
What Is Zero Trust Anyway?

Darrell Jones

About three minutes into planning this post, I had one of those “god, I am old” moments. Here is why. I have worked in cybersecurity since 1994. My first job was at a big 3 firm, working for the U.S. government through one of the world’s largest law firms. Yes, it was complicated. Back in those days (said in the voice of an old man), cybersecurity wasn’t even called cybersecurity. It was just security. Information security wouldn’t become a discipline in its own right until the early 2000s. Networking of computers was just getting off the ground. See what I mean? I started a long time ago.

The point is that even back when computers were just being networked, cybersecurity wasn’t a thing, and the position of CISO would have been considered witchcraft, there was a principle in IT architecture called “Know Your Computer” (KYC), later “Know Your Network” (KYN). The name came from the 1990s finance industry, where firms tried to learn everything they possibly could about their current clients in order to sell them more products. Remember, this was at the VERY beginning of the internet. The huge databases of users and their likes, dislikes, and after-midnight purchase habits were decades away.

KYC and KYN, then, are old principles. They have morphed into many things over the years, and today they are called Zero Trust. It would be unfair to compare the complexity and technical detail of today’s IT with yesterday’s. On the other hand, there are lessons from a simpler IT era that still have value today.

KYC or KYN

They are old concepts, but the principles are still relevant in today’s IT environment. Frankly, Zero Trust is the latest iteration of the KYN concept. Each KYN practice below is paired with its Zero Trust counterpart:

KYN: Know what the purpose is of all devices on the network
Zero Trust: Limit access for every device on the network to only what it needs to fulfill its role

KYN: Document the behavior of all the systems on the network and alert on deviations
Zero Trust: Document the behavior of all the systems on the network and block all other actions

KYN: Document your data flows
Zero Trust: Document your data flows and alert on changes

KYN: Create regular forums to review changes and updates to the network systems
Zero Trust: Regularly review alerts and violations of the Zero Trust controls

I could go on, but the point seems clear. KYN does not line up perfectly with the Zero Trust model; today’s threats and network complexity simply did not exist in the 1990s.

What Is Zero Trust Anyway?

We have all been in the industry for years. Even if you have been in it for only days, you have read articles, received emails, been called by vendors, and been invited to webinars, seminars, or drum circles selling Zero Trust. Every vendor, whatever the technology, is selling its product as the latest Zero Trust miracle cure. There have been many industry fads, and cataloguing them is not the point of this post. The point is to explain Zero Trust and some strategies for deploying it effectively and economically.

Zero Trust is a philosophy. Simply put: do not allow anything to occur on a network you are responsible for that you do not already know about. Like all philosophies, that is simple to say, easy to understand, and hard to implement. You may be asking yourself, “I have 5k endpoints, 40 cloud providers, 800 servers, and 600 applications. Does he expect me to swim-lane all of that? He is an idiot.” I said those words to myself about my own first steps into Zero Trust. I too called someone an idiot. Then I started to think about how I would answer the questions I would be asked by some business development exec who had read the words Zero Trust on the back of a magazine while flying cross country: “Quick question XXX, what is our Zero Trust strategy? I need to understand it, so create a quick three-slide deck explaining why we are world class at it.” I started with our crown jewels. Others call it the High Value Asset (HVA) list. Whatever you call it, that is where you start.

Step one is documenting who uses each HVA, what they do with it, when, from where, and how. This will most likely take the form of interviews with the business users. NOT the business leaders. You need the leaders’ blessing, but the people actually using the HVA are the ones you need to work with. The artifacts of these interviews are workstation names, usernames, applications, business process documentation, and data flows. With those questions answered, you can build a Zero Trust strategy around that HVA. If it is not accessed remotely, remove remote access. If only a limited set of users needs access, remove everyone else. If only a limited set of computers needs access, remove the rest. If the process does not transfer data via email, put in a DLP block to eliminate that transfer mechanism. You are building walls around the business process, not changing it, and that point needs to be stressed when you work with the business: you are not going to make their day-to-day experience worse. Each time you put in a control, make sure you have alerting on changes to it. If you use groups to grant access and that group’s membership changes, have an alerting strategy that notifies both the business and cybersecurity operations of the change. Perhaps it was not expected or approved, and you have uncovered something before any damage occurs.
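Here is the step-one baseline above turned into a check you could actually run, as an added example that is not part of the original post. The HVA name, user and workstation names, group name, log format and log lines are all constructed for illustration. The idea it shows is that the interview artifacts become an allow-list, and anything outside it (a user added to the access group, an access from an undocumented workstation, a remote session for a process that is never remote) produces an alert to route to both the business owner and security operations.

```python
"""Added example (not from the original post): turning a documented HVA
baseline into an automated deviation check.

The baseline is what the step-one interviews produce for one high value
asset: the approved users, the approved workstations, whether remote access
is part of the process, and the access group that should contain exactly the
approved users. The check compares that baseline against a snapshot of the
group's current membership and a batch of access log lines, and emits one
alert per deviation. All names, the log format and the log lines below are
constructed for illustration; they do not come from any real environment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HvaBaseline:
    """What the business interviews documented for one HVA."""
    name: str
    approved_users: frozenset
    approved_workstations: frozenset
    access_group: str            # group that should contain exactly approved_users
    remote_access_allowed: bool


@dataclass(frozen=True)
class AccessEvent:
    user: str
    workstation: str
    source: str                  # "onsite" or "remote"


def parse_event(line: str) -> AccessEvent:
    """Parse one constructed log line: '<timestamp> user=.. workstation=.. source=..'."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return AccessEvent(fields["user"], fields["workstation"], fields["source"])


def check_group_membership(baseline: HvaBaseline, current_members) -> list:
    """Alert when the access group drifts from the documented user list in
    either direction: an unapproved member is a possible unauthorised grant,
    a missing approved user is a possible broken business process."""
    members = set(current_members)
    alerts = []
    for user in sorted(members - baseline.approved_users):
        alerts.append(f"unapproved-group-member {baseline.access_group} {user}")
    for user in sorted(baseline.approved_users - members):
        alerts.append(f"approved-user-missing-from-group {baseline.access_group} {user}")
    return alerts


def check_access_events(baseline: HvaBaseline, events) -> list:
    """Alert on any access that the documented process does not include."""
    alerts = []
    for ev in events:
        if ev.user not in baseline.approved_users:
            alerts.append(f"unapproved-user {ev.user} accessed {baseline.name} from {ev.workstation}")
        if ev.workstation not in baseline.approved_workstations:
            alerts.append(f"unapproved-workstation {ev.workstation} used by {ev.user} for {baseline.name}")
        if ev.source == "remote" and not baseline.remote_access_allowed:
            alerts.append(f"remote-access-not-approved {ev.user} reached {baseline.name} from {ev.workstation}")
    return alerts


def run_check(baseline: HvaBaseline, current_members, log_lines) -> list:
    """Run both checks; the returned list is what you would send to both the
    business owner and security operations."""
    events = [parse_event(line) for line in log_lines]
    return check_group_membership(baseline, current_members) + check_access_events(baseline, events)


# Constructed sample data: a payroll database HVA whose documented process
# involves two users on two finance workstations, never remotely.
SAMPLE_BASELINE = HvaBaseline(
    name="PAYROLL-DB",
    approved_users=frozenset({"ajones", "mlee"}),
    approved_workstations=frozenset({"WS-FIN-01", "WS-FIN-02"}),
    access_group="SG-Payroll-DB-Users",
    remote_access_allowed=False,
)

# Constructed group snapshot: someone added tsmith since the baseline was taken.
SAMPLE_MEMBERS = ["ajones", "mlee", "tsmith"]

# Constructed access log: one expected access, one approved user working
# remotely, and the new group member reaching the HVA from an HR workstation.
SAMPLE_LOG = [
    "2024-03-04T09:12:03Z user=ajones workstation=WS-FIN-01 source=onsite",
    "2024-03-04T09:40:17Z user=mlee workstation=WS-FIN-02 source=remote",
    "2024-03-04T10:02:55Z user=tsmith workstation=WS-HR-07 source=onsite",
]

if __name__ == "__main__":
    for alert in run_check(SAMPLE_BASELINE, SAMPLE_MEMBERS, SAMPLE_LOG):
        print(alert)
```

Run as written, the sample data produces four alerts: the unapproved group member, the remote session, and two for the HR workstation access (unapproved user and unapproved workstation). In a real deployment the group snapshot would come from your directory and the events from your SIEM; the design point is that every control is checked against the same documented list that justified it, so a change to that list is itself the first thing to alert on.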

Your program may not yet have the control needed for that HVA in place. If so, you have now documented the business justification for it. I suspect, though, that your program already has most of the technical capabilities needed. A Zero Trust strategy really only lets you do two things. Number one, use the new-fangled lingo to describe your efforts and needs. Number two, focus your teams’ efforts on the HVA list. Trying to deploy Zero Trust across an entire enterprise at once is a fool’s errand. Start with the most important assets in the organization first.
