By Dr. Chase Cunningham aka Dr. Zero Trust
There’s a lot of marketing and material out there that talks about how to have a better defensive posture. Zero trust is the new term that everyone is using for the future state of enterprise security. That’s great. It makes a lot of sense to enable zero trust strategically over time to move toward a more effective, realistic approach to security. Organizations are going to be more remote, their employees will be more dispersed geographically, and zero trust, if employed correctly, can strategically help enable that move for the new workforce. This was proven during the COVID-19 pandemic, as organizations had to enable this model to survive whether they liked it or not. If there were any doubts, we have proven over the last two-plus years that the new model of work is possible and, in most cases, more effective than the old model. Security must evolve with that new model of work. That’s a given, understood, we got it.
But what if you choose to ignore that reality? What if you as an organization say that you are the one organization that nothing bad will ever happen to, that no one would come after you, and that you have nothing of value that any entity or nation-state adversary would try to get at? What if you think that you are the unique unicorn that is connected to the Internet, and even though thousands of companies just like you have been compromised and breached, and have gone out of business because of their unwillingness to adjust to reality, it won’t be you, right?
That’s the question that the bad guys want you to ask. The adversaries, the hackers, the nation-states, all those entities that are out there waiting in the weeds, hoping that your organization will think it is the one entity that doesn’t need to subscribe to reality, are praying that you ask yourself those very questions. The bad guys are out there, and they are waiting. In many instances they are already inside of organizations, possibly inside of your organization, hoping that you’ll take the bait, continue to ignore reality, and think you’re special. The bad guys want you to not enable zero trust. That’s how they win.
Technically speaking, what the bad guys want is for you to have moved to a more dispersed, more geographically diverse, more cloud, more apps, more devices, more accounts, and more everything digital infrastructure. And they want you to have done it very quickly. Which is what you’ve already done. The bad guys want you to use remote connectivity to connect your users from their home offices, from those unmanaged devices and those unmanaged networks, directly into your corporate resources. They want you to open those ports, use less secure protocols, not mandate good inspection, and not use the data that is bouncing around your enterprise for better alerting and response capabilities, so that they have the upper hand.
The bad guys want you to use legacy technology and legacy approaches to the problem. That’s good for them. They want you to connect your users via VPNs. They’re hoping that you have subscribed to the castle-and-moat strategy of cybersecurity. They want you to have a lack of segmentation and isolation capability across the infrastructure. They want your cloud resources to be connected and directly piped to everything across the Internet. Which they probably are. The bad guys want you to not use things like multifactor authentication or passwordless authentication. Technically speaking, the bad guys want you to continue doing what you’re doing and sit around hoping that, again, you’re special and you don’t need to change. Like a lion in the tall grass, they’re licking their chops looking for the slow gazelle on the cyber-Serengeti, and perhaps that’s you limping across the plains while the predators are waiting in the weeds.
The bad guys are hoping that you don’t realize that the fundamental controls needed to enable better security postures have been widely publicized, and that the gospel of better security has been preached by a variety of leaders across the space. They want you to have ignored those publications, the documentation, the reference architectures. The bad guys are sitting there in their chairs in front of their machines wanting you to have ignored an entire movement across the planet that is focused on a new approach to the problem, with better technology that is more aligned to the future of work. That’s what they want.
Many people think that zero trust is an extremely difficult strategy to put in place. That’s a fair thought; change is always difficult. And nothing worth doing is ever easy, at least in my experience that’s been true. But if you look at the things that the bad guys want, the things that they need to be successful technically, and remove some of those things, you’re beginning to enable zero trust and tipping the scales back in your favor. A few very simple things that can be applied technically to help tip those scales could be things such as:
Assume Breach. Isolate Every Endpoint - enforce inter- and intra-VLAN policies using autonomous profiling and grouping to stop lateral threat movement.
Enhance Digital Visibility - provide visibility for all traffic flows, including authorized and unauthorized communications, between all devices in a shared VLAN.
Employ a Ransomware Kill Switch - use a ransomware kill switch to instantly shut down all lateral traffic when ransomware is detected on the network.
Use an Autonomous Policy Engine - auto-enforce business policies as devices enter and leave the network with autonomous policy controls.
Secure Asset Access - reduce the attack surface by eliminating network-level access to high-value assets and adding an additional layer of security with mandatory SSO and MFA authentication for access to the organization’s critical assets.
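To make the controls above concrete, here is a small policy decision sketch, added as an illustration and not taken from the article or from any product. The class, field and endpoint names are hypothetical, and the group map stands in for whatever profiling a real policy engine performs.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    sso_mfa: bool = False   # session passed SSO + MFA (assumed signal)

@dataclass
class LateralPolicy:
    groups: dict            # endpoint -> group, standing in for profiling output
    allowed: set            # explicit (src_group, dst_group, port) rules
    high_value: set         # endpoints treated as critical assets
    kill_switch: bool = False
    flow_log: list = field(default_factory=list)

    def decide(self, flow: Flow) -> str:
        verdict = self._evaluate(flow)
        # Visibility: record every flow, authorized or not.
        self.flow_log.append((flow.src, flow.dst, flow.port, verdict))
        return verdict

    def _evaluate(self, flow: Flow) -> str:
        if self.kill_switch:
            return "deny:kill-switch"
        src_g, dst_g = self.groups.get(flow.src), self.groups.get(flow.dst)
        if src_g is None or dst_g is None:
            return "deny:unprofiled-endpoint"
        if (src_g, dst_g, flow.port) not in self.allowed:
            return "deny:no-rule"           # default deny, even inside one VLAN
        if flow.dst in self.high_value and not flow.sso_mfa:
            return "deny:mfa-required"
        return "allow"

def demo() -> list:
    # Constructed sample: two laptops and a file server sharing one VLAN.
    policy = LateralPolicy(
        groups={"laptop-1": "workstations", "laptop-2": "workstations", "fs-1": "file-servers"},
        allowed={("workstations", "file-servers", 445)},
        high_value={"fs-1"},
    )
    results = [
        policy.decide(Flow("laptop-1", "laptop-2", 445)),        # peer-to-peer SMB
        policy.decide(Flow("laptop-1", "fs-1", 445)),            # rule matches, no MFA
        policy.decide(Flow("laptop-1", "fs-1", 445, True)),      # rule matches, MFA done
        policy.decide(Flow("printer-9", "fs-1", 445, True)),     # unknown device
    ]
    policy.kill_switch = True                                    # ransomware detected
    results.append(policy.decide(Flow("laptop-1", "fs-1", 445, True)))
    return results

if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the kill switch overrides every rule, unknown devices never reach rule matching, and a matching rule alone is not enough to reach a high-value asset.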
The real question you should be asking yourself is: are you going to give the bad guys what they want? Are you going to roll over belly up and put your business, your employees, their future, their family, and your future and your family on the line simply because you were unwilling to accept the reality of this space and are unwilling to move toward a new but different approach to the problem? Even though you have thousands of instances of proof that this is the truth, and a three-decade-plus history of evolution toward a better approach, will you continue to ignore the technologies and capabilities that are available now that could change the game and tip the balance of power in your favor?
Change is never easy, and technical change can be even more difficult. That doesn’t mean that it’s not worth it. The changes that you need to enable to be more secure are not any more difficult than anything else your business has had to deal with to be more digital and enable future work. Yes, there are nuances, and yes, there are different requirements, but change is change. It boils down to two basic choices. You either choose to do something different and enable a better workforce and ultimately a better business, or you choose to think you’re special, that the bad things won’t happen to you, and that you’re different from the thousands of other organizations, and you ignore what your business and your workforce want, and you’ll fail.