The dangers of assumptions in security
Assuming things is bad for your security posture. You are leaving yourself vulnerable when you assume what you have is what you need, or what you have is working as advertised. You assume you are protected, but are you really?
Don’t just trust – verify
What am I trying to get at? The new zero trust security model is promising as it looks to include many aspects of the security ecosystem. The underlying intent of the model is to remove the assumption by adding constant verification.
When I talk to customers about zero trust, I see a couple of things that are going to prevent them from a successful implementation.
To be successful, you need to realize three things. First, zero trust is a philosophy. Second, zero trust is a process. And finally, there isn’t a product, per se, that implements zero trust into your environment. Access or advanced authentication methods do not make zero trust, and neither does the biggest and baddest firewall. Remember, zero trust is about always asking if this activity/action is “appropriate.” To determine that level of appropriateness, and with it access and authentication, you need to consider the risk, the activity, and the identity with its associated attributes.
There are three ways a zero trust initiative can benefit an organization:
Agility: zero trust can enable you to run and change your business as necessary – economically, efficiently and effectively.
Security: zero trust can help you identify, protect, detect, and respond to threats and vulnerabilities present in the ecosystem.
Visibility: zero trust enables you to manage, optimize and innovate the value chain, meaning you can see (single pane of glass) what you need to manage.
These elements are a result of the scope zero trust should cover. The underlying pieces that zero trust covers (touches) ultimately enhance an organization’s agility, security and visibility.
A properly implemented zero trust infrastructure builds identity into the foundation because identity contains the relationships and authorization attributes needed to validate activities. It also considers applications because applications execute business and day-to-day processes.
This leads me to data. As you know, data is the end game, and it’s where the digital materials and outputs of applications and processes end. And lastly, the infrastructure is the bridge between the physical and the digital; consistently validating activities there is critical to close and limit vulnerabilities. Without all of these connected and working well, a business will struggle to operate, let alone adapt to the needs of today’s frantically changing security world. It’s the reason WHY you shouldn’t assume anything.
Taking an integrative approach
Where organizations typically fall down is in trying to bridge the old and the new seamlessly – “big bang” approaches are incredibly high risk, and thus a poor investment choice. This is where I see the most significant number of assumptions.
So, many organizations assume that a little duct tape can go a long way, but without a common “language” for IT components to talk, those components become severe constraints. This matters more now that integrative functions such as Single Sign-On (agility), behavioral analytics (security) and data mining (analytics) have become so relevant.
So, without getting into product-level specifics, you need to consider a couple of things when evaluating a zero trust initiative. First, there isn’t a single product that solves this; it takes a cohesive approach. Second, please don’t assume what you have is all you need. I’ll leave you with this to consider when thinking about your current security posture: if you assume that what got you here will get you there, I hate to tell you, but it won’t.