Zero Trust is Boring (and Why That's a Good Thing)
When you hear the word "cybersecurity," what comes to mind?
For many people, including myself, it conjures up images similar to the intense, high-stakes world portrayed in the American TV series 24. In this show, a team of counter-terrorism experts races against time to prevent major terrorist attacks, often involving weapons of mass destruction. The tension is palpable and the adrenaline is pumping as both the terrorists and the counter-terrorists engage in a thrilling game of cat and mouse.
Popular accounts of cybersecurity often draw parallels to this dramatic portrayal, just with APTs, red/blue teaming, threat hunting, and vulnerabilities instead of guns and disguises. Once a hacker is discovered within a network, the cybersecurity team springs into action to protect valuable assets, detect the extent of an attack, and shut it down. While the consequences of failure in the cyber realm may not involve a mushroom cloud over New York City, the stakes are still significant. Hackers can cause considerable harm to organizations by stealing data, denying access to information, and even disrupting critical operations or infrastructure.
Certainly, there are situations where a swift and specialized response is necessary, like having a "cyber SWAT team" to deal with an active attack. However, living in a state of constant high-alert is not sustainable or conducive to productivity.
Imagine yourself at an airport, waiting for your flight. Dozens of SWAT officers armed with bomb-sniffing dogs and rifles patrol the terminal, stopping and checking individuals who fit a particular profile. They identify one person who appears suspicious, arrest them, and drag them away for interrogation.
Now imagine this scene repeats again and again - and this is just a typical Tuesday morning.
How is this a way to live?
Thankfully, airport security is not the Wild West. In the US, the Transportation Security Administration (TSA) has implemented standardized procedures. Rather than treating each security threat as unique, they have established a process for conducting security screenings that is practical and operational, scaling to over 2.5 million passengers per day.
It may not be thrilling, but it's intentional and effective. The SWAT team is still available, but doesn't have to be the first call. Moreover, when travelers understand what is expected of them, they can participate in making security screenings more efficient.
The concept of Zero Trust is often likened to airport security. Instead of passengers, individual network packets undergo security screening: each packet is checked, the identity of the sender is established, access to specific resources is authorized, and default restrictions are enforced, blocking unauthorized access to resources.
But Zero Trust is like airport security in another way. It aims to create a routine and predictable security process that is policy-driven. Just like its real-world counterpart, this security is boring - and effective.
Many organizations currently operate with a flat internal network, resembling the lawless Wild West. Few have established comprehensive security policies, leaving security teams unsure of who should have access to what and where to begin developing a policy.
However, this is not an excuse for inaction. Any policy is better than no policy at all. You can start by deploying policies in a detection mode to test their effectiveness before enforcing them. Tools like our CoIP® Platform even offer assisted policy creation, which suggests policies based on observed network flows.
Furthermore, taking an overlay approach to Zero Trust means that perfection is not required from day one. Just as the TSA continuously updates and improves their procedures to enhance security while streamlining the process (think TSA Pre-Check), you can continually fine-tune your policies to tighten security or leverage new technologies like passwordless authentication with a solution like CoIP Platform. And if mistakes happen, you can easily roll back changes or disable them—a safety valve that is challenging to achieve with traditional infrastructure-based network security.
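The screening and rollout described above (identity required, default deny, policies staged in detection mode before enforcement, one-step rollback) as a small worked example; this is added illustration code, not the CoIP Platform's own policy engine, and the service, resource and port names are constructed:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:            # one explicit allow: verified identity -> resource:port
    identity: str      # e.g. "svc:web" (hypothetical name)
    resource: str      # e.g. "db:orders"
    port: int

@dataclass(frozen=True)
class Flow:
    identity: "str | None"   # None: the sender's identity could not be established
    resource: str
    port: int

@dataclass(frozen=True)
class Policy:
    rules: frozenset
    mode: str          # "detect" logs would-be denies; "enforce" blocks them

def evaluate(policy: Policy, flow: Flow) -> tuple:
    """Return (action, reason). Anything not explicitly allowed is denied."""
    if flow.identity is None:
        verdict = ("deny", "identity not established")
    elif Rule(flow.identity, flow.resource, flow.port) in policy.rules:
        verdict = ("allow", "matched rule")
    else:
        verdict = ("deny", "no matching rule (default deny)")
    if verdict[0] == "deny" and policy.mode == "detect":
        return ("allow", "DETECT would deny: " + verdict[1])  # logged, not blocked
    return verdict

# Constructed sample: one allow rule and three observed flows
RULES = frozenset({Rule("svc:web", "db:orders", 5432)})
FLOWS = [Flow("svc:web", "db:orders", 5432), Flow("svc:web", "db:hr", 5432),
         Flow(None, "db:orders", 5432)]

def rollout() -> dict:
    """Stage the same rules in detect mode, then enforce; keep versions for rollback."""
    versions = [Policy(RULES, "detect")]
    detect = [evaluate(versions[-1], f)[0] for f in FLOWS]
    versions.append(Policy(RULES, "enforce"))
    enforce = [evaluate(versions[-1], f)[0] for f in FLOWS]
    versions.pop()   # rollback: one step, nothing in the underlying network to rebuild
    return {"detect": detect, "enforce": enforce, "after_rollback": versions[-1].mode}
```

In detect mode every flow passes but the two would-be denies are reported in the reason string, which is what you review before flipping the same rule set to enforce.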
The future of enterprise network security lies in a policy-driven approach. It's hard to fathom that in a few years, a Chief Information Officer (CIO) updating the Board of Directors would find it acceptable to say, "We have no policies for internal network access." CIOs and Chief Information Security Officers (CISOs) must consider how to make information security repeatable, scalable, and yes, even a bit boring. Zero Trust is the path to achieving this.