Are we getting Zero Trust wrong?

During my Masters Thesis research, I’ve come to the conclusion that the information relating to Zero Trust (ZT) is misleading (at best).

The Zero Trust approach is to assume breach, that is, assume that all access requests are hostile unless proven otherwise. To do this, you must define your protect surface, which requires discovery of the devices, applications and services where “toxic data” resides; then define who is able to access it and implement least privilege; then understand the associated threats and risks; and only then implement technical solutions that are proportionate to need.

Yet the majority of ZT literature focusses on the protect solution with very little attention being paid to the precursors that lead to a successful implementation. In my research I’ve discovered that around 3% of academic literature, and 6% of other literature, is dedicated to these processes.

You can only protect those things you know about. For example, my research suggests that about 70% of breaches involve unmanaged devices (IoT, BYOD, Shadow IT, maliciously installed devices) and over 90% of enterprises have unknown or unmanaged devices on their networks. Without a good discovery process, you risk leaving unmanaged devices that contain “toxic data” outside of your protect surface, allowing an attacker to bypass your defences and exfiltrate data, or deploy ransomware on a system that has critical value to your enterprise. Shadow IT is often a good example of this: it frequently holds business IP or other protected data. Shadow IT is typically implemented to undertake tasks not approved by IT, manipulating data to “get the job done” without going through strong change management processes. This is not to say that it isn’t undertaking processes important to the business. Finding these Shadow IT implementations and bringing them under the purview of IT strengthens your defences.

Zero Trust isn’t a technical solution; it’s a strategy, a journey. Your strategy needs to begin with strong scope definition. Defining your scope relies on strong discovery to find all the locations of toxic data. Implementing the principle of Least Privilege limits things further by ensuring that you only have access to the data you need to complete your job. Finally, Threat Modelling and Risk Assessments prioritise your implementation, so that during your journey you build out your protect surface in the most efficient way possible.
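To make the discovery and prioritisation precursors concrete, here is an added example (not from the original post, and not a tool the research describes) that reconciles devices seen on the network against a managed-asset register and ranks the result for follow-up. The asset register, the `ip neigh`-style neighbour table, the hostnames and the three data classifications are all constructed, hypothetical values; the point it shows is that every device the register cannot account for is a hole in the protect surface, and that under “assume breach” an unknown device is treated as holding toxic data until discovery proves otherwise.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed managed-asset register, as a CMDB export might look:
# MAC address -> hostname, owning team and the most sensitive data class
# known to reside on the device. All values are hypothetical.
MANAGED_ASSETS = {
    "aa:bb:cc:00:00:01": {"hostname": "fin-db-01", "owner": "Finance", "data": "toxic"},
    "aa:bb:cc:00:00:02": {"hostname": "hr-app-01", "owner": "HR", "data": "toxic"},
    "aa:bb:cc:00:00:03": {"hostname": "kiosk-01", "owner": "Facilities", "data": "public"},
}

# Constructed neighbour-table snapshot in the line format of `ip neigh`.
# Two MACs are absent from the register; the last entry carries no lladdr.
IP_NEIGH = """\
10.0.1.10 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
10.0.1.11 dev eth0 lladdr aa:bb:cc:00:00:02 STALE
10.0.1.12 dev eth0 lladdr aa:bb:cc:00:00:03 REACHABLE
10.0.1.50 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
10.0.1.51 dev eth0 lladdr de:ad:be:ef:00:02 DELAY
10.0.1.99 dev eth0  FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<state>\S+)$"
)

# Unknown sensitivity ranks highest: an unmanaged device is treated as if it
# holds toxic data until discovery proves otherwise.
DATA_PRIORITY = {"unknown": 3, "toxic": 2, "public": 1}


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    hostname: str
    owner: str
    data: str        # "toxic", "public" or "unknown"
    managed: bool


def parse_neigh(text: str) -> list[tuple[str, str]]:
    """Return (ip, mac) pairs for neighbour entries that carry a link-layer address."""
    pairs = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # FAILED / INCOMPLETE entries have no MAC and are skipped
            pairs.append((m["ip"], m["mac"].lower()))
    return pairs


def reconcile(neigh_text: str, register: dict = MANAGED_ASSETS) -> list[Device]:
    """Join observed devices against the asset register; anything unmatched is unmanaged."""
    devices = []
    for ip, mac in parse_neigh(neigh_text):
        rec = register.get(mac)
        if rec:
            devices.append(Device(ip, mac, rec["hostname"], rec["owner"], rec["data"], True))
        else:
            devices.append(Device(ip, mac, "?", "?", "unknown", False))
    return devices


def unmanaged(devices: list[Device]) -> list[Device]:
    """The discovery gap: devices on the wire that the protect surface does not cover."""
    return [d for d in devices if not d.managed]


def prioritise(devices: list[Device]) -> list[Device]:
    """Order follow-up work: unknown sensitivity first, then toxic, then public."""
    return sorted(devices, key=lambda d: (-DATA_PRIORITY[d.data], d.ip))


if __name__ == "__main__":
    seen = reconcile(IP_NEIGH)
    for d in prioritise(seen):
        flag = "MANAGED  " if d.managed else "UNMANAGED"
        print(f"{flag} {d.ip:<10} {d.mac} {d.hostname:<10} owner={d.owner} data={d.data}")
    print(f"{len(unmanaged(seen))} of {len(seen)} observed devices are outside the protect surface")
```

In a real estate the register would come from a CMDB or MDM export and the observations from several sources at once (DHCP leases, switch MAC tables, NAC logs, cloud inventories), but the reconciliation logic is the same: the protect surface is only as complete as the join between what you believe you own and what is actually on the network.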

As I complete my thesis, I will update this blog with further findings.

Jon