From Hero to Zero: navigating the Zero Trust journey
Updated: Nov 20, 2020
The notion that hubris can be more deadly than any foe is nothing new. It just keeps popping up in new forms, and that means that we need to stay vigilant. In that spirit, let’s take a look at the changing role of security professionals in the coming age of Zero Trust.
A Zero Trust implementation delivers access control, policy enforcement, governance, etc., all while explicitly avoiding the assumption that, simply because a legitimate user has appropriately accessed an asset in the past, the current access request is from that same legitimate user OR that the asset itself hasn’t been compromised in the meantime. Zero. Trust. Even in the very recent past – inside or outside of a local network.
The expert security professional has to publicly and deliberately assume, in spite of their best efforts, that their perimeter-oriented controls will, at some point, fail. Zero Trust calls for humility, not infallibility.
The ideal Zero Trust implementation (the north star) would dive down to an extremely fine-grained asset atomicity or “trust zone” and would be enforced on a session-by-session basis. The "trust algorithm" employed at the "Policy Enforcement Point" would incorporate historical behaviors, outside intelligence, ML, continuous monitoring and a wide variety of other innovations in real time, all without undue impact on user experience, performance, reliability, and expense. That's ambitious.
For almost every enterprise, Zero Trust will not be next year’s model. Zero Trust is a continuing journey towards that ideal. Today’s security professionals are going to need to be the ones to help us all navigate our way. Yet, for the most part, we don’t cast security pros as navigators – we cast them to be more like the local sheriff – and herein lies the problem.
The archetypal security professional projects that quiet, battle-tested gravitas that commands authority while keeping the peace. Like the proverbial small-town sheriff, the security professional sits between us and the outside world doing what needs to be done to keep our little corner of the world safe. Some might argue that “keeping the peace” (keeping everyone calm so that we can carry on) is as important to an organization as the actual work of securing people, process, and things.
So how can we help them help themselves be navigators in Zero Trust waters and thereby help us all on our journey?
Reward security pros for being a “learn-it-all” and not a “know-it-all” and for planning for miscalculations rather than striving for infallibility. What might that look like?
Give them permission to say – “Even though we’ve spent a ton of $$ on network security and mobile device management and I can’t think of a single way someone could break in to one of our privileged accounts, we still need to assume that I’ve missed something. Here are the additional steps we need to take so that every time a privileged app or user requests access to a sensitive asset, we can start with the assumption that both the requester and the asset may have been compromised.”
Experience should breed humility – not over-confidence. We don’t need heroes (and certainly not super-heroes). What we need is someone more like a sea captain who has fought the ocean and lived to tell about it rather than a small-town sheriff who will be forever outgunned and outmanned.
What do you think the most important personality traits are for a modern security professional?