Debunking ZTDR Myths by Jason Garbis
Busting Zero Trust Myths
Zero Trust is a noisy and complex market with a high degree of solution overlap and, sadly, an overabundance of vendor hype. This has led to the appearance of Zero Trust myths, which tend to appear like unwanted and poisonous mushrooms after a spring rain shower. While we’re (unfortunately) not going to blow anything up during the course of this blog posting, we will be using our metaphorical machete on a few Zero Trust myths. So let’s go full-on nerd mode, strap on our safety goggles, and bust some myths!
Myth #1: Zero Trust is Hard
The reality is that Information Security itself is hard, and Zero Trust actually makes things easier. Part of the misperception may be because Zero Trust is a security philosophy which emphasizes a holistic approach. And this in turn encourages security teams, often for the first time, to consider things from a process and business perspective.
Zero Trust makes this easier because it gives you a way to abstract away some of the complexity through a unified policy model. For example, you can define access policies that apply to users, regardless of whether they are in the office (on-premises) or working remotely. This is a significant improvement over traditional security architectures, which use completely different models for remote users (e.g., VPNs) and on-premises users (e.g., NAC). Another example - these policies can make use of device posture checks in a way that works consistently regardless of whether the user is running Windows or is on a Mac.
The takeaway: Zero Trust can be easy to get started with, in particular for one of our favorite use cases, securing access to the data backup and recovery system. These are high-value systems often targeted by attackers, and the set of system administrators should be small and well-known. To facilitate this, we propose three questions for your security team:
1. How are we enabling secure sysadmin access to our data backup and recovery system?
2. How is the data backup and recovery system protected from unauthorized network access?
3. What would it mean to you if we enforced contextual and identity-centric access controls? How would that improve our security, compliance, and operations?
Hopefully these questions will spark a conversation about Zero Trust, and about how it can be quickly applied to your data backup and recovery environment.
Myth #2: You Need to be Perfect to Get Started
When we talk about Zero Trust, we often emphasize the power of access policies based on user attributes such as roles or group membership, or on workload attributes. This can lead people to the mistaken conclusion that they need to have perfected their identity management processes and group memberships, as well as their workload inventory and release processes before they can get started. To quote the cult classic film Repo Man, “pernicious nonsense!”
Zero Trust is an unabashed learning journey and very much a “come as you are” party. I’ve worked with enterprises with a huge variety of maturity levels across their IT and security ecosystems, and every one of them is able to get started and make short-term progress with their Zero Trust journey. Often, they can deliver better security for their business just by refining their processes and making better use of the tools they have in place – without having to spend additional budget procuring new tools.
The takeaway: Think about two areas of relative strength and two of relative weakness in your security environment. For example, maybe you have a sound user device management tool that enforces security configurations. Or maybe, like in many organizations, you have a “messy” set of directory groups (often referred to as a “giant hairball”).
The areas of strength are good candidates for inclusion in your initial Zero Trust policies. In our example, it’d be straightforward and powerful to use device posture checks as part of your access policies. The areas of weakness are often good targets for focused improvements as part of a Zero Trust project. Tackling the giant hairball of directory groups is a massive undertaking, but creating new groups for a well-understood group of users - such as your data backup and recovery administrators – is entirely doable and also has the benefit of establishing clean and clear processes for group membership.
Myth #3: Zero Trust is only about Security
While Zero Trust absolutely is a security strategy, it's important to recognize two things about this. First, remember the fundamental goals of information security - Confidentiality, Integrity, and Availability. Achieving availability requires information security teams to apply Zero Trust beyond typical security boundaries, and influence their enterprise’s approach to data backup & recovery, and business continuity / disaster recovery (BC/DR).
Second, Zero Trust programs absolutely deliver business value. They enable the business to adopt new technologies securely, open new channels for secure communication and collaboration with suppliers, partners, and customers, and improve user productivity. Not to mention reducing the burden of meeting and reporting on compliance requirements, accelerating strategic business activities such as digital transformation or Merger & Acquisition, and accelerating business processes via improved user experience and access methods.
Some of these improvements, even when focused on small or day-to-day activities, can deliver compelling results. And, smaller initial Zero Trust projects also have the benefit of being deployed and operationalized quickly.
The takeaway: Talk to your data and application owners about their processes and frustrations with data backup and recovery experiences. How can the categorization, onboarding, testing, and validation be improved? What access-related barriers can a Zero Trust project remove?
Myth #4: Zero Trust is Only a US-Government initiative
It’s true that the US Federal Government has taken a public stance on mandating Zero Trust adoption for its departments and has amplified its awareness and adoption. They deserve a lot of credit for doing so, as Zero Trust encapsulates our industry’s best practices and approaches. And the Zero Trust guides and architectures published by US agencies such as the National Institute of Standards and Technology (NIST), the National Security Agency (NSA), and the Department of Defense (DoD) are sound, valuable, and globally applicable to both public and private sector organizations.
Even with all this US government support, however, it’s important to remember that Zero Trust originated in the private sector, and has been enthusiastically embraced and supported by vendors, consulting and analyst firms, and enterprises worldwide. There are also numerous non-US governments which have adopted Zero Trust, such as Singapore, UK, Canada, Australia, and others.
In fact, I’d argue that this highly decentralized approach to Zero Trust has contributed to its success, creating a rich (but admittedly noisy) marketplace of ideas, solutions, and approaches. And this marketplace is important – even with the plethora of documents from the US Government, there are definitely areas where the private sector needs to enhance and fill in gaps. For example, the NSA’s document Advancing Zero Trust Maturity Throughout the Data Pillar doesn’t even mention data backup and recovery, which is a huge part of a security team’s mission. For this, we recommend our contribution to the industry, the concept of Zero Trust Data Resilience.
The Takeaway: Review the NSA Cybersecurity Information Sheet on Data Security, and then read the Object First whitepaper as a companion piece. After reading these, think about how your organization should approach data security within your Zero Trust initiative and how your data backup and recovery system should be secured.
Conclusion: Myths…Busted!
OK! Let’s take off our safety goggles, grab a lemonade, and sit down. Busting those myths was hard work, but hopefully, by doing so, we’ve clarified it and made your journey toward Zero Trust easier.
Information security is hard, and there is no doubt about that. But it’s also a fun, challenging, and rewarding profession. Enabling our enterprises to achieve their mission, keeping our users secure and productive, and making our data safe and resilient – these are worthy and meaningful goals. So, let’s keep at it, distinguish myths from facts, and work to make progress on our Zero Trust journeys.