The Hidden Power of Zero Trust Thinking
Daytime Stress and Sleepless Nights
Managing cybersecurity, networks, workloads, and websites can be stressful, especially when many things go bump simultaneously in the middle of the night. During calmer daytime moments, we rationalize our decisions, believing that we select the right defensive or application architecture, analyze problems, and balance business and technical requirements based on logical thinking.
Reality Check
However, when we think we are making logical choices based on facts, brain science tells us that we are actually making emotional decisions. These are based on what will cause us less stress or risk to our reputation or company. Receiving praise for meeting personal performance indicators is important—or maybe we just like the person selling us something.
After that, we look for reasons to justify such decisions based on logic, showing off our smart thinking to look good and be admired. So, what has this got to do with Zero Trust?
Zero Trust: Principles, Methodology, and Implementation
For those not fluent in the term coined by John Kindervag, creator of Zero Trust methodology, here’s my quick overview of the principles and methodologies:
- Two Principles. The first: Assume a Breach has already happened. It’s the second: “Never Trust, Always Verify” that really shifts your thinking and empowers you—and it’s what this article is all about.
- Methodology. Define your security policy of what to protect, curating and testing the resilience of your assets. Then, know the flow of data and what to monitor. Repeat, to keep strengthening the many physical, organizational, and technical processes where vulnerabilities may lie.
- Implementation. The “how” and “where” is pretty straightforward, consisting of Identity Management, Authentication, Access Control, Least Privilege, Policy Enforcement in many locations and processes, Automated Monitoring and Micro-segmentation. It’s a big topic and you should be skeptical of “Complete Zero Trust Solutions.”
Why Does Zero Trust Empower Your Thinking?
So, why do “Never Trust, Always Verify” and the technical aspects of cybersecurity empower your decision-making? Only when you look at the impact and value of verification on your decisions do you see how it leads to clear, stress-free decision-making.
1. Commitment
| "Always Verify" Implies | "Trust" Implies |
|---|---|
| A Commitment to Being Secure | An Expectation That It's Secure |
When you trust somebody or something you do so with an expectation it's all going to work out just fine. However, expectation is dangerous. When things don't work out, you either blame yourself or somebody else for the result not being what you wanted or expected. When you verify, you are implementing your commitment that the processes, the software, the devices, and the people you train will be secure. Clearly there are no guarantees with security, but if things don't work perfectly, instead of being upset, you are left with your commitment to keep verifying. It's all part of the journey.
2. Delegation
"Always Verify" Implies "Trust" Implies
Managed Delegation of Responsibility Abdication of Responsibility
Only when your HR department, your service provider, software supplier, CPA firm, your physical security company, etc., verify in writing that what they have delivered is secure are you truly delegating, not abdicating, your responsibility. This makes a huge difference to how you operate your security. I have further developed this since my ISE article last August (cybyr.com/delegation) to show all the steps for providers and software companies to self-verify their products and services.
3. Integrity and Control
| "Always Verify" Implies | "Trust" Implies |
|---|---|
| Integrity | Sense of Incompleteness |
| Empowering and Proactive | Disempowered, Passive |
If you just trust your own internal departments or a third party, then you are left with a sense of being incomplete. This is why verification gives you a sense of integrity or, expressed another way, you are whole and complete—and not stressed.
Deploying unverified software is a passive act and is the source of many catastrophic attacks. You are not in control, yet you are still liable for any consequences. Properly delegating and verifying your supply chains’ internal processes is both empowering and proactive. This is why Zero Trust aligns closely with taking executive responsibility in your organization, helping you contribute and add value in a new way.
4. Protection, Conformance, and Competitive Positioning
| "Always Verify" Implies | "Trust" Implies |
|---|---|
| Measurable Written Protection | Uncertain Liability, Accountability |
| Competitive Positioning | Cost Center |
Verification also provides written, measurable protection that is an essential element of the SEC's requirements to show that you have proper processes in place. It works to the benefit of your organization and your suppliers, effectively creating a paper trail that can be included in your website’s terms and policy statements.
All of this is not just to ward off stress and uncertainty. This whole ethos can be used not only to enhance your competitive position relative to those who do not adopt it, but also to establish your organization as a leader in the protection of your business clients and end-user customers. This transforms adoption of Zero Trust from pure defense into a difference-making competitive advantage.
5. Continuous Monitoring
| "Always Verify" Implies | "Trust" Implies |
|---|---|
| Continuous Monitoring and Auditing | One-Time Monitoring |
Verification is not a one-off—which is why I prefer my version of the mantra, “Never Trust, Continually Verify,” to the original. What or who was authenticated five minutes ago may now be out of policy. This is why continuous monitoring and notification is another important strengthening of the defensive links. This is, after all, why it’s never over.
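To make the two technical points above concrete (the implementation components listed earlier: identity, authentication, access control, least privilege and policy enforcement; and the point that what was authenticated five minutes ago may now be out of policy), here is an added Python example. It is not code from the article or from cybyr.com. It models a toy policy decision point that re-evaluates identity freshness, device posture and role-based access on every single request and writes each decision to an audit trail. All names (`Session`, `DevicePosture`, `evaluate`), the five-minute re-authentication window, the minimum patch level and the resources are constructed assumptions for illustration.

```python
"""Continual verification: a toy policy decision point that re-checks every
request rather than trusting a one-time login.  Added example, not the
article's code; all names and policy values below are assumptions."""
from dataclasses import dataclass

MAX_SESSION_AGE_S = 300   # constructed: identity must be re-verified after five minutes
MIN_PATCH_LEVEL = 42      # constructed: devices below this posture level are out of policy

# Resource -> action -> roles allowed (least privilege: anything unlisted is denied)
POLICY = {
    "payroll-db": {"read": {"finance"}, "write": {"finance-admin"}},
    "wiki": {"read": {"staff", "finance", "finance-admin"}, "write": {"staff"}},
}

# Every decision is recorded so that monitoring is continuous, not one-time
AUDIT_LOG = []


@dataclass
class Session:
    user: str
    roles: set
    authenticated_at: float   # epoch seconds when credentials were last verified


@dataclass
class DevicePosture:
    disk_encrypted: bool
    patch_level: int


@dataclass
class Request:
    session: Session
    posture: DevicePosture
    resource: str
    action: str
    now: float                # epoch seconds at which the request is evaluated


def evaluate(req: Request) -> tuple:
    """Return (allowed, reason).  Nothing from an earlier call is reused:
    identity age, device posture and role mapping are all checked again."""
    if req.now - req.session.authenticated_at > MAX_SESSION_AGE_S:
        decision = (False, "reauth-required")           # stale identity
    elif not req.posture.disk_encrypted:
        decision = (False, "posture-disk-unencrypted")  # device out of policy
    elif req.posture.patch_level < MIN_PATCH_LEVEL:
        decision = (False, "posture-unpatched")         # device out of policy
    else:
        allowed_roles = POLICY.get(req.resource, {}).get(req.action, set())
        if req.session.roles & allowed_roles:
            decision = (True, "allowed")
        else:
            decision = (False, "no-matching-role")      # least privilege
    AUDIT_LOG.append({"user": req.session.user, "resource": req.resource,
                      "action": req.action, "at": req.now, "reason": decision[1]})
    return decision


def demo() -> list:
    """One session, several requests over time.  The first request is allowed;
    the same session is later denied because posture changed, then because
    the identity is older than the policy permits, then because the action
    exceeds the user's role."""
    alice = Session(user="alice", roles={"finance"}, authenticated_at=1000.0)
    healthy = DevicePosture(disk_encrypted=True, patch_level=42)
    outdated = DevicePosture(disk_encrypted=True, patch_level=41)
    return [
        evaluate(Request(alice, healthy, "payroll-db", "read", now=1010.0)),
        evaluate(Request(alice, outdated, "payroll-db", "read", now=1100.0)),
        evaluate(Request(alice, healthy, "payroll-db", "read", now=1400.0)),  # 400 s after login
        evaluate(Request(alice, healthy, "payroll-db", "write", now=1010.0)),
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

The point of the structure is that `evaluate` never consults a cached "this session was fine earlier" result: the same user on the same session is allowed at one moment and denied a few minutes later, and every verdict, allowed or not, lands in the audit trail where monitoring can pick it up.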
Final Word
Hopefully as you've read this, you can see why Zero Trust creates clear thinking to reduce the stress and acknowledges the emotional aspects of your technical and business decisions. If you do get it, then I advise taking a deep breath, putting a smile on your face, and getting back to enjoying your job!
Find out how to put all of this into action and more at cybyr.com.
Mark Fishburn | Provider of Strategic Network, Cybersecurity and Marketing Services
Mark is CEO of cybyr.com and has five decades of experience in software, networking, and security. He is a member of ONUG, MEF and CSA network and security working groups, a CISA contributor, and publisher of the holistic cybersecurity book Hey, Who Left The Back Door Open? For more information, or to give feedback, email [email protected] or follow him on LinkedIn.