In this Help Net Security interview, Phil Vachon, Head of Infrastructure in the Office of the CTO at Bloomberg, discusses the varying definitions of zero trust among security professionals and companies, emphasizing its broad design philosophy.
Vachon explores challenges in implementing zero trust, distinguishing between user-end and back-end infrastructure integration.
Treat your internal services like they are out on the open internet, and design the controls around them accordingly.
Zero trust is a design philosophy that applies to every facet of an enterprise's IT estate - from the laptops and desktops that employees use to do their jobs, right through to the servers or public cloud infrastructure used to deliver services to customers.
How you approach a zero trust implementation is very different in each of these scenarios - and implementers and architects in those domains will have different take-aways based on the implementation of controls needed for the environment they focus on.
The implementation of this design philosophy varies so widely from firm to firm.
Because of vendors crowding into the space and using zero trust as a marketing buzzword - and the wide design space in general - implementations and products have muddied the waters about what zero trust is all about.
Finally, zero trust in an enterprise is the adoption of a design philosophy and architectural concepts - not a particular goal as part of a project or existing initiative.
These philosophies impact your decisions about IT service offerings, changing how you design and deliver solutions for your internal customers.
Lack of executive buy-in due to the mistaken perception that this is overly expensive - infrastructure is regularly ignored because of the perception of low ROI/high TCO. Lack of executive understanding of the firm-level risk tolerance needed to make changes to how the company does business today.
One good back of the napkin metric in evaluating a firm's adoption of these design principles is to first look at its internal policies and risk tolerance definitions.
When the firm has policies that define identity management and authentication practices, as well as data protection/data security policies that advocate the above design principles, it's well on the way.
To me, it's amazing how many enterprises often leave these things as an implementation detail, rather than focusing on how they can become enablers for execution and consistency.
Of course, there are other signs that a company is headed in the right direction - how much it has focused on scaling its IT estate implementation on automation-first approaches, a capability/intent-focused mechanism to reason around permissions, frequent reassessment of privileges, as well as a strong decommissioning process.
Another easy metric: in your inventory, figure out how many sites are using SSO vs. some home-grown authentication vs. no authentication whatsoever.
Having good design patterns for protecting both greenfield and legacy systems is also a good maturity indicator.
Treat your zero trust initiatives as product lifecycles - and don't commingle your end user, remote access, and data center/public cloud initiatives.
Giving people an ideal state, while having some backups, can help build credibility for how the project is keeping business moving, while also improving the firm's overall security posture.
Remember that you are taking the first step on a long journey toward a design philosophy.
The destination is a state where you are able to focus on continual process improvement and user enablement, and ensure new capabilities that enable everyone across the business to use the same set of design principles.
This Cyber News was published on www.helpnetsecurity.com. Publication date: Tue, 09 Jan 2024 05:43:07 +0000