Zero Trust Tenants

Breaking Into Cybersecurity - A podcast by Christophe Foulon

What is Zero Trust? Zero Trust is a security model that says an organization should not automatically trust any user, device, or network, even one that is already inside the network perimeter. Every request for a resource is verified and authorized on the principle of least privilege, and anything that is not explicitly permitted is denied.

The idea behind Zero Trust is that the traditional network security model, which relies on perimeter defenses to keep external threats out and implicitly trusts whatever is inside, is no longer sufficient in today's connected world. With the proliferation of mobile devices and cloud services there is no longer a clear perimeter to defend, and an attacker who gains a foothold inside it, through phishing, a stolen credential, or a compromised device, meets little resistance when moving on to other systems. By adopting a Zero Trust approach, organizations replace perimeter trust with granular access controls tied to the specific action a user is taking and the specific resource they are trying to reach. That limits what a stolen credential or compromised endpoint can get to and reduces the impact of a breach.

With all of the huff and puff around Zero Trust, it is frustrating when vendors claim that their product is a Zero Trust "Solution." For example, in a post this morning, a connection of mine shared some of the technical solutions that help achieve a Zero Trust approach but skipped the first steps of the Zero Trust Design Principles.
According to the Zero Trust Design Principles by John Kindervag, you start with the following five steps, in order:

* Define the protect surface. Work with the business to identify the critical data, applications, assets, and services that must be watched. There will be more than one protect surface in an organization, and potentially more than one for a given business application.
* Map the transaction flows. Understand the business processes, how data actually moves between users and systems, and how those flows can best be designed within any constraints. Look at what needs to be protected, who needs access, when they need access, and why they need access.
* Architect a Zero Trust environment. Combine the protect surface and its transaction flows into a design in which people and systems that do not need access get none; the mapped flows are the only paths into the protect surface.
* Create Zero Trust policies. Write the formal design, governance, playbooks, and incident response procedures that determine how the systems are built and what each enforcement point allows; Kindervag expresses each rule in Kipling-method terms (who, what, when, where, why, and how).
* Monitor and maintain. Ensure that the Zero Trust policies are managed, enforced, and continue to function in the manner designed; if they do not, the process for that protect surface should be redesigned.

As you can see, Zero Trust is a design strategy that leads to something that can be managed and measured. Adding tools to the stack will not equal a Zero Trust environment if the protect surfaces and transaction flows are not designed with Zero Trust in mind.

Reference: Zero Trust Design Principles by John Kindervag
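The five steps above become concrete when the output of steps one to four is an artifact a machine can enforce. The following Python is an added example, not code from the podcast or from Kindervag's material: it encodes a constructed "payroll" protect surface, its mapped transaction flows (who, what, how, when, why, plus a device-posture requirement), evaluates requests against them with deny-by-default, and records every decision in an audit log for the monitor-and-maintain step. All subject names, resource names, and time windows are invented for the illustration.

```python
"""Toy Zero Trust policy engine (added example; names and data are constructed)."""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Request:
    subject: str            # who is asking
    resource: str           # what they want to reach
    action: str             # how: read, write, ...
    when: datetime          # when the request arrives
    device_compliant: bool  # posture signal supplied by the device


@dataclass(frozen=True)
class Flow:
    """One mapped transaction flow into a protect surface."""
    subjects: frozenset      # who
    resource: str            # what
    actions: frozenset       # how
    start: time              # when: inclusive time-of-day window
    end: time
    why: str                 # business justification for the flow
    require_compliant_device: bool = True

    def permits(self, req: Request) -> bool:
        return (
            req.subject in self.subjects
            and req.resource == self.resource
            and req.action in self.actions
            and self.start <= req.when.time() <= self.end
            and (req.device_compliant or not self.require_compliant_device)
        )


@dataclass(frozen=True)
class ProtectSurface:
    name: str
    resources: frozenset
    flows: tuple   # the only permitted paths into the surface


AUDIT_LOG: list = []   # step 5: every decision, allow or deny, is recorded


def evaluate(surfaces, req: Request):
    """Return ('allow'|'deny', reason). Anything not explicitly mapped is denied."""
    owners = [s for s in surfaces if req.resource in s.resources]
    if not owners:
        # An unmapped resource is not "open"; it is a gap in step 1.
        decision = ("deny", "resource belongs to no protect surface")
    else:
        match = next(
            ((s, f) for s in owners for f in s.flows if f.permits(req)), None
        )
        if match is None:
            decision = ("deny", "no mapped transaction flow: "
                        + ", ".join(s.name for s in owners))
        else:
            decision = ("allow", f"{match[0].name}: {match[1].why}")
    AUDIT_LOG.append((req, decision))
    return decision


# Constructed protect surface: a payroll system with two mapped flows.
PAYROLL = ProtectSurface(
    name="payroll",
    resources=frozenset({"payroll-db", "payroll-app"}),
    flows=(
        Flow(frozenset({"payroll-app"}), "payroll-db", frozenset({"read", "write"}),
             time.min, time.max, "application tier is the only path to the database"),
        Flow(frozenset({"hr-analyst"}), "payroll-app", frozenset({"read"}),
             time(7, 0), time(19, 0), "analysts review pay runs during business hours"),
    ),
)
SURFACES = (PAYROLL,)


def decide(subject, resource, action, hour, device_compliant=True):
    """Convenience wrapper: evaluate a request on a fixed date at the given hour."""
    req = Request(subject, resource, action,
                  datetime(2024, 3, 4, hour, 0), device_compliant)
    return evaluate(SURFACES, req)


if __name__ == "__main__":
    for args in [("hr-analyst", "payroll-app", "read", 10),
                 ("hr-analyst", "payroll-app", "read", 22),
                 ("hr-analyst", "payroll-app", "read", 10, False),
                 ("hr-analyst", "payroll-db", "write", 10),
                 ("payroll-app", "payroll-db", "write", 3),
                 ("intern", "wiki", "read", 10)]:
        print(args, "->", decide(*args))
```

Two design points carry the argument of the post. First, there is no "inside": the hr-analyst is denied direct access to payroll-db even though they can reach payroll-app, because no flow was mapped for it. Second, a resource that appears in no protect surface is denied rather than left open, which turns a gap in step 1 into a visible audit entry rather than a silent exposure. In a real deployment the subject and device signals would come from the identity provider and device-management system, and the evaluator would sit at an enforcement point in front of each protect surface.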