As we entered 2023, we were bracing for the increase in cyber attacks to continue to grow. We are still bracing because they are still growing! In their Tech Trends 2023, Info-Tech Research Group advised CIOs, CISOs, and IT leaders to put high effort into zero-trust security. The principal author of the report, Brian Jackson, was so passionate about the recommendation it sent me in search of an expert to be a guest on the podcast I host, Status Go.
Through the search, I discovered the book, “The Zero Trust Project,” and reached out to the author, George Finney. Mr. Finney is the CISO of Southern Methodist University and the author of several books on cybersecurity. I recently sat down with him to discuss his book and zero-trust security. What follows are the highlights of his remarks. If you’d like to listen to the full interview, check out the Status Go podcast, episode 206: “Zero Trust as a Strategy.”
The Zero Trust Project
For those in software development, operations, or DevOps, you are undoubtedly familiar with the book “The Phoenix Project.” Finney uses the same literary technique in “The Zero Trust Project.” Through a fictional story, he guides the reader through the principles of zero trust security. In the book, Dylan, the new IT Director for March Fitness, wakes up on his first day to learn the company has fallen victim to a ransomware attack. In the days and weeks that follow, Dylan learns about Zero Trust, and therefore, so do we.
What is Zero Trust, Anyway?
At its core, Zero Trust is a strategy for digital security that operates under the assumption that every user, every device, and every connection is potentially insecure, and therefore no one should be trusted by default. In other words, Trust is a Vulnerability! This may sound extreme, but in today’s digital landscape, where cyber-criminals are becoming more sophisticated, it’s a necessary measure.
Zero Trust does not rely on traditional security measures like firewalls, VPNs, or passwords. Instead, it focuses on “protect surfaces” (think critical services and applications) and controlling access to them with policies, permissions, and monitoring, all customized to the specific protect surface. This is accomplished by mapping transaction flows, identifying trust boundaries, and assigning granular permissions for both users and devices.
What are the Benefits of Zero Trust?
The main benefit of Zero Trust is that it makes businesses more secure and, therefore, more resilient to cyberattacks. Traditional security measures such as firewalls and passwords are no longer sufficient for endpoint protection. Cyber-criminals are getting smarter, and the threats they pose are getting more sophisticated. Therefore, businesses need a comprehensive security solution that can protect against even the most advanced cyber-crime tactics.
Another benefit of Zero Trust is that it takes a more holistic approach to security. Instead of just protecting the perimeter, Zero Trust treats security as an ongoing process that requires careful planning, monitoring, and adaptation. These measures include securing the internal network.
Finally, another significant benefit of Zero Trust is that it can help organizations comply with industry regulations such as HIPAA, PCI DSS, and GDPR. This is because Zero Trust requires businesses to identify and secure their most critical data and operations, which are typically subject to industry-specific regulations.
How Can Zero Trust be Implemented?
The Zero Trust concept is not limited to any specific technology, methodology, or product. Instead, it’s a way of thinking about security that can be applied to any organization. Finney describes a four-step process for implementing a Zero Trust strategy.
Define Protect Surfaces: The first step in implementing Zero Trust is identifying protect surfaces, such as critical services or applications, that need to be protected. This involves mapping transaction flows to understand how data is used and shared across critical applications.
Map Trust Boundaries: The next step is understanding the trust boundaries of protect surfaces. Understanding the trust boundaries helps identify potential attack vectors and informs policy decisions.
Assign Policies and Permissions: Based on a detailed understanding of protect surfaces and trust boundaries, customized policies and permissions can be created for both users and devices. Finney introduces us to the “Kipling Method,” yes, that Kipling, the poet from a hundred years ago.
“I keep six honest serving men, They taught me all I knew;
Their names are What and Why and When, And How and Where and Who..”
In this “Kipling Method,” every group and every discipline is represented as you review each protect surface and ask the who, what, what, where, why, and how to develop the policies needed to protect the service or the application.
Monitor and Maintain: Zero Trust is an iterative process that requires continuous monitoring and maintenance of policies and permissions.
Finney cautions that for those companies that use a 3rd party SOC, the outsourced security providers must have skin in the game to guarantee effective feedback loops.
Challenges of Implementing Zero Trust
The biggest challenge of implementing Zero Trust is the required cultural shift. The idea of treating all user access as potentially insecure can be a difficult pill to swallow for some organizations. However, education is key. Help employees understand that they are part of the solution and not the problem. This requires a cultural shift that values cybersecurity across the organization and behind every project.
Finney challenges all organizations to stop saying that “the human is the weakest link.” This conveys the wrong message to those you must enlist in your cyber security program in order for it to be successful. He suggests using “humans are the ONLY link.” In other words, we have to partner with each other, AND we have to partner with the technology we are using.
Another challenge of implementing Zero Trust is the technical complexity involved when mapping trust boundaries, transaction flows, and developing policies. Organizations with limited in-house cybersecurity personnel will need to rely on third-party experts for implementation.
Zero Trust is a Strategy, not a Tool
Zero Trust is not a product or tool that can be bought out of a box. Instead, it is a framework that relies on repeatable methodology, customization, and ongoing maintenance. But despite these challenges, Zero Trust is a vital strategy in the increasingly complex world of online business operations.
By building Zero Trust into their organizational processes, businesses can better protect themselves from the vulnerabilities that lead to cyberattacks. It’s no longer just about protecting your perimeter: Zero Trust represents a new way of thinking about cybersecurity, where security is a continuous process that is continually monitored and where every employee is a team member.
Remember: Zero Trust is not a destination but a journey. It’s an iterative process that requires continuous education, experimentation, and adaptation. Despite the complexities of implementing a Zero Trust strategy, enterprises can realize a significant payoff by taking this proactive, inside-out approach to cybersecurity.
Tag/s:Business TransformationDigital EnterprisePodcastSecurity
Trackbacks/Pingbacks