore, you the CISO, and your IT Security team, have to take careful inventory of all of your digital assets, and categorize them according to their particular level of risk.  This is where a comprehensive Risk Assessment comes into play.  Then from here, build up the baseline profile of what you and your team think is a threat and what is not, and accordingly, the appropriate alarms will then go off.  But it is also important that this baseline profile be updated on a regular basis, in order to take into account any changes in the situation that may occur.  Remember that creating this takes both quantitative and qualitative factors into consideration, not just one or the other.  Again, using the tools of AI and ML will be a huge boon here, as these tools can do all of this in just a matter of a few minutes.

My Thoughts On This:

As I have mentioned before, the Zero Trust Framework is extreme, in that even the people you trust the most cannot, on a technical level, be trusted.  So now the question comes: how do you approach this when dealing with your employees and management, especially the C-Suite? 

Some may take the view that they should never be told that you are planning to deploy such a framework, in order to keep the level of friction down.

But I take the stance that honesty is the best policy here.  Always be upfront with your policy and the C-Suite.  This will always foster a better relationship in the end with everybody that is involved.  No need to keep anything secret.

But instead of using the term “Zero Trust”, perhaps a better phrasing would be “Zero Assumption”.  Just some food for thought.
