Zero Trust: Enforcing Business Risk Reduction Through Security Risk Reduction
Zero Trust is an “always-on everywhere” approach to security. It is a contrast to traditional legacy trust models in which security is “sometimes present in some cases.” Legacy trust models were a low-cost, high-value approach to increasing an attacker’s efforts, but in an era of attacker automation and supply chain compromise, that is no longer true. Legacy trust models are broken by this combination of automation and supply chain attack.
There are three main takeaways from this discussion on Zero Trust:
- Zero Trust highlights sources of low-credibility data, providing insights on where investment can reduce automation costs and labor.
- By knowing the identity risk of internal, external, human, and device resources, “internal” and “external” data supply chains can be handled identically and transparently.
- Zero Trust can secure gaps that can be found in omnichannel and next-generation retail.
Exploring the concept of Zero Trust
Zero Trust involves identity risk management and continuous assessment. This means the security insights that come from Zero Trust are far more accurate than traditional IT security models. By being more accurate, they can be more automated, less manual, and less heavily staffed. They also are less likely to interrupt revenue. Since confidence in the accuracy of data means you need less data to make the same decision, processing and storage costs related to the cloud can be reduced. This always-on, continuous assessment method of Zero Trust could be thought of as a mandatory, “opt-out-like” model.
While most Zero Trust messages describe it as “Never trust, always verify,” a better description is “Guilty until proven innocent.” All users, devices, and transactions are always considered suspect. There is no trusted safe haven in which a hacker or fraudster can hide from the network’s probing eye. By trusting zero entities, transactions, devices, or users, there is no perimeter to get through. There is no hacker saying, “I’m in,” because there is no “in.”
Zero Trust could be thought of as the reverse of traditional manual security models. It is “opt-out-like” instead of “opt-in-like.” In traditional models, enterprise security risk is assigned by staff with little or no central guidance by identity architects. Identity registrations, rights and privilege assignment, inventory management, incident management, and investigations are all typically performed without enterprise business, identity, security, and architect guidance and are therefore fragmented. Often, the staff responsible for these functions do not have any insight into the business-relevance, enterprise risk, or potential revenue loss related to the powers they give these identities. When blocking, traditional security functions are done because of this “best effort” work, and risk actually increases within the enterprise as the likelihood of revenue-impacting, false-positives increases (such as Cart Abandonment). These false positives either increase the chance of production network outages (and other failures) or increase the number of senior staff needed to apply judgment in fixing these.
Reducing the blast radius of security response
Security is itself a risk, and (pre-Zero Trust) security creates costs by doing its job in a traditional, blunt way that ignores context. An example is that mission-critical functions such as those in a smart factory might be interrupted by non-Zero-Trust security with immediate impact of millions of dollars per minute. Yet another example is of non-Zero-Trust security blocking life-critical telecom or hospital networks, with immediate impact on human life.
When Zero Trust security context is recognized and responded to, the output of the security action is much more accurate while addressing business priorities such as revenue, life criticality, and/or mission criticality. What this means is that when business risk priorities are added to systems such as Zero Trust that handle security risk, in effect the Zero Trust system is actually enforcing business risk reduction through security risk reduction. This is a profound improvement to traditional security models.
Enforcing business risk reduction through security risk reduction
“Supply Chain as Kill Chain: Security in the Era of Zero Trust” is a forward-looking, exploratory paper that highlights the distinct aspects of Zero Trust. While other papers focus on technology, this paper focuses on the use and value of that technology, focusing on the “why” rather than the “how” of Zero Trust. Given the nature of the piece, this paper can be considered a thought leadership piece for possible use in executive planning, rather than a landscape review of the current state of the industry or a product-centered pitch.
A reader could have the following three main takeaways from this Zero Trust paper:
- Data hygiene. Zero Trust highlights sources of low-credibility data, providing insights on where investment can reduce automation costs and labor. Zero Trust-derived data hygiene reduces the risk of Decision Contamination (a kind of fake news consumed by executives and AI). It also supports decisions of increased accuracy made with less data, which has the effect of reducing cloud storage and processing costs.
- Supply chain security. By knowing the identity risk of internal, external, human, and device resources, “internal” and “external” data supply chains can be handled identically and transparently. The incidental benefit of this approach is that the use of common global identifiers (federated identities) makes it easier to sell into other very large enterprises such as federation members (interoperability is cheaper when common unique identifiers are used). These include governments and their suppliers.
- Omnichannel and next-generation retail. Omnichannel is the concept of “all channels, one experience.” Customers engage with your enterprise, rather than with individual services or departments. When bringing these together there are many opportunities for cost savings, but also fraud and cybercrime. These gaps can be secured using Zero Trust for traditional purchases as well as mobile online shopping. These gaps can be secured whether the purchase is made by humans with phones or by roaming autonomous cars and can be configured to meet unified integrity demands between billing and data networks. This omnichannel unity can also be used in meeting compliance requirements.
“As the world becomes less stable due to climate change, age, war, supply change disruption, and the resulting aggressive, fierce competition for dwindling resources, a more sophisticated, nuanced, and cost-effective approach to security will help the healthiest organizations survive.
To learn more about Zero Trust Architecture and how enterprises can utilize its advantages, read our report “Supply Chain as Kill Chain: Security in the Era of Zero Trust”.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.