I love Charlie CISO, created by NYU professor Ed Amoroso and Mad Magazine Illustrator Rich Powell. As per Amoroso, it was invented to wallow in the familiar mix of competence and hypocrisy that defines our cyber security space.
So What Exactly is Zero Trust?
There is a lot of confusion in the industry around how to determine the proper definition for Zero Trust. Many individuals just refer to traditional Forrester or Gartner articles, however any vendor offering some capability of Zero Trust will have their own version of how they define it. I will focus on containing myself in a vendor agnostic realm.
As I stated in a previous post, Zero Trust, in my mind, represents the main architectural principle of a well-defined security program. In any business, everything revolves around organizational data because that drives all decision-making for any company. While businesses are consuming the data, custodians are responsible to address the full lifecycle, from creating to storing, using, sharing, archiving, and deleting, regardless of where the data resides.
From a security perspective, Zero Trust focuses on a data-centric and risk-based access approach, which means that the security program has to have the right set of capabilities to address the access lifecycle. Successfully implementing Zero Trust requires taking a programmatic approach with a combination of processes and technology. When properly implemented, it helps with the reduction of complexity, the reduction of an operational burden, and the removal of technology debt.As a security architecture it is application, identity, and data focused, as well as contextual and dynamic in nature. If you think Zero Trust is a quick win, you are wrong. This is not an “off the shelf” product or a one-off project. You will find that most vendors who offer some Zero Trust capabilities are identity or network vendors, which is proven by Forrester’s original definition:
“Forrester Research defines the Zero Trust Model as a conceptual and architectural model for how security teams should redesign networks into secure micro perimeters, strengthen data security using obfuscation techniques, limit the risks associated with excessive user privileges and access, and dramatically improve security detection and response with analytics and automation.”Forrester Research
This was largely focused on network segmentation because it started as a networking concept with a specific perimeter in mind. All communication was hauled back through the data center in some sort of controlled access design.
Are Businesses Digitally Optimizing or Transforming?
Today, as exponential growth of cloud and mobile devices drives direct connection to the internet, CISOs are realizing that they are blind to data paths. It is scary. Mobile users want to do their jobs from any location, from any device, at any time, and by using any application. On top of the flexibility, end users want to share information with other colleagues, third-party vendors, etc. The question is: “How do we control data and devices while still enabling and empowering employees to do their jobs?”
We could summarize this with three major trends:
- Connectivity is ubiquitous.
- Movement towards cloud and mobile platforms is growing faster every day.
- Users demand instant access to applications and data.
Businesses realized those trends and started strategizing how to get to the next level. This created many digital business opportunities; call it digital transformation. Businesses understand that transformation fuels growth and that the workplace is no longer where people work. They must adapt to a new way of doing business, to attract and retain profitable customers while keeping a competitive edge.
Many opt in for digital business optimization, which Gartner defines as: “The practice of increasing digital sales and marketing or new technology internal efficiency mechanisms — without really changing the product offering or the business model.”
Others focus on digital business transformation. Digital business transformation is by its nature a more disruptive approach, which requires a very different mindset from optimization. Transformation creates new business models and/or platforms within, its aim is to generate revenue from new products and services.”
Optimization makes current practices better but doesn’t lead to transformation. New mindsets and business models are required for transformation.
This is why we all read and talk about the importance and necessity of security transformation. Architecting for the new world with a new mindset! In my mind, Digital Transformation is to business what Zero Trust is to security.