Zeroing in on 0 Trust
0 Trust is a different kind of trust, though - not the human kind. As it turns out, there is good trust and bad trust. Naive trust and deserved trust. And in cyberspace, where all interconnected technology can be used for good or bad, 0 Trust is a reflection of just how wary we need to be in response to the cyber threats we are faced with today.
Like many other trends we have investigated before, it is not a new concept; the term was apparently coined by Forrester in 2010. It is fundamentally based on the principle that trust should not be assumed, but earned.
A simple analogy would be how we commonly construct our houses and gardens. Many people have no front gate and are willing to let anyone access their garden. However, access to the house is protected (through locks, cameras and alarms), and access to your most important possessions is probably further protected by a safe. Only those you know and really trust would be given access to everything - certainly not an unknown visitor.
Can we get below 0?
As you might imagine, in the world of computers, 0 Trust has everything to do with identifying users and devices, and then consistently and constantly verifying that they are still who you identified them to be as they move through your IT environment and gain access to more and more critical data or services.
Roles and responsibilities are also very narrowly defined, so 0 Trust clearly has strong linkages to Identity and Access Management. However, it is more of a philosophy, strategy or framework than a single technology. It also appears that, as with other meta trends such as web3 and the Metaverse, the thinking around this domain hasn't fully crystallised: there are varying interpretations of what 0 Trust means.
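To make the "identify, then keep verifying" idea concrete, here is a small policy decision point written as an added example for this post (it is not code from the original article or from any product it mentions). It assumes a constructed three-tier sensitivity model that mirrors the garden / house / safe analogy, a constructed authentication-strength scale, and device posture flags of the kind a mobile device management platform would report. The key property is that every request is evaluated afresh with the current identity and the current device posture, so a device that drifts out of compliance mid-session loses access to the "safe" tier without any earlier grant being remembered.

```python
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """Sensitivity tiers, mirroring the garden / house / safe analogy (constructed)."""
    GARDEN = 0   # public-facing, low sensitivity
    HOUSE = 1    # internal: authenticated user on a managed device
    SAFE = 2     # most critical: MFA and a device in a compliant posture


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset
    auth_strength: int   # constructed scale: 0 = unauthenticated, 1 = password, 2 = MFA


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool        # enrolled in device management
    compliant: bool      # latest posture report (patched, encrypted, etc.) passed


@dataclass(frozen=True)
class Resource:
    name: str
    tier: Tier
    allowed_roles: frozenset


def decide(principal: Principal, device: Device, resource: Resource) -> tuple:
    """Policy decision for ONE request.

    Nothing is remembered from earlier requests: the caller passes the current
    identity and the current device posture every time, which is what makes the
    verification continuous rather than a one-off login check.
    """
    if resource.tier >= Tier.HOUSE:
        if principal.auth_strength < 1:
            return False, "unauthenticated"
        if not device.managed:
            return False, "unmanaged device"
    if resource.tier >= Tier.SAFE:
        if principal.auth_strength < 2:
            return False, "MFA required"
        if not device.compliant:
            return False, "device not compliant"
    # Narrowly defined roles: beyond the garden, only entitled roles get in.
    if resource.tier >= Tier.HOUSE and not (principal.roles & resource.allowed_roles):
        return False, "role not entitled"
    return True, "ok"


# Constructed sample principals, devices and resources (not real data).
VISITOR = Principal("visitor", frozenset(), auth_strength=0)
ALICE_PASSWORD = Principal("alice", frozenset({"finance"}), auth_strength=1)
ALICE_MFA = Principal("alice", frozenset({"finance"}), auth_strength=2)
BOB_MFA = Principal("bob", frozenset({"engineering"}), auth_strength=2)

BYOD_PHONE = Device("phone-1", managed=False, compliant=False)
LAPTOP_OK = Device("lt-42", managed=True, compliant=True)
LAPTOP_DRIFTED = Device("lt-42", managed=True, compliant=False)  # same laptop, posture changed

BROCHURE = Resource("public-brochure", Tier.GARDEN, frozenset())
INTRANET = Resource("intranet", Tier.HOUSE, frozenset({"finance", "engineering"}))
VAULT = Resource("payroll-vault", Tier.SAFE, frozenset({"finance"}))


def session_trace():
    """Re-evaluate a sequence of requests in one session; a posture change on the
    third request revokes access that the second request was granted."""
    steps = [
        (ALICE_MFA, LAPTOP_OK, INTRANET),
        (ALICE_MFA, LAPTOP_OK, VAULT),
        (ALICE_MFA, LAPTOP_DRIFTED, VAULT),      # posture drifted mid-session
        (ALICE_MFA, LAPTOP_DRIFTED, INTRANET),   # lower tier still reachable
    ]
    return [(r.name, *decide(p, d, r)) for p, d, r in steps]


if __name__ == "__main__":
    for name, allowed, reason in session_trace():
        print(f"{name:16} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

Note that the decision function takes the posture as an input rather than looking it up itself; in a real deployment that input is exactly the data the post goes on to discuss having to pull together from identity, device management and monitoring platforms.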
The 0 Trust paradigm makes a lot of sense but, in practice, it can be challenging and complex to implement, often requiring a complex set of solutions. Many suppliers deliver one or more elements of a 0 Trust solution (such as identity governance, access management, mobile device management, next-generation firewalls and security monitoring) but not all of them, so these elements need to operate together to enable a 0 Trust strategy. Another main driver of the complexity is that there just isn't a lot of precedent regarding how best to operationalise 0 Trust, and standards don't always exist or converge, making this a hard job.
Contemporary heterogeneous IT architectures involve many technology solutions. Further, different parts of an organisation may use different platforms, especially following mergers and acquisitions. Also, some organisations looking at 0 Trust may be in the middle of their digital transformation journey. Along with the applications and platforms for IT management and cyber security specifically, each may hold data that is relevant and in scope for your 0 Trust strategy.
All of this implies that, in most cases, there cannot be a pure ‘best of suite’ approach in procuring everything that an organisation needs from one sole vendor to operationalise a 0 Trust strategy. Therefore, no matter which 0 Trust school of thought you belong to, integrations play a key part in pulling together all the accurate data for the policy enforcement points to ingest.
Thankfully, security technologies are recognising the need for ‘best of breed’ solutions to be able to work together, so many vendors are moving to supporting open APIs. This enables platforms like Harmonizer to do their job and pull data in from wherever needed.
So what is the 0 Trust dream? The ideal world looks like this: a centrally controlled service governed by appropriate policies. It should be monitored and audited by the collective information set of logs and other information around data and IT assets, users and associated workflows.
This is where we see a role for ourselves, in facilitating the process of centralising information collection into the most appropriate platform, at the most appropriate level and in the best way to drive actionable cyber security insights relevant to those managing the 0 Trust strategy.
Some concrete use cases for consideration
For some further insights into how this works in practice, we share some live use cases below that are relevant to the 0 Trust strategy space:
- Onboarding & provisioning: Integrate the Human Resources system with your Active Directory and provision users within internal applications. This enables central application of granular access policies (access matrices).
- Automated User Access Review: Read and consolidate access data for line manager review, create workflows and schedule tasks
- Centralised risk reporting, including on those elements most relevant to your 0 Trust strategy: Automating the collection and reporting of control effectiveness & compliance data from diverse security technologies into a risk reporting platform, creating dashboards with actionable insights
- Platforms for Compliance as a Service (CaaS): Automate the ingestion of information required to dynamically measure and report on compliance with any regulation or standard.
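The first two use cases above (HR-driven provisioning against an access matrix, and consolidating access data for line-manager review) share the same core: join the HR roster, the directory accounts and the application entitlements, then report what does not reconcile. The following is an added example written for this post, not code from the original article or from the Harmonizer platform. It assumes constructed extracts in the simple dictionary shapes shown (a real integration would pull these over the systems' APIs) and a constructed access matrix mapping job titles to permitted (application, role) pairs.

```python
from collections import defaultdict

# Constructed sample extracts (not real systems or people).
HR_ROSTER = [
    {"emp_id": "E100", "name": "Alice", "title": "Finance Analyst", "manager": "E001", "status": "active"},
    {"emp_id": "E101", "name": "Bob", "title": "Engineer", "manager": "E002", "status": "active"},
    {"emp_id": "E102", "name": "Carol", "title": "Engineer", "manager": "E002", "status": "left"},
]
DIRECTORY_ACCOUNTS = [
    {"account": "alice", "emp_id": "E100", "enabled": True},
    {"account": "bob", "emp_id": "E101", "enabled": True},
    {"account": "carol", "emp_id": "E102", "enabled": True},      # leaver not yet disabled
    {"account": "svc-legacy", "emp_id": None, "enabled": True},   # no owner in HR
]
APP_ENTITLEMENTS = [
    {"app": "ledger", "account": "alice", "role": "analyst"},
    {"app": "ledger", "account": "bob", "role": "admin"},         # outside Bob's job role
    {"app": "repo", "account": "bob", "role": "developer"},
    {"app": "repo", "account": "carol", "role": "developer"},
]
# Access matrix (constructed): which (app, role) pairs each job title may hold.
ACCESS_MATRIX = {
    "Finance Analyst": {("ledger", "analyst")},
    "Engineer": {("repo", "developer")},
}


def find_exceptions(hr, directory, entitlements, matrix):
    """Return (kind, account, detail) tuples that a reviewer needs to act on."""
    people = {p["emp_id"]: p for p in hr}
    owner_of = {a["account"]: a["emp_id"] for a in directory}
    findings = []
    # Accounts whose owner has left, or who never existed in HR at all.
    for acct in directory:
        if not acct["enabled"]:
            continue
        person = people.get(acct["emp_id"])
        if person is None:
            findings.append(("orphan_account", acct["account"], "no HR record"))
        elif person["status"] != "active":
            findings.append(("leaver_still_enabled", acct["account"], person["status"]))
    # Entitlements that do not fit the holder's job title in the access matrix.
    for ent in entitlements:
        if ent["account"] not in owner_of:
            findings.append(("entitlement_without_account", ent["account"], "no directory account"))
            continue
        person = people.get(owner_of[ent["account"]])
        if person is None or person["status"] != "active":
            continue  # already reported above through the account findings
        if (ent["app"], ent["role"]) not in matrix.get(person["title"], set()):
            findings.append(("outside_access_matrix", ent["account"],
                             f"{ent['app']}:{ent['role']} not permitted for {person['title']}"))
    return findings


def review_packs(hr, directory, entitlements):
    """Group each active person's current entitlements under their line manager,
    which is the unit of work an automated user access review sends out."""
    people = {p["emp_id"]: p for p in hr}
    owner_of = {a["account"]: a["emp_id"] for a in directory}
    packs = defaultdict(dict)
    for ent in entitlements:
        person = people.get(owner_of.get(ent["account"]))
        if person is None or person["status"] != "active":
            continue
        packs[person["manager"]].setdefault(ent["account"], []).append((ent["app"], ent["role"]))
    return {mgr: {acct: sorted(v) for acct, v in accts.items()} for mgr, accts in packs.items()}


if __name__ == "__main__":
    for kind, account, detail in find_exceptions(HR_ROSTER, DIRECTORY_ACCOUNTS, APP_ENTITLEMENTS, ACCESS_MATRIX):
        print(f"{kind:28} {account:12} {detail}")
    for manager, accounts in review_packs(HR_ROSTER, DIRECTORY_ACCOUNTS, APP_ENTITLEMENTS).items():
        print(f"review pack for manager {manager}: {accounts}")
```

The exceptions list is the part worth scheduling: run on every HR change and on a fixed cycle, it turns the "leaver still enabled" and "role outside the matrix" cases into tickets rather than something a reviewer has to spot by eye in a spreadsheet.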
Even before considering elevating from a more traditional cyber security paradigm to 0 Trust, we all know that cyber security is a complex problem requiring investment in controls across people, processes and technology - as such, unfortunately, no single technological tool is a "silver bullet".
The more your cyber security tools can share information between them (including contextual information, preferably dynamically), the better positioned you are to defend against and react to the constant cyber threats we all face, and to avoid trusting anyone who doesn't deserve it.
Whilst some existing tools may 'talk' to each other via their APIs, in our experience data transformations (including aggregations) are often required to achieve optimal results. If nothing else, the suite of tools supporting your 0 Trust architecture (even if provided by a single vendor) needs to be fed data from many other sources within the organisation in order to do a good job.
Reach out to discuss your unique scenario or integration requirement with us - a conversation with us is always free of charge!
Photo by Jannis Lucas on Unsplash