Zero Trust — OR — Ego, the Cat, and Clifford the Big Red Dog
Let’s talk about trust, access, ego, and security. Trust is a human concept.
Online security is changing fast.
Change is hard — but sometimes it’s not as hard as we imagine. Let’s talk about trust, ego, security, and the consequences of hiding our heads in the proverbial sand.
Global cybercrime costs the world trillions of dollars every year, ‘ransomware-as-a-service’ is a booming industry, and as far back as May 2020 the UN was repeating the widely cited estimate of one cyberattack every 39 seconds.
Back to “change is hard”.
Trust is a human concept.
Computers don’t trust, they verify.
Computers verify by checking something presented to them, a credential, which this post calls a trigger. For example: your email password is a trigger. Presenting the right string tells the email platform to allow access to your mailbox. Notice that the password is the trigger, not you. The computer has no idea who you are; anyone who presents the same password gets the same access.
Zero Trust is about simplifying
Simplifying means minimizing access to digital resources so that damage from malice, carelessness, malware, ransomware and the like has limited reach and causes as little harm as possible. Security engineers call this least privilege: every person and every component gets only the access its job requires, so one compromised account or machine has a small blast radius.
Zero Trust means removing ALL unnecessary digital access from each person AND each digital resource. Access between platforms, programs and cloud or on-site resources is evaluated in the same way as access between people and the systems they use: every request is authenticated and authorized on its own merits, and being plugged into the office network does not earn a pass.
Zero Trust does not differentiate between honest, dishonest, careful, careless, or malicious. Zero Trust considerations are only about interactions within the system. The system is made up of (1) people and (2) a series of linked digital resources: computers, phones, servers, and more, powered and accessed through various platforms, portals, browsers, routers, cables, and internet connections.
Computers can’t actually know if you are you, or Bob, or Alice, or Clifford the Big Red Dog. Your computer doesn’t trust you; it trusts the triggers it receives: a Level 1 password is a trigger for access to Level 1 digital assets (email, accounts, cloud storage), and so on. It cannot tell malicious intent from honest hard work (are you working from home, or is someone else using your session?), it cannot see malware on the device or connection that delivered the trigger, and it cannot tell you apart from your cat walking across the keyboard (presumably being chased by Clifford). 🐶
The basis of Zero Trust is simply this: if someone doesn’t need access to a digital asset — really NEED access — they should not have it. “Need” does not include:
- “I’m the boss so I should be able to see everything”
- “I’m the Admin so I need to be able to hand out passwords when the bosses forget theirs”
Or my personal favourite:
- “I’ve been here since this place opened — it’s insulting to cut me out — you’re telling me you don’t trust me.”
Zero Trust isn’t about who you are as a person, as an employee, or as your boss’ trusted save-the-day Admin. It’s about…
What happens if:
- What happens if a team member doesn’t understand technology well, and their home network, charging cables, or USB keys are infected with malware?
- What happens if a team member DOES understand technology well and is very careful BUT… as we all know, bad things can happen to anybody, and they generally do at some point?
- What happens if a team member DOES have a tendency to dishonesty?
In our world “privileged access” is so often equated with “trust”, “importance” and “respect”. “Digital access” (passwords, system access) can be a form of self-esteem, company status, and unspoken respect from peers who may not have such exclusive access.
For whatever reason a particular person has access to a system — inherited access, current need, or bad planning — this access must be audited regularly and removed or amended according to ONE parameter: need. Do they need access? Why? How/when/where is access needed? And just as important: do they actually use this access, or is it just an idle, open pathway for cybercriminals looking for easy access (see “my personal favourite” above).
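Here is what that audit looks like when you actually sit down to do it. This is an added illustration, not code from the original post: a small Python review that walks a constructed access inventory and applies the one parameter above (need) plus the “do they actually use it?” check. The record layout, the justification labels, the people and resources, and the 90-day idle threshold are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


# Constructed inventory record (an assumption for this example): one row per
# (principal, resource) grant, carrying the justification recorded when the
# access was handed out and the last time the access was actually exercised.
@dataclass(frozen=True)
class Grant:
    principal: str             # a person or a service account
    resource: str              # the digital asset the grant opens
    reason: str                # justification recorded at grant time
    last_used: Optional[date]  # None means never exercised since grant


# Justifications that describe status or habit rather than need. These are the
# "I'm the boss" / "I've been here since it opened" / "I inherited it" answers
# from the post, reduced to labels an inventory might carry (assumed labels).
STATUS_NOT_NEED = {"", "boss", "seniority", "inherited", "admin convenience"}


@dataclass
class Finding:
    grant: Grant
    action: str                               # "keep" or "revoke"
    reasons: List[str] = field(default_factory=list)


def review_grants(grants: List[Grant], today: date, idle_days: int = 90) -> List[Finding]:
    """Apply the single parameter that matters, need, to every grant.

    A grant is flagged for revocation when its justification is about status
    rather than need, or when it has not been used within idle_days. An unused
    grant is an idle, open pathway, not a need, so it is flagged even when the
    justification itself reads fine.
    """
    findings = []
    for g in grants:
        why = []
        if g.reason.strip().lower() in STATUS_NOT_NEED:
            why.append("no need-based justification")
        if g.last_used is None:
            why.append("never used since grant")
        else:
            idle = (today - g.last_used).days
            if idle > idle_days:
                why.append(f"idle for {idle} days")
        findings.append(Finding(g, "revoke" if why else "keep", why))
    return findings


# Constructed sample inventory; names, resources and dates are made up.
TODAY = date(2024, 6, 1)


def sample_grants(today: date = TODAY) -> List[Grant]:
    def ago(days: int) -> date:
        return today - timedelta(days=days)

    return [
        Grant("alice", "payroll-db", "runs monthly payroll", ago(10)),
        Grant("bob", "payroll-db", "boss", ago(200)),
        Grant("svc-backup", "file-server", "nightly backup job", ago(1)),
        Grant("carol", "master-password-vault", "inherited", None),
        Grant("dave", "ci-server", "deploys releases", ago(120)),
    ]


def run_review(today: date = TODAY) -> List[Finding]:
    """Review the sample inventory as of `today` and return the findings."""
    return review_grants(sample_grants(today), today)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.action:6} {f.grant.principal:11} {f.grant.resource:22} "
              f"{'; '.join(f.reasons)}")
```

Run it and the payroll admin who actually runs payroll and the backup job keep their access; the boss who has not touched the payroll database in 200 days, the inherited and never-used vault access, and the deploy access that has sat idle for four months all come back as “revoke”. In practice the inventory comes from your identity provider or cloud IAM export and the idle threshold is a policy decision, and a “revoke” finding is the start of a conversation with the grant’s owner rather than an automatic switch-off, but the logic is exactly this simple: need and use, nothing about rank.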
Why do these questions matter? Let’s look at this in a different way.
What keeps you up at night?
Imagine getting a call in the middle of the night that spikes your adrenalin: your company’s online systems have been BREACHED.
Then imagine that you relax, because you remember that all computer access is compartmentalized. The damage is limited, and the only things that need to be taken offline are the infected computer and the few systems it could reach. For the rest of the company it’s business as usual, except for the security team, of course. They will be running forensics on the infected computer (and the systems it touched), security checks across the whole environment, and restores of lost data from backups (yay backups). That calm is earned in advance: it only holds if the access audits described above were actually done before the phone rang.
Imagine a world
Imagine a world where entities such as ransomware companies (yes, ransomware is a thriving business) and “I can clean your computer that you didn’t know was infected” scam calls are thwarted constantly by a Zero Trust culture of digital access based on need, not ego.
A culture that does not validate actions such as (real-life example): “The CTO isn’t one of us — I need to keep my access to the master passwords and remove theirs. Outsiders should not have them.”
But instead validates reality, tempered with empathy, communication, and an adventurous spirit: “The new CTO/CISO is a great leap forward. We have updated our password access AND the access between components of our online system. The master password list is in the hands of our trusted CTO/CISO, and there are encrypted and hard-copy lists held by one of our offsite professionals (lawyer is a good choice).”
The Final Takeaway
Your security team can’t fight (successfully) both the cybercriminals AND the ego-based culture. AND as a client, you need clear information and training. So — give each other a break… and maybe a coffee, a doughnut, a pizza, and a “thank you” — and remember: