Peter Drucker, the management guru who has been described as “the founder of modern management,” is often credited with the quote “culture eats strategy for breakfast.” When it comes to Zero Trust, that quote – no matter who actually said it – is especially prescient.
Some organizations (not enough in this author’s opinion) have begun the journey to achieve a Zero Trust architecture. The word journey is used purposefully, as Zero Trust is not just about buying products or services. While many security vendors will tell you that they help an enterprise achieve Zero Trust with their products and services, there is much more to the journey to Zero Trust than technology.
Zero Trust Basics
In 2018, work undertaken in the United States by cybersecurity researchers at NIST and NCCoE led to the publication of SP 800-207, Zero Trust Architecture. The publication defines Zero Trust as a collection of concepts and ideas designed to reduce the uncertainty in enforcing accurate, per-request access decisions in information systems and services when the network itself is viewed as compromised. A Zero Trust architecture is an enterprise’s cybersecurity plan that uses Zero Trust concepts and encompasses component relationships, workflow planning, and access policies. A Zero Trust enterprise, then, is the network infrastructure (physical and virtual) and the operational policies that an enterprise has in place as the outcome of a Zero Trust architecture plan.
Zero Trust can also be viewed as the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.
No matter how you look at it, the main concept behind the Zero Trust security model is “never trust, always verify.” Zero Trust is about identifying who you are, where you are, and what you are trying or allowed to do.
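The per-request decision described above can be made concrete. The following is an added illustration, not code from the article or from NIST SP 800-207: a small policy decision point that evaluates every request on its own against who the subject is (with MFA verified for this request), whether the device is in a compliant state, where the request originates, and what action the subject is authorized to perform on the resource. Network location by itself never grants access, and nothing carries over from a previous decision. The subjects, device identifiers, regions and resource names are constructed sample data; the device-posture set stands in for an assumed endpoint-management feed.

```python
"""Per-request access decision in the "never trust, always verify" style.

Added illustration, not from the article or from NIST SP 800-207.
All identities, devices, regions and resources below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Request:
    subject: str          # who is asking
    mfa_verified: bool    # was identity verified for THIS request
    device_id: str        # which device the request comes from
    source_region: str    # where the request comes from
    resource: str         # what is being accessed
    action: str           # what the subject is trying to do


# Constructed policy data. Real deployments would pull these from an
# identity provider, an endpoint-management feed and a policy store.
ALLOWED_ACTIONS: Dict[Tuple[str, str], Set[str]] = {
    ("alice", "payroll-db"): {"read"},
    ("bob", "payroll-db"): {"read", "write"},
}
# Devices currently reported as compliant (assumed posture feed).
COMPLIANT_DEVICES: Set[str] = {"laptop-alice-01", "laptop-bob-07"}
# Regions from which each resource may be reached at all.
RESOURCE_REGIONS: Dict[str, Set[str]] = {"payroll-db": {"us", "eu"}}


def evaluate(req: Request) -> Tuple[bool, List[str]]:
    """Evaluate one request. Every check must pass; the returned reasons
    list records each failed check so the decision can be logged and audited."""
    reasons: List[str] = []
    if not req.mfa_verified:
        reasons.append("identity: MFA not verified for this request")
    if req.device_id not in COMPLIANT_DEVICES:
        reasons.append(f"device: {req.device_id} is not in a compliant state")
    if req.source_region not in RESOURCE_REGIONS.get(req.resource, set()):
        reasons.append(
            f"location: region {req.source_region} not permitted for {req.resource}"
        )
    permitted = ALLOWED_ACTIONS.get((req.subject, req.resource), set())
    if req.action not in permitted:
        reasons.append(
            f"authorization: {req.subject} may not {req.action} {req.resource}"
        )
    return (len(reasons) == 0, reasons)


def decide(req: Request) -> Dict[str, object]:
    """Produce an audit-friendly decision record for a single request.
    Each call re-evaluates from scratch: no trust is inherited from earlier
    requests by the same subject or device."""
    allowed, reasons = evaluate(req)
    return {
        "subject": req.subject,
        "resource": req.resource,
        "action": req.action,
        "decision": "ALLOW" if allowed else "DENY",
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Same subject and device, two consecutive requests: the second is
    # judged on its own merits and is denied.
    for r in (
        Request("alice", True, "laptop-alice-01", "us", "payroll-db", "read"),
        Request("alice", True, "laptop-alice-01", "us", "payroll-db", "write"),
        Request("bob", False, "laptop-bob-07", "eu", "payroll-db", "write"),
    ):
        print(decide(r))
```

The decision record carries the failed checks rather than a bare yes/no, which is what a security operations team needs to spot a device that silently dropped out of compliance or a subject repeatedly asking for actions outside their grant.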
Culture is as Important as Technology
Many security vendors will tell you that their products will help get an enterprise to a Zero Trust architecture. While that may be true from a technology perspective, there is much more to achieving Zero Trust than just the technology.
Zero Trust is as much about culture as it is about technology or products. The “culture eats strategy for breakfast” quote means that no matter how strong your strategic plan is, its efficacy will be held back by members of your team if they don’t share the proper culture and aren’t aligned on the vision. When it comes down to it, the people implementing the plan are the ones who make all the difference.
The Need for Collaboration
The information technology (IT) assets that are integral to implementing Zero Trust include security systems, servers, applications, databases, IP telephony, contact centers, cloud services, Software as a Service providers, and the network that ties all these components together. These assets are often managed separately by teams within the enterprise they support. While most of these assets fall under the CIO, in many cases, the security of these assets falls under the purview of the CISO – who may or may not report to the CIO.
These organizational silos often create artificial boundaries that impede progress on the Zero Trust journey, as the separate teams supporting disparate technologies are not incentivized to collaborate on security solutions, certainly not on ones as far reaching as Zero Trust.
Think about it this way: technology assets are usually under the purview of IT. Audit, compliance, and risk are usually completely outside of IT. Who, then, is responsible for achieving Zero Trust?
Understanding the processes that play a role in Zero Trust is equally important. Are all of the devices in your infrastructure running the latest version of the vendors’ software? What is the patch cadence for all of the organization’s devices? Does your IT organization have embedded processes to make sure that the patches and security updates the vendors provide are installed across your infrastructure? And are those processes being followed? When there aren’t clear or well-adopted policies around IT and security, the most basic parts of security hygiene – regularly applying security patches and managing configurations – are often overlooked. Automation can play an important role here, but it is challenging to automate processes that are not well defined and followed.
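The patch-cadence questions above are exactly the kind of check that automation can answer once the policy is defined. The following is an added example, not from the article: it assumes an inventory export that records, per device, the running software version, the vendor’s current version and the date of the last applied update, and it classifies each device against a cadence window. The inventory records, vendor names and versions are constructed. Note that versions are compared numerically component by component; comparing them as strings would wrongly rank “2.9.5” above “2.10.0”.

```python
"""Patch-cadence compliance check over a device inventory.

Added example, not from the article. Assumes an inventory export with
running version, vendor current version and last-patched date per device;
all records below are constructed.
"""
from datetime import date
from typing import Dict, List, Tuple

# Constructed inventory records.
INVENTORY: List[Dict[str, object]] = [
    {"device": "fw-edge-01", "vendor": "ExampleVendor", "running": "7.2.1",
     "current": "7.2.3", "last_patched": date(2024, 1, 5)},
    {"device": "sw-core-02", "vendor": "ExampleVendor", "running": "15.1",
     "current": "15.1", "last_patched": date(2024, 2, 20)},
    {"device": "srv-app-03", "vendor": "ExampleVendor", "running": "2.9.5",
     "current": "2.10.0", "last_patched": date(2024, 2, 15)},
    {"device": "db-prod-04", "vendor": "ExampleVendor", "running": "5.7.40",
     "current": "5.7.44", "last_patched": date(2023, 11, 30)},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of integers so that
    comparison is numeric per component ("2.9.5" < "2.10.0")."""
    return tuple(int(part) for part in version.split("."))


def is_behind(running: str, current: str) -> bool:
    """True when the device runs something older than the vendor's current version."""
    return parse_version(running) < parse_version(current)


def classify(record: Dict[str, object], today: date, cadence_days: int) -> str:
    """Classify one device:
    - "compliant": already on the vendor's current version
    - "pending":   behind, but updated within the cadence window
    - "overdue":   behind, and last update is older than the cadence window
    """
    if not is_behind(str(record["running"]), str(record["current"])):
        return "compliant"
    last_patched: date = record["last_patched"]  # type: ignore[assignment]
    age_days = (today - last_patched).days
    return "overdue" if age_days > cadence_days else "pending"


def overdue_devices(inventory: List[Dict[str, object]], today: date,
                    cadence_days: int) -> List[str]:
    """Names of devices that have fallen outside the patch cadence."""
    return [str(r["device"]) for r in inventory
            if classify(r, today, cadence_days) == "overdue"]


def compliance_summary(inventory: List[Dict[str, object]], today: date,
                       cadence_days: int) -> Dict[str, int]:
    """Counts per state, suitable for a recurring hygiene report."""
    summary = {"total": len(inventory), "compliant": 0, "pending": 0, "overdue": 0}
    for record in inventory:
        summary[classify(record, today, cadence_days)] += 1
    return summary


if __name__ == "__main__":
    as_of = date(2024, 3, 1)
    print(compliance_summary(INVENTORY, as_of, cadence_days=30))
    print("overdue:", overdue_devices(INVENTORY, as_of, cadence_days=30))
```

The cadence value is the policy the article says must exist before automation can help; the code only reports against it. Running the summary on a schedule turns “are those processes being followed?” into a number that can be tracked over time.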
Culture and People
In addition to the technology and processes across your organization, do the people across the company understand their role in achieving Zero Trust? Do you train against phishing? Do you have regular process improvement workshops to focus on evolving your people as your processes evolve? Most importantly, do your end-users and customers understand your Zero Trust architecture and processes so that they know what is expected of them, and what to do if they detect anomalous behaviors?
Which technology is chosen to be part of the Zero Trust architecture is very important. Solutions that have standardized APIs that are open and well-documented will lend themselves better to automation and orchestration. Even with the many products touting security, it is possible to select best-in-breed components that support an architectural approach to implementing Zero Trust. Taking a security-by-design approach to selecting products will help you select products that can be integrated and lend themselves to automation.
Picking industry leaders in security technologies is a good practice; however, it is important to make sure those vendors are active in standards bodies, and that their APIs are well-documented and published.
It is even more important that the vendors you select recognize the people, process, and technology components of a Zero Trust architecture, and have developed their products to support all three aspects.
Zero Trust is a journey, not a destination. The journey begins with the recognition that technology is not enough. People (read culture), process, and technology are the three legs of the Zero Trust stool, and all must be addressed.
As pointed out in the beginning of this article, culture eats strategy for breakfast. If your organization doesn’t embrace the people and process aspects of Zero Trust, no amount of technology will help achieve that goal, and organizational inertia will prevent attaining Zero Trust.
How do you go about implementing a Zero Trust architecture? Most importantly, remember that people, process, and technology are equally important to completing this journey. Begin with the basics. Develop an architecture that supports all three aspects and build roadmaps to make sure that all three are included, implemented, and have a lifecycle to them. Zero Trust is not a destination, it is a journey.