February 2, 2022 at 3:00 PM
I have a line I use with my kids (mainly my teenagers, not so much my nine-year-old yet): “I trust you until I don’t”. They know the line well and will sometimes even finish it for me. I have raised them to, hopefully, make good decisions and tell the truth, with the idea of keeping them and their friends out of unsafe or bad situations. It has taken almost seventeen and fourteen years to build that trust, and they understand that once that trust is gone, I have no idea when (if ever) it can be restored. I would not call that Zero Trust, but I also don’t think Zero Trust would work for my teenagers…
I had a Commander during my twenty-one years in the Coast Guard who always used the term “trust but verify”. It was Zero Trust before the term officially came into use – the idea that you couldn’t really trust anything until it was verified. I still live by this and think of him every time I use the line. I would call that my first introduction to Zero Trust.
Then I come around to my grandmother (Nana). This sweet woman, who just turned ninety, must have six vacuums in her house. I love her, but she is a target for anyone selling anything. I’m not sure if they convince her she needs whatever they are selling, or if she is just so nice that she doesn’t know how to say no. A couple of years ago she got a call and was told that she had won the Publisher’s Clearing House sweepstakes, and that if she could provide her name, date of birth, and social security number, she would receive $10,000,000 and a brand-new Mercedes would be delivered two days later. As you might have guessed, there was never a check, and no Mercedes was dropped off. Now I monitor all her accounts, as it feels like only a matter of time before something bad happens. I have repeatedly told her – TRUST NO ONE! Please call me immediately if someone knocks on your door, and hang up if someone asks for money or personal information over the phone. I would say this is trying to align with the Zero Trust model, but unfortunately it has some user error built into it.
What is Zero Trust?
Zero Trust is exactly what it sounds like – never trust, always verify! This sounds like my old commander, right? Rather than applying security policy based on assumed trust, we apply policy in line with the principle of least privilege and strict user authentication: every request is verified, regardless of where it originates. A Zero Trust architecture (ZTA) is an enterprise cybersecurity architecture covering all users, assets, and network devices that is based on Zero Trust principles and designed to prevent data breaches and limit internal lateral movement.
Enough definitions – let’s discuss the actual controls that you can implement to work towards a Zero Trust environment. Think of it as implementing layers of security controls that together will create that Zero Trust model. NIST 800-207 is a great standard to align to. You can find that standard by following this link:
Key Principles of Zero Trust
Zero Trust Pillars
By all accounts, implementing a Zero Trust architecture that aligns to the NIST 800-207 standard is not an easy or cheap thing to accomplish. What can the bargain shopper implement to work towards achieving a Zero Trust architecture through a layered approach to security?
Our industry has made great strides in establishing a Zero Trust approach to security. You may not be ready to implement a full-scale Zero Trust architecture, but I really encourage you to start taking steps towards it. If you do not have any of the controls we have discussed implemented within your organization, it is time to start planning for the future. Start with an assessment of the controls you have implemented and identify any risks that exist. It is very important to understand that there are no wrong answers here. Covering up or ignoring a risk can be ghastly and a great way to find yourself out of a job. Once you identify these risks or holes in your security, build a plan for how to remediate them. This will likely include assessing and budgeting for tools that align with the Zero Trust model. The team here at Compass IT Compliance lives by Zero Trust, implementing it within our own practice as well as assisting clients across various industries in implementing Zero Trust controls within their own organizations. Contact us today to learn more and discuss your unique situation!