Friday, 14 April 2023

Zero Trust - a little light grumbling.

I think I've reached the conclusion that if I haven't annoyed at least 5% (arbitrary figure) of my audience when talking about Zero Trust then I haven't done my job properly. Too many competing definitions, too many strongly held sacred beliefs. Naturally the next step is to see how many folks I can annoy on the Internet :). So, definitions for starters - I use NIST SP800-207 and the CISA ZT Maturity Model (now at v2) as my baseline. Vendor-agnostic. Analyst-agnostic. Wide in scope. Great fun for annoying folks who insist that ZT is purely focused on Identity or the Network*. I do then try to simplify the topic:


⁌ every access request starts from a position of zero trust (applies to all entities - humans, devices, services)
⁌ authorisation is granted based on dynamic context (risk-based)**, ideally per request
⁌ assume breach - of user ID (including machine or application service ID), access device, transport network.

What does this give you? Well, you've done away with the arbitrary distinction between "inside" and "outside". You now need to do something about those legacy flat networks. Reduce your blast radius! You can also now give your users access to the business applications they need, wherever they (or those business applications) may be located.

You've also now got to do something about your machine (OT, IoT) and workload (VMs, cloud instances, containers, applications) entities so that a compromise of such entities doesn't mean easy traversal.

You're assuming breach; this means you should be embedding observability into your in-house developed apps and configuring everything else to generate the signals you need to automate and orchestrate those dynamic authorisation decisions.
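The three principles above (start from zero trust, authorise on dynamic context per request, assume breach) and the point about feeding signals into the authorisation decision are easiest to see as a small policy decision point. The code below is an added illustration, not code from the post or from NIST/CISA: the resource inventory, risk thresholds and the identity/device risk feeds are constructed assumptions. Note that the source network is carried in the request and logged, but never by itself earns access, which is the difference between per-request context and static segmentation.

```python
"""Per-request, context-driven authorisation in the spirit of the SP 800-207
policy decision point. Added illustration; every signal here is constructed."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    DENY = "deny"
    ALLOW = "allow"
    STEP_UP = "allow_after_step_up"   # re-authenticate (fresh MFA etc.), then allow


@dataclass(frozen=True)
class AccessRequest:
    subject_id: str
    subject_kind: str       # "human", "device" or "service": all evaluated the same way
    resource: str
    strong_auth: bool       # MFA for humans, attested workload credential for services
    device_managed: bool    # endpoint/workload enrolled in management
    device_compliant: bool  # posture check passed (patched, EDR running, ...)
    source_network: str     # logged for context, never a grant condition on its own
    identity_risk: float    # 0.0-1.0 from an IdP / UEBA feed (constructed)
    device_risk: float      # 0.0-1.0 from an EDR / posture feed (constructed)


# Hypothetical resource inventory: sensitivity and which entity kinds may use it.
RESOURCES = {
    "hr-portal":    {"sensitivity": "high", "kinds": {"human"}},
    "wiki":         {"sensitivity": "low",  "kinds": {"human", "service"}},
    "payments-api": {"sensitivity": "high", "kinds": {"service"}},
}
HARD_DENY_RISK = 0.8   # assume breach: at or above this the entity is treated as compromised
STEP_UP_RISK = 0.5     # between this and HARD_DENY_RISK, demand fresh strong auth


def evaluate(req: AccessRequest) -> tuple[Decision, str]:
    """Return (decision, reason). Starts from DENY; every grant has to be earned."""
    rule = RESOURCES.get(req.resource)
    if rule is None:
        return Decision.DENY, "unknown resource (default deny)"
    if req.subject_kind not in rule["kinds"]:
        return Decision.DENY, f"{req.subject_kind} entities may not access {req.resource}"
    risk = max(req.identity_risk, req.device_risk)   # ID or device may be breached
    if risk >= HARD_DENY_RISK:
        return Decision.DENY, f"risk {risk:.2f} >= {HARD_DENY_RISK}: entity assumed compromised"
    if rule["sensitivity"] == "high":
        if not (req.device_managed and req.device_compliant):
            return Decision.DENY, "high-sensitivity resource needs a managed, compliant device"
        if not req.strong_auth or risk >= STEP_UP_RISK:
            return Decision.STEP_UP, f"strong auth required (risk {risk:.2f})"
        return Decision.ALLOW, f"context satisfied (seen from {req.source_network}; not a factor)"
    # low sensitivity: unmanaged devices are acceptable, a managed one must still be compliant
    if req.device_managed and not req.device_compliant:
        return Decision.DENY, "managed device failed posture check"
    if risk >= STEP_UP_RISK:
        return Decision.STEP_UP, f"elevated risk {risk:.2f}"
    return Decision.ALLOW, f"context satisfied (seen from {req.source_network}; not a factor)"


def replay_session(requests: list[AccessRequest]) -> list[Decision]:
    """Evaluate one subject's requests in order. Nothing is cached between calls,
    so a signal that changes mid-session changes the outcome on the next request."""
    return [evaluate(r)[0] for r in requests]


def make_request(**overrides) -> AccessRequest:
    """Constructed baseline request (healthy human on a managed laptop) with overrides."""
    base = dict(subject_id="alice", subject_kind="human", resource="hr-portal",
                strong_auth=True, device_managed=True, device_compliant=True,
                source_network="internet", identity_risk=0.1, device_risk=0.1)
    base.update(overrides)
    return AccessRequest(**base)


SCENARIOS = {
    "inside network, unmanaged laptop": make_request(source_network="corp-lan", device_managed=False),
    "outside, managed+compliant+MFA": make_request(),
    "same user, EDR raises device risk": make_request(device_risk=0.9),
    "MFA lapsed, otherwise fine": make_request(strong_auth=False),
    "service with attested identity on payments-api": make_request(
        subject_id="svc-billing", subject_kind="service", resource="payments-api"),
    "human on payments-api": make_request(resource="payments-api"),
}

if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        decision, why = evaluate(req)
        print(f"{decision.value:22} {name}: {why}")
    # identity risk climbs mid-session: ALLOW, then STEP_UP, then DENY
    print(replay_session([make_request(), make_request(identity_risk=0.6),
                          make_request(identity_risk=0.95)]))
```

The first scenario is the one the "inside/outside" point is about: being on the corporate LAN buys nothing for an unmanaged device, while a compliant, strongly authenticated user on the Internet is allowed. The replay shows why the signals matter: the same user is allowed, then stepped up, then denied as an identity risk feed moves, without anyone re-issuing a policy.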

In short: improved access for legitimate users, dynamic per-request authorisation based on current context (including risk) for all entities, and better visibility across your IT ecosystem, enabling faster detection and response.

I'm not sure why delivering those security outcomes remains a little controversial. Perhaps Zero Trust is just another one of those labels (like cloud) that rubs folks up the wrong way. Look past the label. Oh, and don't get too attached to specific definitions. Except the ones I like. Those ones are fine. 😇

*both key pillars to be sure, but not the sole focus.
**dynamic context - which is why your network microsegmentation is not really Zero Trust.
