Zero Trust as Learned from My Grandmother

CJ Hurd
4 min read
February 2, 2022 at 3:00 PM

I have a line I use with my kids (mainly my teenagers, not so much my nine-year-old yet); “I trust you until I don’t”. They know the line well and sometimes will even finish it for me. I have raised them to hopefully make good decisions and to tell the truth, with the idea of keeping them and their friends out of unsafe or bad situations. It has taken almost seventeen and fourteen years to build that trust and they understand that once that trust is gone, I have no idea when (if ever) it can be restored. I would not call that Zero Trust, but I also don’t think Zero Trust would work for my teenagers…

I had a Commander during my twenty-one years in the Coast Guard that always used the term, “trust but verify”. It was similar to Zero Trust before the term officially started being used – the idea that you couldn’t really trust anything until it was verified. I still live by this and think of him every time I use the line. I would call that my first introduction to Zero Trust.

Then I come around to my grandmother (Nana). This sweet woman who just reached ninety years old must have six vacuums in her house. I love her but she is a target for anyone selling anything. I’m not sure if they convince her she needs whatever they are selling, or if she is just so nice, she doesn’t know how to say no. A couple years ago she got a call and was told that she had won Publisher’s Clearing House sweepstakes and if she could provide her name, date of birth, and social security number, that she would receive $10,000,000 and a brand-new Mercedes would be delivered two days later. As you might have guessed, there was never a check, or a Mercedes dropped off. Now I monitor all her accounts as it feels like a matter of time before something bad happens. I have repeatedly told her – TRUST NO ONE! And please call me immediately if someone knocks on your door and hang up if someone is asking for money or personal information over the phone. I would say this is trying to align with the Zero Trust model, but unfortunately has some user error built into it.

What is Zero Trust?

Zero Trust is exactly what it sounds like – never trust, always verify! This sounds like my old commander, right? Rather than applying security policy based on assumed trust, we apply policy in line with the principle of least privilege and strict user authentication. A Zero Trust architecture (ZTA) is an enterprise cybersecurity architecture for all users, assets, and network devices that is based on Zero Trust principles and designed to prevent data breaches and limit internal lateral movement.

Enough definitions – let’s discuss the actual controls that you can implement to work towards a Zero Trust environment. Think of it as implementing layers of security controls that together will create that Zero Trust model. NIST 800-207 is a great standard to align to. You can find that standard by following this link:

Key Principles of Zero Trust

  • Continuously Verify Access – Verify access, all the time, for all resources
  • Limit the Impact – Minimize the impact that an internal or external breach can have
  • Data Collection and Response – Make the most effective and accurate decisions with data that can be acted on in real-time

Zero Trust Pillars

  • Verify Identity – Multifactor authentication (MFA) and strong identity verification required and enforced
  • Verify Device – Devices managed, client health enforced, admin privileges restricted
  • Verify Access – Based on the principle of least privilege, network segmentation
  • Verify Services – Based on conditional access

By all accounts, implementing a Zero Trust architecture that aligns to the NIST 800-207 standard is not an easy or cheap thing to accomplish. What can the bargain shopper implement to work towards achieving a Zero Trust architecture through a layered approach to security?

  • Strong User Identification and Authentication Management – Enforce strong password requirements (15 characters with complexity) as well as requiring MFA for all users. Adding that additional layer greatly reduces the risk of user account compromise.
  • Implement a Device Management Solution – Centrally managing your systems will allow you to enforce policy and ensure endpoints are maintaining the proper client health. Any devices not within policy or not within health standards are automatically disabled or removed.
  • Restrict Access – Access to data should be restricted by need to know through the principle of least privilege. This can be accomplished by leveraging Active Directory or a similar tool to grant access through user groups. In addition, the use of Group Policy will allow you to enforce permissions and disable certain write permissions.
  • Network Segmentation - Segmenting your network greatly limits the likelihood that a bad actor would be able to move across your network in search of a vulnerability that can be exploited. It can also allow you to detect attacks on your network by creating rules to monitor for non-standard behavior.

Our industry has made great strides in establishing a Zero Trust approach to security. You may not be ready to implement a full scale Zero Trust architecture, but I really encourage you to start taking steps towards it. If you do not have any of the controls that we have discussed implemented within your organization, it is time to start planning for the future. Start with an assessment of the controls you have implemented and identify any risks that exist. It is very important that you understand that there are no wrong answers. Covering up or ignoring a risk can be ghastly and a great way to find yourself out of a job. Once you identify these risks or holes in your security, build a plan for how to remediate them. This may likely include assessing and budgeting for tools that align with the Zero Trust model. The team here at Compass IT Compliance lives by Zero Trust, implementing it within our own practice as well as assisting clients across various industries in implementing Zero Trust controls within their own organizations. Contact us today to learn more and discuss your unique situation!

Contact Us

Get Email Notifications

Comments (1)