Trust but Verify: Why You Should Have A Spotter For Zero Trust
We know you’ve heard of Zero Trust, and our guess is you’re somewhere between curious, confused, and excited about its potential. But – and here’s the Inception moment – have you ever heard of zero trust for your Zero Trust? We’ll let that sink in.
As organizations rush to build out a Zero Trust environment, from buttons to brass doorknobs, how many stop to gap check? How many are aware that the finished product may not be fully foolproof? Perhaps not enough. We’ll investigate this policy, why it’s so great, and what its limitations are. Then you’ll know why it’s best to “trust but verify.”
What does Zero Trust mean?
First, let’s hammer out some basics: Zero Trust is not a specific product. Take it from Neil MacDonald, Gartner Distinguished VP Analyst, when he says “Zero trust is a way of thinking, not a specific technology or architecture…It’s really about zero implicit trust, as that’s what we want to get rid of.”
That being said, there are many Zero Trust product categories – and therefore acronyms – gaining steam in the industry right now. For example, one of the newest is ZTNA: The Gartner definition of ZTNA – full name Zero Trust Network Access – is “a product or service that creates an identity- and context-based, logical access boundary around an application or set of applications,” for the ultimate purpose of “remov[ing] application assets from public visibility and significantly reduc[ing] the surface area for attack.”
And that’s totally different from good ol’ Zero Trust Access (ZTA) products, which focus on helping administrators manage users’ access to network devices, but the spirit is the same: You only get to see what you’re supposed to see.
To this end, we’ve all been the one spearheading the Zero Trust push in our own IT departments (“I’ve been talking about this for years”), and it’s all systems go. But is it? How segmented are your network resources, really? How often do you verify or test your role-based permissions and PAM policies? Products roll out all the time, after multiple layers of testing and myriad quality checks, only to have patches released two months later. It happens.
But when you’re facing down an unprecedented onslaught of ransomware strains, RansomOps and APTs, it’s nice to have that not happen. And it’s nice to have a way of being sure the Zero Trust strategy you’re touting to anyone that’ll listen is as airtight as you think.
To give some context on what could go wrong, let’s explore some of the limitations of Zero Trust.
Limitations and Challenges to Zero Trust
First of all, let’s clear the air. A fully implemented Zero Trust architecture is certainly a worthy goal and it’s becoming the gold standard for network security and cyber hygiene. But, like anything that has human fingers in it, it’s subject to errors, misconfigurations, and a few other weak spots to watch out for. TechTarget lists three additional challenges:
- Piecemeal adoption. It’s all or nothing in a Zero Trust strategy, or else you’re left with “some trust,” aren’t you? You’ve got to go through phases before the transformation is complete, however, so just beware of how you frame it before it’s done. As TechTarget warns, “gaps or cracks may develop that make zero trust less ironclad than advertised.”
- Going the distance. A ground-up overhaul of your architecture to Zero Trust takes ongoing commitment, consistency and administration. Make sure someone’s there to pass the torch when your System Admin or CISO goes on maternity leave, or your most avid implementor switches to the home office. It also takes constant hygiene and training – update access controls whenever someone leaves and keep permissions up to date. That’s what really puts the “zero” in Zero Trust, and the job is demanding. If not, your data is in jeopardy during the gaps.
- Staying productive. Let’s not let Zero Trust be an end unto itself. The whole point is to continue to work at the breakneck speed you’re currently at (thanks, DevOps) while doing it safely. Zero Trust should not only be seamless, but elegant and not make daily functions grind to a halt. We are teams that do work safely, not teams that do safety for the sake of it. Plus, if obtuse ZTNA and ZTA practices are to blame for loss of productivity, you’ll lose buy-in for the whole thing. (See the Golden Vector for more on that.)
With so much to balance, gaps are inevitable. As Gartner states, “A complete zero trust security posture may never be fully achieved, but specific initiatives can be undertaken.” We’ve got the initiatives down – but what can be done about the “never fully achieved” part, and how can we see around those corners?
Mind the Gap: Sentinel is your safety net for zero trust
It helps to have a spotter: an extra set of eyes, another pair of boots on the ground, someone to watch your back. Someone, really, who’s not so close to your Zero Trust implementation that they can’t see the flaws. That’s us.
We’ll (politely) bring in our expertise and give you independent visibility into the network traffic, to see how ‘Zero Trust’ it really is – then help you with solutions on how to shore it up, if you’d like. We’ve seen it before through CIS controls implementations: Our tools act as a safety net as you make the full transition into your new architecture, policies and technologies.
Find out how Sentinel can help you watch your Zero Trust blind spots.
Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.