In May 1984 Tina Turner released “What’s Love Got to Do with It”, which became a number 1 hit. The range of emotions in that song is a fair description of how business, technology, and security professionals feel about trust within their environment. The reality is that no one knew what she was going through. Both love and trust are familiar to everyone yet hard to explain in conversation. Both are nearly impossible to obtain; once obtained, they are easily lost and tend to go through cycles of poor fidelity. While no advice is given or implied about solving for love, this article attempts to supply some insight into trust.
Frustration over security gaps that should have been closed, given the high cost of security products and services, is common. Dismay over the performance of the latest installed security solution may be an understatement. Emotional distress describes many CISO and CSO leaders trying to solve for all the risk, vulnerability, sprawl, education, and behavior within their organization.
The reality is that every organization faces the same issues when it comes to security. While the specific risks may be unique to your organization, both the problem and the solution are universal. We all have the same problem to solve for. An unlimited budget will not solve it; more often, excessive spending worsens the problem. Throwing more money at a solution while the underlying problem remains unaddressed will never solve the actual problem.
The answer is ZTF, the Zero Trust Framework. How does one buy ZTF if it is the answer? Unfortunately, you cannot buy ZTF. There are products and services on the market that use Zero Trust as a sales strategy, but they do not solve the underlying problem. Each product starting with a “Z” can supply a solution to a specific need, but until it is implemented within a Zero Trust Framework it offers limited value to the chief security needs of any organization.
The truth is that trust has been our primary issue in security for thousands of years. If the only example of this problem were the “Trojan Horse”, the lesson would already be complete. The moral of the story is that effective security cannot trust anyone or anything. Easy to say and virtually impossible to execute upon. The solution is zero. The solution is the Zero Trust Framework.
Industry standards organization MEF published MEF 118, Zero Trust Framework for MEF Services, in October 2022. The standard can be found at: https://www.mef.net/resources/mef-118-zero-trust-framework-for-mef-services/
The Zero Trust Framework as developed by MEF is a vendor-neutral approach to the issues that all organizations face. The simple version is that effective security starts from zero access to any resource, system, device, user, or application, and each subcomponent is unlocked only by policy. Each policy is intended to supply both layered security and multi-dimensional security within each layer: several checks of different kinds, not several copies of the same check.
A simple analogy is the most dangerous prisoner in the highest-security prison, who must pass through multiple checks to be released from each level of security on the way from the most secure cell to the outside of the prison.
An example would be a person wishing to access their bank account from a mobile device. They must first unlock the device with a passcode and biometric verification. They must then attach to a wireless or cellular network, which admits the device based on its hardware address, an active account with the provider, and physical presence within range of the service. (A hardware address and proximity are weak, spoofable identifiers rather than authenticators; they add a layer, not a strong factor.) The next step is to log in to the bank through its website using the bank’s multifactor authentication system.
At each stage, access is defined by policy and must be verified before it is granted, with multifactor authentication wherever the layer supports it. The goal is a combination of layered security and multiple dimensions of security within each layer. The days of the castle and moat supplying effective security are gone.
In addition to policy-based security, the ZTF needs a DevSecOps method: a CI/CD process that improves the security posture of your organization through iteration. Effective security requires feedback from monitoring systems to continually improve the framework. Without open and honest feedback, any security solution will fail. Security is not static; it is dynamic, just as the threats an organization faces are dynamic. Attackers probe and test, and therefore you must do the same. Passive defense alone is a strategy based on hope. While love and trust have a hopeful foundation, security must be based on Zero Trust instead of hope.
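To make the layered, default-deny evaluation described above concrete, and to show the monitoring feedback the previous paragraph calls for, here is a small policy evaluator. It is an added example written for this article, not text or code from MEF 118 and not a reference implementation; the layer names, factor names, the “two dimensions per layer” rule and the sample requests are assumptions chosen to mirror the bank-from-a-phone scenario.

```python
"""Added example (not MEF 118 text or code): a default-deny, layered
policy evaluator.  Layer names, factor names and the sample requests
below are assumptions made for this illustration."""
from dataclasses import dataclass

# Each factor is tagged with the dimension it covers.  Requiring two
# different dimensions per layer is what makes a layer multi-dimensional
# rather than "two of the same kind of check".
FACTOR_KIND = {
    "passcode": "knowledge", "password": "knowledge",
    "biometric": "inherence",
    "otp": "possession", "active_subscription": "possession",
    "hw_address": "device",   # weak: a hardware address can be spoofed
    "in_range": "context",    # weak: proximity is not an authenticator
}


@dataclass(frozen=True)
class Layer:
    name: str
    required: frozenset   # every listed factor must be satisfied
    min_kinds: int = 2    # and together they must span this many dimensions


# Ordered policy: the device must unlock before the network is considered,
# and the network before the bank.  Nothing is granted by default.
POLICY = (
    Layer("device", frozenset({"passcode", "biometric"})),
    Layer("network", frozenset({"hw_address", "active_subscription", "in_range"})),
    Layer("bank", frozenset({"password", "otp"})),
)


def evaluate(request, policy=POLICY):
    """Return (granted, trail).  Access starts at zero; each layer is
    unlocked only when all of its required factors are present and True,
    and evaluation stops at the first failing layer (fail closed)."""
    trail = []
    for layer in policy:
        claims = request.get(layer.name, {})
        # Only a literal True counts; "true", 1 or a missing key is a failure.
        satisfied = frozenset(f for f in layer.required if claims.get(f) is True)
        missing = layer.required - satisfied
        kinds = {FACTOR_KIND[f] for f in satisfied}
        if missing or len(kinds) < layer.min_kinds:
            trail.append(f"DENY layer={layer.name} missing={sorted(missing)}")
            return False, trail
        trail.append(f"ALLOW layer={layer.name} kinds={sorted(kinds)}")
    return True, trail


def denial_report(trails):
    """Feedback for the DevSecOps loop: count which layer is refusing
    access so the policy is tuned from monitoring evidence, not hope."""
    counts = {}
    for trail in trails:
        last = trail[-1]
        if last.startswith("DENY"):
            layer = last.split()[1].split("=", 1)[1]
            counts[layer] = counts.get(layer, 0) + 1
    return counts


# Constructed sample requests (not real telemetry).
GOOD = {
    "device": {"passcode": True, "biometric": True},
    "network": {"hw_address": True, "active_subscription": True, "in_range": True},
    "bank": {"password": True, "otp": True},
}
# Same device and network, but the one-time code was never entered.
NO_OTP = {**GOOD, "bank": {"password": True, "otp": False}}
# A client that sends the string "true" instead of a verified result.
SPOOF = {**GOOD, "device": {"passcode": "true", "biometric": True}}

if __name__ == "__main__":
    results = []
    for name, req in [("GOOD", GOOD), ("NO_OTP", NO_OTP), ("SPOOF", SPOOF)]:
        granted, trail = evaluate(req)
        results.append(trail)
        print(name, "GRANTED" if granted else "DENIED", trail)
    print("denials by layer:", denial_report(results))
```

Two details carry the security point. The evaluator never reaches the bank layer for a request that fails at the device layer, so a compromised later layer cannot be probed without first satisfying the earlier ones, and a claim is only accepted as a literal `True`, so a sloppy client or a tampered message that says `"true"` is treated as an unsatisfied factor. The `denial_report` output is the kind of signal that would be fed back into the policy in each iteration.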
All success requires action; any benefit achieved without action is accidental and fleeting. The next step, after learning that money alone will not secure your organization, is to read MEF 118, the Zero Trust Framework standard, and apply its concepts to your strategy.