Putting technology first is the biggest mistake you can make with Zero Trust
Many vendors and cyber security professionals are relaying the view that zero-trust technology is now essential for organisations – large and small – to defend against current cyber threats in the context of the hybrid enterprise.
At a high level, systematically verifying credentials every time a user accesses an asset or a function sounds like an over-engineered paradigm which flies in the face of the defence-in-depth good practices that have prevailed for two decades, i.e. the effective protection of the enterprise resulting from the layered application of controls at the people level (e.g. awareness training), the process level (e.g. monitoring and incident handling) and the technology level (e.g. logical access controls).
Having said that, given the size and complexity large enterprises have reached, their inherent dependency on digital interconnectivity across cloud-based ecosystems and supply chains, and their (equally inherent) endemic inability to deliver across corporate silos on the most essential aspects of cyber security, a heightened degree of network and access security could make sense for some, at least for those which feel they have the capability to execute in that space.
But implementing any form of “zero-trust” platform remains a complex endeavour, and those focusing only on its technical dimension are missing the point in my opinion.
Fundamentally, mandating a degree of least privilege is as old as cyber security good practice, and in that context “zero-trust” could be seen as a valid default position in theory, but taken at face value it remains an unworkable one: for employees to do their jobs, they have to be trusted somehow to access the digital assets they need to perform their duties.
The direct consequence of that paradigm is that you will need to grant trust to your staff, and that it will have to be done against some form of authoritative source: someone in your organisation will have to be accountable for deciding which employee is authorised (“trusted”) to access which asset (and to do what), and more importantly, which employee is no longer entitled to such access.
This is key: any least privilege principle only makes sense when coupled with a least retention principle, under which access is removed as soon as it is no longer needed, simply because people leave or change jobs, and sometimes those moves happen in good spirit, and sometimes they don’t.
What we start to see emerging here is the basis of a process which is mostly technology-agnostic, and which could well already be in place and functioning in some form in many organisations around existing logical access controls. But the more granular you make it, the more complex (and costly) it becomes to operate and maintain.
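As an added illustration (not part of the original article) of what such a process reduces to once the technology is stripped away, the script below reconciles current access grants against an authoritative source. It assumes an HR feed as the source of who is an active employee and in which role, a role-to-entitlement matrix agreed with asset owners, and one accountable owner per asset; the employees, roles, owners and grants are all constructed for the example. It flags access that outlived a leaver, a role change or an approver, and assets nobody is accountable for.

```python
"""Reconciling access grants against an authoritative source.

Constructed example: an HR feed is the authoritative source for who is an
active employee and in which role; a role-to-entitlement matrix records
what each role is allowed; every asset has one accountable owner. The
reconciliation flags grants that should no longer exist (leavers, orphan
accounts), grants that outlived a role change (movers), grants whose
approver has left, and assets nobody is accountable for.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    uid: str
    role: str
    active: bool
    end_date: Optional[date] = None


@dataclass(frozen=True)
class Grant:
    uid: str          # subject holding the access
    asset: str
    entitlement: str
    approver: str     # uid of the person accountable for this grant


@dataclass(frozen=True)
class Finding:
    uid: str
    asset: str
    entitlement: str
    action: str       # REVOKE, REVIEW, REASSIGN or ESCALATE
    reason: str


# Authoritative source (constructed HR feed). Bob has moved from finance to SRE.
HR_FEED = {e.uid: e for e in [
    Employee("alice", "finance-manager", True),
    Employee("bob", "sre", True),
    Employee("carol", "finance-analyst", False, date(2024, 3, 31)),
    Employee("dave", "finance-analyst", True),
    Employee("erin", "sre", False, date(2024, 5, 15)),
]}

# What each role is entitled to, agreed with the asset owners (constructed).
ROLE_MATRIX = {
    "finance-analyst": {("erp", "read"), ("erp", "post-journal")},
    "finance-manager": {("erp", "read"), ("erp", "approve-payment")},
    "sre": {("erp", "read"), ("prod-k8s", "admin")},
}

# Accountable owner per asset (constructed). "hr-portal" has none on purpose.
ASSET_OWNERS = {"erp": "alice", "prod-k8s": "bob"}

# Current grants as exported from the access control systems (constructed).
GRANTS = [
    Grant("alice", "erp", "read", "dave"),
    Grant("alice", "erp", "approve-payment", "dave"),
    Grant("bob", "erp", "post-journal", "alice"),   # left over from his old role
    Grant("bob", "prod-k8s", "admin", "erin"),       # approver has since left
    Grant("carol", "erp", "read", "alice"),          # leaver
    Grant("dave", "hr-portal", "read", "alice"),     # asset without an owner
    Grant("dave", "erp", "read", "alice"),
    Grant("svc-legacy", "erp", "read", "alice"),     # account unknown to HR
]


def reconcile(hr, matrix, owners, grants, today):
    """Return one Finding per grant that fails the least-retention checks."""
    findings = []
    for g in grants:
        emp = hr.get(g.uid)
        if emp is None:
            findings.append(Finding(g.uid, g.asset, g.entitlement, "REVOKE",
                                    "subject is unknown to the authoritative source"))
            continue
        if not emp.active:
            stale = (today - emp.end_date).days if emp.end_date else None
            findings.append(Finding(g.uid, g.asset, g.entitlement, "REVOKE",
                                    f"subject left {stale} days ago"))
            continue
        if g.asset not in owners:
            findings.append(Finding(g.uid, g.asset, g.entitlement, "ESCALATE",
                                    "asset has no accountable owner"))
            continue
        # A mover keeps only what the new role entitles them to.
        if (g.asset, g.entitlement) not in matrix.get(emp.role, set()):
            findings.append(Finding(g.uid, g.asset, g.entitlement, "REVIEW",
                                    f"not part of role {emp.role}"))
        # Accountability must rest with someone still in the organisation.
        approver = hr.get(g.approver)
        if approver is None or not approver.active:
            findings.append(Finding(g.uid, g.asset, g.entitlement, "REASSIGN",
                                    f"approver {g.approver} is no longer active"))
    return findings


def run(today=date(2024, 6, 30)):
    return reconcile(HR_FEED, ROLE_MATRIX, ASSET_OWNERS, GRANTS, today)


if __name__ == "__main__":
    for f in run():
        print(f"{f.action:9} {f.uid}:{f.asset}/{f.entitlement}  ({f.reason})")
```

Run against the constructed data it reports five findings: Bob’s leftover finance entitlement, Bob’s production access approved by someone who has left, Carol’s access 91 days after she left, Dave’s grant on an asset with no owner, and an account HR has never heard of. Every one of those is a decision for an accountable person, not a tool; the script only makes the decision unavoidable.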
Behind this process lies the concept of an operating model, because such a process can only function when rooted in a clear and accepted definition of accountabilities and responsibilities for all its players.
That’s where all “zero-trust” projects should start: by engaging with all stakeholders with a view to building the framework of an operating model acceptable to all.
That’s also where most of them fail when they put technology first, like many logical access controls or data loss prevention initiatives before them.
Putting technology first in those contexts is the biggest mistake you can make.
Those projects have to start process-first: identify all process stakeholders from the start, engage with them, explain the need for control, listen to their priorities and constraints, and build acceptance around their expectations of what is going to work for them and what isn’t.
Cyber security leaders pushing those types of initiatives who face stakeholders unwilling to accept or understand the need for such a level of control have to ask themselves where this reluctance is coming from, and address without complacency concerns which may be rooted in the failure of past projects in that space.
Success will come from asking stakeholders what will work for them and delivering on that basis, not from telling them afterwards what they need to do and pushing down on them another layer of unwanted technology.
That type of technology-first approach only generates friction with stakeholders; it leads to frustration, rejection, and over time, a mountain of technical debt made of half-deployed solutions.
Zero-trust initiatives structured in that way, like all their predecessors, are simply heading for that pile.
All this also contributes to building the sentiment amongst business communities that cyber security is costly, complex and, in the end, useless in the face of endless cyber-attacks.
This is perhaps the most dangerous aspect of it all.
Founder & CEO
Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.
Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.
An edited version of this article was originally published on Forbes on 31st August 2022 and can be found here.