Trust or Zero Trust, That’s the Question

CISOs’ Job is To Put Technical Controls in Place to Manage Risk


Several studies over the years point to the fact that people are wired to trust in the likelihood of good things happening to them. Even when confronted with the true odds, they tend to think they will somehow fare better than average. The recent rude awakening from our collective complacency, which we still endure, has roused in us a deep need to protect against further perceived risks and to take back some of our lost sense of control. In my case, this has triggered a lot more thinking about the Zero Trust Model in cybersecurity.

Originally proposed by Forrester, and later adopted more ubiquitously, Zero Trust really suggests that it is no longer adequate to subscribe to the traditional model of perimeter-based security. We must implement cybersecurity controls inside of the perimeter across people, devices, data, networks and workloads. This can be done by leveraging a combination of tactics such as strong identification, authentication and authorization, isolation, segregation, encryption, obfuscation, automation and the like.

Zero Trust also means that we assume we are constantly under attack or already compromised, and that we build controls on a data-centric security architecture based on that assumption. Another interpretation of Zero Trust, which a senior industry leader shared with me, is that even where we have defense in depth, each operating control subjects transactions to the maximum possible scrutiny within that particular control, because no trust is assumed.

Trust and Risk Management

I, however, believe that CISOs are in the business of trust. Then again, they are also in the business of risk – more precisely risk management. Fundamentally, their job is one of balancing risk-acceptance and risk-mitigation decisions so greater trust can be created.

In fact, all human beings are wired to trust, even if we do trust poorly on occasion. Trust is a survival mechanism that has served us well – see how being socially engaged (an indicator of trust) has proved an advantage in our struggle for survival. That said, our readiness to trust sometimes spells trouble. At a collective level, that doesn’t matter very much so long as more people are trustworthy than not. At the individual level, though, it can pose real problems. To endure as individuals, we need to learn to trust judiciously.

What if we applied the same logic of trust at the collective level, and caution at the individual transaction level in the context of cybersecurity?

Think of how banks and merchants leverage the Trust Model to authorize payments. The ATM switch processes millions of transactions every day based on the trust model of authorize and settle. Identity and authentication federation models have been around for years to establish fundamental trust across functions and organizations.

Cards verified by secure code are another good example of trust built through authentication and authorization. For all of this to work viably at the collective level, there need to be technical controls that can be trusted to judiciously grant or deny access, case by case. This means establishing a robust model in which handshakes have the highest level of integrity and are then followed by authorization. Putting a model such as this in place is a job for CISOs and their teams.

Leveraging Zero Trust to Enable Trust

Once the Trust Model is established, Zero Trust thinking can make it even stronger by bringing in:

  • Thoughtfully designed controls and responses based on the notion that the enterprise is constantly under attack.
  • Continuously evolving and improving security across people, devices, networks, data and cloud within as well as outside the organization.
  • Without assuming each control is self-sufficient, building strong multi-dimensional and comprehensive controls that subject transactions to the maximum level of scrutiny that’s possible within that particular control. It is important that this be done within the larger canvas of defense-in-depth.

And steering back to the question that I first raised – Trust or Zero Trust – perhaps the answer lies in the fact that the real outcome zero trust aspires to deliver is, after all, trust.


Copyright © 2020 IDG Communications, Inc.