Traditionally, our approach has been to trust everything inside the network and the enterprise, and to place our security at the edge of the perimeter. Pass all the checks and you belong to the “Trusted” group. This approach works well when the adversary is unsophisticated, most end-user workstations are desktops, the number of remote users is very small, and all our servers sit in a handful of data centers that we fully or partially control. We are happy with where we are in the world and what we have built. Of course, we are also asked to do more with less, and this security posture is simpler and cheaper than the alternatives.
Starting with Stuxnet, this began to change. Security went from a little-known, accepted cost discussed behind the scenes to a topic raised at board and shareholder meetings. Overnight, executives went from knowing nothing about cybersecurity to having to understand what the company does with its network. Attacks increased, and major news organizations began reporting on cyber incidents. Legislation has changed to reflect this new world, with more to come. How do we deal with this new world and all its demands?
Zero Trust is a fundamental change in cybersecurity strategy. Where before we focused on perimeter control and built all security around the concept of inside and outside, now we need to focus on every component and every potential Trojan horse. Something may appear legitimate enough to pass through the border while in reality hosting a threat actor waiting to strike. Worse still, your applications and infrastructure may be a ticking time bomb waiting to detonate, because the code used in these tools is exploited in “supply chain” attacks; they are vulnerable through no fault of the organization. Zero Trust says: “You are trusted to take one action, in one place, once. When anything changes, you are no longer trusted and must be verified again, regardless of your location, application, user ID, and so on.” Zero Trust is exactly what it says: “I don’t trust anything, so I verify everything.”
This is a neat theory, but what does it mean in practice? We need to limit users to the absolute minimum network access with strict sets of ACLs, limit applications so they can communicate only with the things they must communicate with, and segment devices so that they appear to be on separate private networks, while remaining dynamic enough to change trust boundaries as the organization grows and still being able to manage those devices. The overall goal is to reduce the “blast radius” of any compromise in the organization, because a cyber attack is not a matter of “if” but “when.”
So what do I do when my philosophy shifts from “I know it and trust it” to “I can’t believe this is what it claims to be”? Especially when I consider that I don’t get 5x the budget to handle 5x the complexity. I watch the market. Good news! Every security vendor is now telling me how their tools, platforms, services, and shiny new things solve Zero Trust. So I ask questions. In my opinion, they are really only addressing it through marketing. Why? Because Zero Trust is hard. Very hard. It is complex and requires change across the organization: not just the tools but the trio of people, process and technology; not just my tech team but the entire organization; not just one region but globally. That is a lot.
Nonetheless, nothing is lost, because Zero Trust is not a fixed outcome but a philosophy. It is not a tool, an audit, or a process. I can’t buy it and I can’t prove it (no matter what the seller says). And that gives hope. I also keep in mind the cliché “perfection is the enemy of progress,” and I realize that I can move the needle.
So I take a pragmatic view of security through the lens of Zero Trust. I’m not going to do it all at once. Instead, I look at what I can do and where my existing skills lie. How is my organization designed? Am I a hub and spoke, with a core organization providing shared services to mostly independent business units? Maybe I have a grid of spread-out BUs, organically integrated and staffed through years of mergers and acquisitions. Maybe we are fully integrated as an organization with one standard for everything. Maybe none of these.
I first consider my capabilities and map my current state. Where is my organization on the NIST Security Framework model? Where do I think my current employees can go? Who in my partner organizations can help me? Once I know where I am, I fork my attention.
The first fork is the low-hanging fruit that can be resolved in the short term. Can I add some firewall rules to better restrict VLANs that don’t need traffic between them? Can I audit user accounts and ensure we follow organizational and permission-assignment best practices? Does MFA exist, and can I expand its use, or apply it to some critical systems?
My second fork is developing a talent ecosystem organized around a security-focused operating model, also known as my long-term plan. DevOps becomes SecDevOps, with security integrated first. My partners become more integrated, and I seek out and build relationships with new partners who fill my gaps. My team is restructured to support security by design and in practice. I develop a training plan with an equal focus on what we can do today (partner lunch-and-learns) and on long-term strategy (which might lead to certifications for my staff).
This is also the stage where we start our tool rationalization project. Which of my existing tools are not performing as needed in the new Zero Trust world and may need to be replaced in the short term? Which tools work well but should be replaced when the contract ends? Which tools do I have to keep?
Finally, where do we see the big, hard rocks blocking our way? There is no doubt that our network needs to be redesigned, and designed with automation in mind, as rules, ACLs and VLANs will be far more complex and changes will happen much faster than before. Automation is the only way to keep up. The best part is that modern automation is self-documenting.
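As an added illustration, not from the original post, of two points made above (restricting traffic between VLANs as short-term low-hanging fruit, and network automation that documents itself): a constructed segmentation policy kept as code, audited for rules that widen the blast radius, and rendered into a default-deny ACL in which every permit line carries its business justification. The segment names, prefixes, flows and the generic ACL syntax are all hypothetical.

```python
from dataclasses import dataclass
from typing import List, Tuple

ANY = "any"

@dataclass(frozen=True)
class Flow:
    src: str      # source VLAN name
    dst: str      # destination VLAN name, or ANY
    ports: Tuple  # allowed TCP ports, or (ANY,) for every port
    reason: str   # business justification, stored with the rule

# Constructed segment-to-prefix map (hypothetical addressing, not from the post).
SEGMENTS = {"workstations": "10.10.0.0/24", "app": "10.20.0.0/24", "db": "10.30.0.0/24"}

# Constructed policy: two least-privilege flows and two "temporary" rules of the
# kind a short-term audit should catch (a tier bypass and an any/any rule).
POLICY = [
    Flow("workstations", "app", (443,), "users reach the web tier over HTTPS"),
    Flow("app", "db", (5432,), "app tier queries PostgreSQL"),
    Flow("workstations", "db", (5432,), "legacy reporting tool"),
    Flow("app", ANY, (ANY,), "left over from migration"),
]

def flow_findings(f: Flow) -> List[str]:
    """Findings for one flow: anything wider than its stated reason needs."""
    out = []
    if f.dst == ANY or ANY in f.ports:
        out.append(f"{f.src}->{f.dst}: any-destination or any-port rule ({f.reason})")
    if f.dst == "db" and f.src != "app":
        out.append(f"{f.src}->db: only the app tier may reach the database ({f.reason})")
    return out

def audit_policy(policy: List[Flow]) -> List[str]:
    """Low-hanging-fruit pass: list every over-permissive flow in the policy."""
    return [msg for f in policy for msg in flow_findings(f)]

def render_acl(policy: List[Flow]) -> List[str]:
    """Emit only audited flows as generic ACL lines, each preceded by its reason,
    and close with an explicit default deny: the generated file is the documentation."""
    lines = []
    for f in policy:
        if flow_findings(f):
            continue  # refuse to emit what the audit rejected
        for port in f.ports:
            lines.append(f"# {f.reason}")
            lines.append(f"permit tcp {SEGMENTS[f.src]} {SEGMENTS[f.dst]} eq {port}")
    lines.append("# default deny: traffic without a justified rule above is dropped")
    lines.append("deny ip any any")
    return lines
```

Keeping the policy in version control turns every ACL change into a reviewed diff, and re-running the audit on each change keeps the "temporary" exceptions from quietly becoming permanent.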
The beauty of being pragmatic is that we can make positive changes now, keep a long-term goal in mind that we can all align with, focus on what we can change, and at the same time prepare for future development. All of this sits within the executive leadership’s communications layer and the board’s evolving strategy. Eat the elephant one bite at a time.