If you’ve taken a quick glance at the cybersecurity space lately, you’ll likely have noticed a plethora of companies that focus their marketing around statements that essentially add up to “Stop cybersecurity incidents by preventing attackers from getting in”. From improved ways to scan files to blocking applications by banned hashes, the industry is laser-focused on being the tool that keeps the most attackers out. This approach makes intuitive sense: why would you not want to prevent attackers from getting inside? The entire goal of cybersecurity is to reduce the risk of compromise, after all. But what if we took a step back and applied logic from a law enforcement perspective to protecting our valuable information?
As surprising as it may seem, the methods police officers use to reduce crime have close parallels to how cybersecurity engineers work to reduce cyberattacks. Target hardening, the law enforcement term for installing preventative measures such as locks, is identical to the system hardening done by cybersecurity engineers. Both deal with the prevention of crime (or cybersecurity threats) using controls. While both sides use preventive controls, their methodologies split over how much those prevention mechanisms are trusted and what happens when criminals get in. Law enforcement recommends locks on doors but understands they will fail. In fact, the response plan for a home invasion assumes the house has already been entered; once that happens, the new goal is to prevent the criminal from getting away with anything. Cybersecurity tools generally rely on only the locks, and have no game plan for when the house is broken into. The cybersecurity industry has an inherent trust in its preventative tools and their capability to keep attackers out of the house, and as a result it has bred an opposition keen on finding ways around the locks that are in place. However, if you rethink the way you value the house, it isn’t the house being entered that poses the risk to your possessions; it’s the possessions themselves being taken.
Enter the idea of Zero Trust for the cybersecurity industry. Based on seven key tenets, it can be summarized as the steps an organization takes to ensure that no asset or security control is inherently trusted, even if it has what would conventionally have been adequate security controls installed, such as door locks. The phrase roughly breaks down as zero, meaning no asset or attestation, and trust, meaning the scope of abilities those identities can have based on who they say they are: Zero Trust (in the identity). In practice, its operation ensures that even if a security control, such as the lock that was supposed to protect the house, is broken, that failure has been anticipated and any valuables are still out of reach. The advantage of Zero Trust is that it asks the user to verify who they are each time they try to put the diamond necklace around their neck, regardless of whether they are the criminal breaking in through the attic or the homeowner who walked through the front door. Many are familiar with multi-factor authentication, which is used to verify identities on login; it is the same concept pared down and applied to the virtual front door of the cloud app. Even if you know the password, you still must prove who you are with something you have. While Zero Trust is no doubt secure, it presents a usability risk. The homeowner doesn’t want to MFA every time they put on their necklace to go out on the town. If they are required to, they may stop putting on the necklace or become numb to the act of confirmation.
In this scenario, the concept of continual evaluation of access comes into play to help alleviate the stringent requirements of Zero Trust. The homeowner may be required to MFA the first time they put the necklace on, but each subsequent time they put it on they are analyzed for their eye color, hair color, or fingerprint. If they dramatically change their hairstyle (think working from a new coffee shop out of town), they are required to MFA again to prove who they are. By combining Zero Trust access and continuous validation, we can create an access system that steps away from complete prevention of obvious break-ins, assumes the house is always being broken into, and focuses on protecting the valuables themselves.
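To make the two paragraphs above concrete, here is a small policy engine that re-evaluates every request against the context bound at the last successful MFA and asks for step-up MFA when that context drifts (new device, network or location) or when the proof has simply grown stale. This is an added example written for this post, not code from the original article or from any Zero Trust product; the class and function names, the four-hour freshness window, and the sample contexts (user names, device ids, the 203.0.113 network label, city names) are all constructed for illustration.

```python
"""Continuous access evaluation as a toy policy engine (added example).

A password login only opens a session; it earns no trust on its own.
Trust is bound to the exact context in which MFA was last passed, and
every request is re-checked against that context.  All names, thresholds
and sample values here are constructed for illustration.
"""
from dataclasses import dataclass, fields
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up_mfa"   # ask the user to prove who they are again
    DENY = "deny"


@dataclass(frozen=True)
class Context:
    """Signals observed on a request: the 'eye color, hair color, fingerprint'."""
    user: str
    device_id: str   # e.g. a managed-device certificate thumbprint (constructed)
    network: str     # e.g. a source-network label such as a /24 (constructed)
    geo: str         # e.g. a coarse city-level location (constructed)


@dataclass
class Session:
    user: str
    verified_ctx: Optional[Context] = None   # context bound at the last MFA
    verified_at: float = 0.0                 # time (seconds) of that MFA


MFA_MAX_AGE_SENSITIVE = 4 * 3600   # sensitive resources: re-prove every 4 h (constructed)


def drift(a: Context, b: Context) -> List[str]:
    """Names of the signals that changed between two contexts."""
    return [f.name for f in fields(Context) if getattr(a, f.name) != getattr(b, f.name)]


class ContinuousAccessEvaluator:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def open_session(self, session_id: str, user: str) -> None:
        self.sessions[session_id] = Session(user=user)

    def record_mfa_success(self, session_id: str, ctx: Context, now: float) -> None:
        # Bind the proven identity to the exact context it was proven in.
        s = self.sessions[session_id]
        s.verified_ctx = ctx
        s.verified_at = now

    def evaluate(self, session_id: str, ctx: Context,
                 sensitive: bool, now: float) -> Tuple[Decision, str]:
        s = self.sessions.get(session_id)
        if s is None:
            return Decision.DENY, "no_session"
        if s.user != ctx.user:
            return Decision.DENY, "session_user_mismatch"
        if s.verified_ctx is None:
            return Decision.STEP_UP, "no_mfa_yet"          # first time the necklace goes on
        changed = drift(s.verified_ctx, ctx)
        if changed:
            # The "hairstyle" changed since the last proof: re-verify.
            return Decision.STEP_UP, "context_drift:" + ",".join(changed)
        if sensitive and now - s.verified_at > MFA_MAX_AGE_SENSITIVE:
            return Decision.STEP_UP, "mfa_stale"          # trust does not last forever
        return Decision.ALLOW, "ok"


def demo() -> List[Decision]:
    """Walk one session through the homeowner's day; returns the decisions in order."""
    ev = ContinuousAccessEvaluator()
    home = Context("alice", "laptop-01", "10.0.1", "Seattle")          # constructed
    cafe = Context("alice", "laptop-01", "203.0.113", "Portland")      # constructed
    ev.open_session("sess-1", "alice")
    out = []
    out.append(ev.evaluate("sess-1", home, sensitive=True, now=0)[0])       # STEP_UP
    ev.record_mfa_success("sess-1", home, now=0)
    out.append(ev.evaluate("sess-1", home, sensitive=True, now=60)[0])      # ALLOW
    out.append(ev.evaluate("sess-1", cafe, sensitive=True, now=120)[0])     # STEP_UP (drift)
    ev.record_mfa_success("sess-1", cafe, now=120)
    later = 120 + 5 * 3600
    out.append(ev.evaluate("sess-1", cafe, sensitive=False, now=later)[0])  # ALLOW
    out.append(ev.evaluate("sess-1", cafe, sensitive=True, now=later)[0])   # STEP_UP (stale)
    intruder = Context("mallory", "laptop-01", "203.0.113", "Portland")   # constructed
    out.append(ev.evaluate("sess-1", intruder, sensitive=True, now=later)[0])  # DENY
    return out


if __name__ == "__main__":
    for d in demo():
        print(d.value)
```

The reason string returned beside each decision is what a defender would log: a run of `context_drift` step-ups on one session, or a `session_user_mismatch`, is the signal that the house may already have been entered, while the freshness window keeps an unchanged context from staying trusted indefinitely.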
This illustration explains the paradigm shift that is happening in order to have secure and usable systems under Zero Trust. We need to step away from having the biggest locks on the door (think your passwords or VPN access) and step into continuously evaluating whether someone should have, or continue to have, access to the necklace. Just as law enforcement understands it can’t prevent every break-in, cybersecurity professionals can benefit from accepting this and hiring the principles of Zero Trust as their version of a light-speed, always-on-call deputy.
· Law enforcement understands not every threat can be prevented.
· Cybersecurity can benefit from not relying solely on the "locks", such as passwords or VPNs.
· Zero Trust principles can function as an on-call, light-speed deputy to stop unauthorized activity.