Shiraz's Home

Musings on Zero Trust

Zero trust misunderstandings; thanks vendors, analysts and history.
For 18 months I’ve been talking about the new world of ZT (no surprises on the trigger: c-19). This is what I’ve learnt so far.
The initial conversations led me to believe there’s a misunderstanding on the terminology; today there's still a misunderstanding (thanks vendors, analysts and history).
 
I always start with these slides; they give me and everyone else permission to be wrong.
 
I don’t think anyone really cares about the many differing routes to achieve ZT; the aim is to find what Zero Trust could mean for you (customers) today and later in the future.
So what have I learnt from conversations over the last 18 months?
I’ve learnt I really dislike the idea of radical ground-up solutions that often put customers on the path of a complete rip/replace. No one wants this; this practice should have died with the dot-com bubble.
Lesson one: leverage what you have. The critical components of Zero Trust are likely already in your Network, FWs, Federated Authentication, EPPs and Agents that might be lying around, fully paid for and in support.
Next, as always, figure out what needs protecting. Put a dollar value on the loss, breach or underground re-sell value of your most important, revenue-generating, mission-critical data.
Third, plan and build a ZT strategy to protect THAT data. Use 2FA, complex passwords, EPP policies, FWs and... wait for it, good ‘Info Security Hygiene’. This typically means someone reviews and tightens AD security policies/controls.
Fourth, figure out the hosts, systems and networks that can connect to your most mission-critical data (from step two). This exercise often leads to the ‘uh-oh’ moment, but it’s normally free to fix: cut it or auto-patch it!
OK, now go ahead and talk to vendors a little more: how can I police connections (who is connecting, from where and how) and then continuously evaluate THOSE connections? Ideally you want to be in a position to assume guilt, for every session.
Whatever you do, don't entertain conversations that will lure you towards buying the ZT bus. With ZT you literally have to measure thrice and cut once, and that 'cut once' should be iterative steps over a course of time, allowing you to assess each building block over time.
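One way to express the "assume guilt, for every session" check from the steps above, as an added example that is not code from the original post. The resource name, users, hosts, networks and protocol label are constructed placeholders, and the posture fields stand in for whatever your existing 2FA, EPP and patching tools already report.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user: str          # who is connecting
    mfa_passed: bool   # 2FA completed for this session
    host: str          # which host the session comes from
    epp_healthy: bool  # endpoint protection agent reports healthy
    patched: bool      # host is at the required patch level
    source_net: str    # from where
    protocol: str      # how

# Constructed policy for one hypothetical mission-critical data store.
POLICY = {
    "resource": "finance-db",
    "allowed_users": {"alice", "bob"},
    "allowed_hosts": {"fin-ws-01", "fin-ws-02"},
    "allowed_nets": {"corp-lan", "corp-vpn"},
    "allowed_protocols": {"tls-postgres"},
}

def evaluate(session: Session, policy: dict = POLICY) -> tuple[bool, list[str]]:
    """Assume guilt: collect every failed check and allow only if none fail."""
    failures = []
    if session.user not in policy["allowed_users"]:
        failures.append("user not authorised for resource")
    if not session.mfa_passed:
        failures.append("2FA not satisfied")
    if session.host not in policy["allowed_hosts"]:
        failures.append("host not on the connect list")
    if not session.epp_healthy:
        failures.append("EPP agent unhealthy")
    if not session.patched:
        failures.append("host below patch level")
    if session.source_net not in policy["allowed_nets"]:
        failures.append("source network not allowed")
    if session.protocol not in policy["allowed_protocols"]:
        failures.append("protocol not allowed")
    return (not failures, failures)

def continuous_eval(snapshots: list[Session]) -> list[bool]:
    """Re-run the full check on each snapshot of a live session; nothing is cached."""
    return [evaluate(s)[0] for s in snapshots]
```

The list of failure reasons doubles as the audit trail for the "uh-oh" exercise: running every currently observed connection through `evaluate` shows which hosts and networks reach the data without meeting the policy.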