I have been thinking about how to present zero trust, and “always verifying” is silly: Bouncers “never trust and always verify,” but that doesn’t stop bar fights or drunks!
Zero trust aims to create a uniform, restricted protected IT architecture that protects the data. It is all about protecting the data.
Where do you start on the zero trust journey?
The way you start building a zero trust architecture is to work with the three horizontal pillars to define and restrict the protected surfaces around the data. If you can break into my IT architecture but cannot get to the data, I win; I’m not happy, but I still won. The answer is to reduce the protected surface around the data: smaller is easier to manage and protect.
A story about a baby
Imagine you have been given the task of babysitting the three-month-old this afternoon during one of the biggest football games for your team. The girls are all going shopping and will be back in two hours.
Reduce the protected surface (the house and the pets) to the coffee table in front of the TV.
Now you can watch the game (your mission) on the TV behind the coffee table and the baby (the data) in the baby car chair on the coffee table itself. Now you have total observation of the baby (data) and game (mission) on the protected area: the coffee table.
Lock the dog in the bedroom and the cat in the bathroom, reducing the size of the protected area.
Have chips, drinks and food on the coffee table for the game, reducing network traffic to and from the kitchen.
Have a bottle ready for the baby and give it as soon as your wife leaves the house (the annex to the protected area), which reduces the access, application, device and network traffic you need later.
Have a drink, watch the baby sleep, enjoy the game.
What happens when the protected area expands
The game is down to the last 50 seconds, and it is touchdown time, or the season is over for your team.
The doorbell rings; the dog starts barking, the cat starts howling, and the baby wakes up and starts screaming.
Your team takes a timeout with 30 yards to go and 30 seconds on the clock.
The wife walks in and lets the dog out, which charges the coffee table and eats your lunch.
The wife starts yelling at you for not watching the baby and turns off the TV!
While your wife moves the baby to the kitchen, still yelling at you, you turn on the TV.
The old bald man on the TV is saying he “never saw a play like that.” Like what?
Bottom line: when you cannot control the protected area around the data, you cannot have a zero trust architecture. Game over.
Zero trust is about controlling the protected surface to protect the data. The goal is to reduce the size of the protected surface to reduce the risk to the data and make it easier to manage the protected area. Start with:
Visibility and analytics – Baby in the car seat on the coffee table.
Automation and orchestration – The surface area to protect is the coffee table; every impediment to access has been removed, including the dog and the cat.
Governance – Total visibility of game and baby.
Failure is when the protected surface changes and the architecture cannot cope with the change. One very large change agent is the cloud. The discipline of zero trust assumes you know where everything is from the start. One example is the mainframe, which never dies. Even with open systems and the cloud, the mainframe still exists, and you use it every day for every credit card transaction at the big box stores, banks and airlines – there are a lot of babies that enterprises want to protect.
Like it or not, a key benefit of a mainframe is that you know where everything is, and the protected surface is known. In the US, 70% of structured data is still on the mainframe, and 95% of banks still run mainframes. It is not the mainframe itself but the control of the data that precludes migration to open architectures. The more open your architecture, the larger the zero trust protected area you need to manage. That raises the question of what just happened to your lunch: IT resources on-site or in the cloud let users expand the IT surface, increasing the risk to the baby.
Cloud needs to be a utility, not an enhanced service. You need bare metal servers that you administer to create the coffee table. Share the baby with no one: You can control the data, applications, network, devices and identity in the cloud. When you look at the Cybersecurity and Infrastructure Security Agency’s Cybersecurity Maturity Model, you can see how thinking about “protecting the baby (data)” plays out:
The single source of truth needs to be a secure architecture in which you are assured that you know where the baby is at all times, that the baby is protected at all times, and that the baby can grow and expand in healthy ways. Granted, the baby will sometimes get sick and cry, but as IT professionals we are responsible for nurturing the baby; that is zero trust. Does this cost more? Yes, but it is a baby. As a manager, the question to start the day with is: do we know where the baby is and what it is doing? If you don’t know the answer to that question, your lunch just went missing, and you have lost your enterprise, which is the greater tragedy.