Every security vendor right now:
Vendor: “Hey CISO, have you checked out our new Zero Trust solution? It’s all you’ll ever need!”
CISO: “Wow, you have a new solution that aligns with that Zero Trust concept where you don’t trust anything?”
Vendor: “Hell yeah, it’s the shizzle!”
CISO: “So does that mean we can’t even trust your product?”
Vendor: “Oh no no no, you can 100% trust our Zero Trust solution!”
There's a huge amount of hype concerning Zero Trust and most of what I read can be attributed to marketing buzzwords and bandwagon jumping. Fundamentally, the principles that underpin the concept of Zero Trust are sound, but vendors seem to be riding yet another wave of FUD (fear, uncertainty and doubt), this time driven by the pandemic and the rapid move to a very distributed workforce.
Zero Trust is not a new concept; it’s been around since 2013, when John Kindervag coined the term while he was at Forrester. I don't like the term and think we should stop using it, as it’s both misleading and unforgiving in a corporate environment.
My view is:
Firstly, you have to trust something, so it’s not Zero Trust. For a start, you need to trust your authentication systems, otherwise, nobody is getting access to anything!
Secondly, the term just doesn’t sit well with corporate executives who are trying to empower employees and allow them greater autonomy and flexibility in ways of working. To announce at a town hall meeting that your security team are now following a Zero Trust approach brings visions of old-fashioned and out-of-date practices where ‘security says no’.
I much prefer the term Adaptive Trust, where you can raise and lower the bar for authentication requirements based on the context of what is being requested, which is what you implement in a real-world scenario.
Insider threat is an increasing concern. With the huge upturn in home working, a lot of organisations are feeling like they have lost some level of control as they don’t have eyes on people as much as they used to. However, I don’t think this is a major concern as the technology is there to give us the visibility and controls required, provided your organisation has acted quickly and rolled it out - think EDR (endpoint detection & response), CASB (cloud access security broker), Private Network Access and so on…
Security leaders need to keep in mind that Zero Trust is more of a philosophy than a technical solution. You need to deploy security controls that can challenge harder when the risk is higher, and to do this you need solutions that provide a high level of confidence in the identity of both the users and devices. You need an understanding of the context of individual requests for access or data, and central to making everything work there needs to be a policy that helps orchestrate when to allow, when to deny and when to request additional verification.
It's a bit of a cliché, but identity really is the new perimeter, and to use identity effectively you need as much context as possible. It's not just about ‘is this person who they say they are?’; it's about where they are, what device they are using, what time of day it is and whether the actions they are taking are in any way unusual (e.g. logging into a finance system at 3am when they have only ever done that 9am-5pm previously). It's a difficult thing to get right, but improving Identity & Access Management (IDAM) should be at the top of the priority list for all security teams.
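To make the allow / deny / request-additional-verification policy described above concrete, here is a small sketch added for illustration; it is not taken from any product or from Savanti. The signal names, score thresholds, MFA freshness window and sample user baseline are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Request:
    user: str
    resource: str
    sensitivity: int              # 1 = low, 3 = high (set by the resource owner)
    device_managed: bool
    country: str
    when: datetime
    mfa_age_min: Optional[int]    # minutes since last MFA; None = no MFA yet

@dataclass
class Baseline:                   # what "normal" looks like for this user
    usual_hours: range
    usual_countries: set

MFA_FRESH_MIN = 15                # assumed: MFA this recent counts as a passed challenge
STEP_UP_AT, DENY_AT = 2, 6        # assumed score thresholds

def signals(req, base):
    """Context signals that differ from the user's baseline."""
    found = []
    if not req.device_managed:
        found.append("unmanaged_device")
    if req.country not in base.usual_countries:
        found.append("new_location")
    if req.when.hour not in base.usual_hours:
        found.append("unusual_hour")
    return found

def decide(req, base):
    """Return (decision, reasons); the bar rises with resource sensitivity."""
    found = signals(req, base)
    score = len(found) * req.sensitivity
    if score >= DENY_AT:
        return "deny", found
    if score >= STEP_UP_AT:
        fresh = req.mfa_age_min is not None and req.mfa_age_min <= MFA_FRESH_MIN
        return ("allow" if fresh else "step_up"), found
    return "allow", found

# Constructed sample data: a user who normally works 9am-5pm from GB.
BASE = Baseline(usual_hours=range(9, 17), usual_countries={"GB"})

def req_at(hour, resource="finance", sensitivity=3, managed=True,
           country="GB", mfa=None):
    return Request("alice", resource, sensitivity, managed, country,
                   datetime(2024, 3, 4, hour, 0), mfa)
```

With this baseline, the 3am finance login from a managed device in the usual country is challenged rather than blocked, while the same hour from an unmanaged device in a new country is denied. Returning the reasons alongside the decision gives the audit trail needed to tune the thresholds.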
The views of Richard Brinson, CEO of Savanti
As Chief Executive Officer, Richard is responsible for the strategic direction and growth of the business. An experienced FTSE 100 Executive and Board Advisor, he has been providing strategic security guidance to many of the world’s largest global businesses for over 20 years.
Richard holds an MSc in Information Security from the Royal Holloway University of London.