Zero Trust Security – The Cultural Discussion

Thursday, October 28, 2010

PCI Guru

There is a great motto on the SR-71 Blackbird flight crew badges, “In God we trust, all others we verify.” 

John Kindervag of Forrester Research has written a paper titled ‘No More Chewy Centers: Introducing The Zero Trust Model Of Information Security’ that takes this motto into the information security realm. 

The premise of this paper is a question: what if you treated everything on your network, internal or external, as untrusted?  This paper is a great read and is worth the cost to obtain a copy.

This concept may sound a bit extreme and, for some, may even seem an odd approach.  But you have to ask yourself, can you really trust all of your users?  And that is exactly the point John is making. 

He points to 26 data security breaches in the first half of 2010 that were the result of “trusted” personnel deliberately or accidentally releasing information. 

John’s advice, if you cannot trust your users, then you need to treat them and their network traffic as untrusted.
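To make the premise concrete, here is an added example (not from the post or from Forrester's paper) contrasting the two access models the post describes: a perimeter model that trusts anything coming from an internal address, and a Zero Trust model that ignores network location and verifies identity, a second factor, device posture and per-resource entitlement on every request. The networks, user names, resource names and entitlement table are all constructed for the example; the fourth sample request mirrors the "trusted personnel" scenario from the paper, where an insider on the corporate LAN reaches data they were never entitled to.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample address ranges standing in for the corporate LAN.
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed entitlement table: which verified identities may reach which resource.
ENTITLEMENTS = {
    "cardholder-db": {"dba-alice"},
    "hr-portal": {"hr-bob", "dba-alice"},
}


@dataclass(frozen=True)
class Request:
    label: str                 # human-readable description of the scenario
    source_ip: str             # where the packet came from
    user: Optional[str]        # authenticated identity, None if unauthenticated
    mfa_verified: bool         # second factor presented for this session
    device_compliant: bool     # endpoint passed posture checks (patched, managed, etc.)
    resource: str              # what the request is trying to reach


def perimeter_decision(req: Request) -> bool:
    """Classic 'chewy center' model: anything from a corporate address is allowed."""
    return any(ip_address(req.source_ip) in net for net in CORPORATE_NETS)


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Every request is verified on its own merits; source network is never consulted."""
    if req.user is None:
        return False, "unauthenticated"
    if not req.mfa_verified:
        return False, "mfa required"
    if not req.device_compliant:
        return False, "device not compliant"
    if req.user not in ENTITLEMENTS.get(req.resource, set()):
        return False, "not entitled to resource"
    return True, "verified"


# Constructed sample traffic covering the cases where the two models disagree.
SAMPLE_REQUESTS: List[Request] = [
    Request("remote DBA from the internet", "203.0.113.7", "dba-alice", True, True, "cardholder-db"),
    Request("unauthenticated scan from the LAN", "10.4.4.4", None, False, False, "hr-portal"),
    Request("DBA on an unpatched laptop", "192.168.5.5", "dba-alice", True, False, "cardholder-db"),
    Request("HR insider browsing card data", "10.1.2.3", "hr-bob", True, True, "cardholder-db"),
]


def evaluate_all(requests: List[Request] = SAMPLE_REQUESTS) -> List[dict]:
    """Run both models over the sample traffic and report where they diverge."""
    results = []
    for req in requests:
        perimeter = perimeter_decision(req)
        allowed, reason = zero_trust_decision(req)
        results.append({
            "label": req.label,
            "perimeter_allows": perimeter,
            "zero_trust_allows": allowed,
            "zero_trust_reason": reason,
        })
    return results


if __name__ == "__main__":
    for row in evaluate_all():
        print(f"{row['label']:<36} perimeter={row['perimeter_allows']!s:<5} "
              f"zero_trust={row['zero_trust_allows']!s:<5} ({row['zero_trust_reason']})")
```

Run as a script, the table shows the perimeter model waving through every internal request, including the unauthenticated scan, the non-compliant laptop and the insider reading card data, while refusing the legitimate remote DBA; the Zero Trust checks give the opposite answers in all four cases. The point the post makes about culture follows directly: the `user` field is the employee, and the model grants nothing on the strength of where they sit.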

As a security professional, this approach sounds appropriate given today’s computing environment.  However, as a former senior IT executive, I have to say it sends chills down my spine. 

For what this approach requires is that you tell your employees that they cannot be trusted. 

If that does not scare the daylights out of you, it will sure scare it out of your human resources executives and probably a few, if not all, of the rest of your senior managers.

Then there is the process of selling such an approach.  And let us face it, it will be quite a sales job to get such an approach approved by senior management. 

To make matters worse, surveys of senior managers portray security professionals as too technical and unable to explain why security is necessary in business terms. 

With that sort of disconnect, the concept of Zero Trust is going to be almost impossible for most security professionals to sell to their organizations. 

In my opinion, the only way such an approach will ever be implemented is if it is suggested and driven by senior management, not IT or information security.

Then there is the fact that Zero Trust is not going to totally solve the security problem.  Remember my mantra, security is not perfect. 

Zero Trust will only minimize risk, but it is likely to reduce that risk to the lowest level achievable. 

Senior managers are going to be skeptical about spending the money it will take to get to this level. 

However, for the financial services and health care industries, the cost will be worth the peace of mind. 

Other industries will likely struggle with justifying the expense.  But in the end, I think this is probably the only route to as secure an environment as one can have.

In a future post, I will discuss the technological ramifications of Zero Trust.

Cross-posted from PCI Guru

Dierdre Mullins: I don't see why you would need to announce to the employees that they aren't trusted. Don't smart security professionals already assume that (a) no one can be trusted and (b) all networks are dirty?

How does informing users that they are untrusted help?
Terry Perkins: Great post! I wish I could read the whole article.

@Dierdre... excellent point. We just have never been open about it.