I subscribe to a lot of lists. All kinds of lists, actually, but of course, I subscribe to a lot of the “security” lists out there to see what people are talking about and keep up to date with things—just like you do.
However, I’m seeing an uptick in the “Zero Trust” phrase in the emails I get, and I’d like to take today’s piece and pretty-much call BS on the way it’s being positioned as a) something new and different and b) something that’s going to solve all your problems.
“Oh….I get it. We just don’t trust the network! Of course!” cried the masses—right before they were incinerated by the 40-foot Guardians of Sanity with the flaming blue hair.
Now, as you may or may not know, I don’t really care about the control implementations that much. It’s too hard to keep up with the latest point-release of some vendor doing something AMAZING that’s really just a rehash or a combination of two things they used to sell as a separate product and put them all together.
That doesn’t mean I’m anti-technology. Far from it.
However, one of the things that you (should) learn about security as your hair gets grayer is that the tech is about 10% of the solution. And if you think otherwise, you’re pretty-much guaranteed to get a rude awakening.
And that rude awakening may-or-may not start the path to the part where someone shouts, “And don’t let the door hit you in the ass on the way out!”
Recently, my friend and one of my mentors John Sherwood called BS on the “zero trust” fad over in his Attributer blog at the SABSA Institute in his own way. If you haven’t seen it, it’s worth a read, and pretty-much, the Emperor is as Naked as you’d expect from a concept dreamt up by an analyst looking for a new buzzword to remain “top of mind” and “relevant.”
So, yes, the way it’s being pitched and sold, it’s all about the network. And not only that, it’s about once again trying to position the network as the security savior of the organization, because, well, that’s how all those little critters in your enterprise are connected after all.
If we can just fix the way they’re connected, then Bob’s your uncle, and we’re all out of a job.
Poppycock-poop-in-a-bowl-with-sugar-sprinkles-on-top!
Giving the network technology control or responsibility for your security is like leaving your 4-year-old with Jim Jones as a baby-sitter while you go out for a few drinks after work.
It really won’t ever end well.
It’s just not the right tool for the job.
Sure, it might not be clear to a lot of people why this is the case, but that’s why you really need to upgrade your understanding of security governance and make risk a first-class player in the way you think about the game.
The irony here is that “zero trust” the real concept is basically nothing more than requiring *appropriate* authorization before you access a given resource.
While this sounds simple, based on the way we’ve let technology infrastructure grow like kudzu in many (most?) organizations, it’s damn-near impossible to sort out without a lot of work.
Why is it so hard?
Because while there’s ALWAYS an architecture of your organization – and even your security controls – in 99% of the cases, it’s emergent rather than planned.
And it isn’t the good side of emergent. It’s the scarred-face-of-Harvey-Dent side of the story that we’re generally seeing with the organizations we support.
So, if you just let infrastructure grow, and you have no real idea of the nature of the risks the organization faces or how those risks map onto a set of categories of what you have and what you do, you’re pretty much left with the option everyone else has been using forever.
A warm and chewy inside surrounded by a hard crispy shell.
Which works fine for catapults, but then they dig under the walls—or have dragons, or wizards, or teleportation or a million other things nobody really considered because it was pitched in the “too hard; not enough time” bucket.
And the second level of irony here is that if you apply the SABSA principles correctly, then you actually do create these categories of critters in your environment, and you do identify the interactions between them so you make the CONSCIOUS CHOICE about the level and location of where the access control takes place.
So, applying SABSA correctly can actually give you the isolation and “zero trust” concept you’re after…
But, it ain’t at the network level, kiddo.
All this to provide a brief warning to people getting ready to invest heavily in “Zero Trust” whatever: it probably won’t help you…
…at least the way you’re likely to go about it.
To do what it intends, you have to think differently about what you’re doing. You need a security architecture that works, and you need to understand the business and the nature of the things that you’re managing so you can get leverage by classification, rather than trying to solve problems at the level of individual endpoints and serial numbers.
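To make that distinction concrete, here is an added example (it is not code from this post, from Archistry, or from SABSA material; the resource names, classifications, teams and IP ranges are constructed for illustration). It puts the only decision a network-level control can actually make, “is the source address inside the corporate range?”, next to an authorization decision made per request from the identity’s attributes and the classification of the resource, with one rule per category rather than one rule per host.

```python
"""Added example: network-location trust vs. per-resource authorization by classification.

All names, classifications, teams and IP ranges below are constructed for
illustration; none of it comes from the post or from SABSA material.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, FrozenSet


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str   # one of the category keys in CLASSIFICATION_RULES
    owner_team: str


@dataclass(frozen=True)
class Subject:
    user: str
    team: str
    clearances: FrozenSet[str]   # classifications this identity is cleared for
    source_ip: str               # address the request arrived from


# --- Approach 1: the network as the control --------------------------------
# "Inside the corporate range" is treated as trusted. This is the only input
# a perimeter / segmentation design has available when it decides.
INTERNAL_NET = ip_network("10.0.0.0/8")   # constructed range


def perimeter_allows(subject: Subject, resource: Resource) -> bool:
    # The resource is ignored: the network layer only sees the address.
    return ip_address(subject.source_ip) in INTERNAL_NET


# --- Approach 2: authorization per request, keyed on the *category* ----------
# One rule per classification, not one per server. A new host placed in a
# category picks up that category's rule with no new policy lines.
Rule = Callable[[Subject, Resource], bool]

CLASSIFICATION_RULES: Dict[str, Rule] = {
    # Any authenticated identity may read public material.
    "public": lambda s, r: True,
    # Internal material needs an identity explicitly cleared for it;
    # which network the packet came from does not matter.
    "internal": lambda s, r: "internal" in s.clearances,
    # Restricted material additionally requires membership of the owning team.
    "restricted": lambda s, r: "restricted" in s.clearances and s.team == r.owner_team,
}


def resource_allows(subject: Subject, resource: Resource) -> bool:
    rule = CLASSIFICATION_RULES.get(resource.classification)
    if rule is None:
        # Unclassified resource: fail closed. That is the conscious choice.
        return False
    return rule(subject, resource)


def compare(subject: Subject, resource: Resource) -> Dict[str, bool]:
    """Return both decisions so the two approaches can be contrasted."""
    return {
        "perimeter": perimeter_allows(subject, resource),
        "resource": resource_allows(subject, resource),
    }


# --- Constructed sample data ------------------------------------------------
PAYROLL_DB = Resource("hr-payroll-db", "restricted", owner_team="hr")
WIKI = Resource("eng-wiki", "internal", owner_team="eng")

# A contractor plugged into an office port: on the "trusted" network, no clearance.
CONTRACTOR_ONSITE = Subject("cj", "vendor", frozenset(), "10.1.2.3")
# An HR analyst working from home: outside the perimeter, correct clearance and team.
HR_REMOTE = Subject("amira", "hr", frozenset({"internal", "restricted"}), "203.0.113.5")


if __name__ == "__main__":
    for subj, res in [(CONTRACTOR_ONSITE, PAYROLL_DB), (HR_REMOTE, PAYROLL_DB), (HR_REMOTE, WIKI)]:
        print(f"{subj.user:>8} -> {res.name:<14} {compare(subj, res)}")
```

Run as-is, the contractor on the office LAN is allowed into the payroll database by the perimeter rule and refused by the resource rule, while the HR analyst at home gets the opposite pair of answers. The point of the second approach is not the few lines of lambda; it is that the policy is written against categories you chose deliberately, so the decision can live at the resource (or the application in front of it) regardless of what the network thinks.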
That’s the path to no hair, your teeth falling out, impotence and insanity.
Sooooo…..
If that doesn’t particularly appeal to you, but you want to address the problem properly, then let’s talk. Join the Security Leadership coaching program. Work with us on a dedicated architecture engagement, or at least let’s have a conversation about what you’re thinking about doing before you sign that next magic control PO.
Go here—right now: https://archistry.com/go/SecurityLeader.
I don’t want you to end up spending your money and still getting screwed when it doesn’t work.
It’s like the ad that says “Buy this Ferrari 308. Only $2,999. One owner,” and when you go to pick it up, someone hands you the limited edition Hot Wheels “Magnum P.I.” toy when you thought you were going to be able to drive it home.
You’re going to be disappointed.
And not only will you be disappointed, but you’re going to have created yet another problem to solve.
We do what we do to help you succeed. If that means working with you, then that’s super. If it means you read this stuff and it helps prevent you jumping off a cliff based on slick, modern-day snake-oil tactics, then more the better.
I really can help if you let me.
What do you say? Are you ready to build a better security program?
Here’s that link again: https://archistry.com/go/SecurityLeader
ast
—
Andrew S. Townley
Archistry Chief Executive
P.S. And I know I’ve said this before, but I don’t want you to miss this chance. The days are peeling off my calendar, and when we get to the end of the month, you’ll never see this offer this way again.
P.P.S. Oh, and if you’re thinking that you don’t have time for a 15-minute call with me or that the program can’t help you, then I KNOW there’s value we can add. That’s why I guarantee results or I pay you.