Zero Trust is an “always-on everywhere” approach to security. It contrasts with traditional legacy trust models, in which security is “sometimes present in some cases.” Legacy trust models were once a low-cost, high-value way to increase the effort an attacker had to expend, but in an era of attacker automation and supply chain compromise, that is no longer true. Legacy trust models are broken by this combination of automation and supply chain attack.
There are three main takeaways from this discussion on Zero Trust:
Zero Trust involves identity risk management and continuous assessment. This means the security insights that come from Zero Trust are far more accurate than traditional IT security models. By being more accurate, they can be more automated, less manual, and less heavily staffed. They also are less likely to interrupt revenue. Since confidence in the accuracy of data means you need less data to make the same decision, processing and storage costs related to the cloud can be reduced. This always-on, continuous assessment method of Zero Trust could be thought of as a mandatory, “opt-out-like” model.
While most Zero Trust messages describe it as “Never trust, always verify,” a better description is “Guilty until proven innocent.” All users, devices, and transactions are always considered suspect. There is no trusted safe haven in which a hacker or fraudster can hide from the network’s probing eye. By trusting zero entities, transactions, devices, or users, there is no perimeter to get through. There is no hacker saying, “I’m in,” because there is no “in.”
Zero Trust could be thought of as the reverse of traditional manual security models. It is “opt-out-like” instead of “opt-in-like.” In traditional models, enterprise security risk is assigned by staff with little or no central guidance from identity architects. Identity registrations, rights and privilege assignment, inventory management, incident management, and investigations are all typically performed without enterprise business, identity, security, and architect guidance and are therefore fragmented. Often, the staff responsible for these functions do not have any insight into the business relevance, enterprise risk, or potential revenue loss related to the powers they give these identities. When traditional security functions block on the basis of this “best effort” work, risk actually increases within the enterprise, because revenue-impacting false positives (such as cart abandonment) become more likely. These false positives either increase the chance of production network outages (and other failures) or increase the number of senior staff needed to apply judgment in fixing them.
Security is itself a risk, and (pre-Zero Trust) security creates costs by doing its job in a traditional, blunt way that ignores context. An example is that mission-critical functions such as those in a smart factory might be interrupted by non-Zero-Trust security with immediate impact of millions of dollars per minute. Yet another example is of non-Zero-Trust security blocking life-critical telecom or hospital networks, with immediate impact on human life.
When Zero Trust security context is recognized and responded to, the output of the security action is much more accurate while addressing business priorities such as revenue, life criticality, and/or mission criticality. What this means is that when business risk priorities are added to systems such as Zero Trust that handle security risk, in effect the Zero Trust system is actually enforcing business risk reduction through security risk reduction. This is a profound improvement to traditional security models.
“Supply Chain as Kill Chain: Security in the Era of Zero Trust” is a forward-looking, exploratory paper that highlights the distinct aspects of Zero Trust. While other papers focus on technology, this paper focuses on the use and value of that technology: the “why” rather than the “how” of Zero Trust. Given its nature, this paper can be considered a thought leadership piece for possible use in executive planning, rather than a landscape review of the current state of the industry or a product-centered pitch.
A reader could have the following three main takeaways from this Zero Trust paper:
“As the world becomes less stable due to climate change, age, war, supply chain disruption, and the resulting aggressive, fierce competition for dwindling resources, a more sophisticated, nuanced, and cost-effective approach to security will help the healthiest organizations survive.”
To learn more about Zero Trust Architecture and how enterprises can utilize its advantages, read our report “Supply Chain as Kill Chain: Security in the Era of Zero Trust”.