The Price of Distrust
Zero Trust – The Case In Favour
I like Zero Trust models. It’s a robust design ethos and the granularity of response it offers is currently unparalleled. In an increasingly Cloud-first (or Cloud-only) world with evergreen SaaS services it’s an achievable technological goal, offering a response and mitigation to almost anything the world throws at your environment. It allows enhancements and adaptations to the ever-evolving threat landscape.
But...
I use Domain Driven Design approaches to work out the right tool for the job at hand. Where Zero Trust is being discussed I spend most of the initial engagement exploring whether it is right for the organisation and environment in question. Because Zero Trust is beautifully expansive, nuanced and granular. Or in other words it can be huge, complicated and complex. Poor implementations could leave you more vulnerable than before in exchange for a lot of time and money, a fairly bad equation. It’s not a beginner’s model and will take longer and cost more than you thought. And you’ll still get breached. One of the fundamental assumptions for Zero Trust adopters is “assume breach”, scant comfort for something you poured your team’s hearts and minds into.
So why all the fuss?
Zero Trust is catchy, easy to market and plays neatly into the Fear, Uncertainty and Doubt (FUD) of cyber security. It is based around the ability to respond to unknown and future threats (zero days will feature). And it will help. Probably. When it’s matured. The other bonus is that it’s agnostic – no one vendor or solution can deliver a Zero Trust implementation and there are few products that can’t fit into it. So it doesn’t constrain your market choices. Or help you make investment decisions. You could buy everything.
There are problem statements and scenarios ideal for Zero Trust models that are hard to cope with using other approaches. Here are some scenarios where Zero Trust might be right for you:
- A complex supply chain with direct access from 3rd party managed (or unmanaged) devices to data and services;
- The business model relies on effective collaboration with 3rd parties on sensitive data with a high risk of harm if compromised;
- The nature of the business is dynamic, notable shifts in behaviour within the environment may well occur in a standard planning cycle;
- Any shift in the pattern could indicate a tangible threat;
- Devices and services accessing data are disproportionately outside of the organisational sphere of control;
- Preventing legitimate business usage is potentially more harmful than a compromise.
Tick some or all of those boxes and you should definitely consider Zero Trust. There are plenty more examples where it’s a good fit. But if the business doesn’t have those characteristics then you will get less value from the model. If the supply chain is simple, most business is conducted internally on managed assets and the nature of the work doesn’t experience dramatic shifts, then there will be a simpler way of achieving a good level of cyber protection.
So what now…?
You’ll hear a lot about Zero Trust for the foreseeable future. Some folk are going to try and sell things off the back of it. So what should you do? Whoever proposes it, ask these questions:
- How does this model support the business strategy and organisational objectives?
- How much existing investment can work effectively in that model?
- How will adopting this allow our people to work effectively in an appropriately secure manner?
If you get good answers, then try it. If you don’t, take a step back and wait for better answers.
Nine23 provide Cyber Security solutions (OFFICIAL-Sensitive) that enable the frontline end-users in today’s workplace to use current technology, securely.