The Cultural Changes Zero Trust Security Demands
At the core of a zero trust strategy is re-thinking how companies approach security, from who is involved to what the goal is.
“Zero trust is a strategy designed to stop data breaches, and then to make other cyberattacks unsuccessful,” said John Kindervag, senior vice president, cybersecurity strategy at ON2IT, who is often considered the creator of zero trust.
In most cyberattacks, the goal is to exfiltrate some kind of sensitive data, and zero trust is a framework for designing a system in which that won’t happen.
The basis of a zero trust strategy is to force security decision-makers to step back and think more like CEOs — or to get the CEOs themselves involved.
In many organizations, IT teams in general and especially security teams have been so segregated from the business leadership that they don’t, in the course of their everyday responsibilities, pause to think about how the organization earns money.
Security teams often have very narrow scopes of work, and focus on meeting compliance demands rather than thinking strategically about how to actually protect the company.
Businesses ultimately have to be pragmatic and can’t just turn off all communications. When working on projects with enterprises, the starting point is always to ask which assets would hurt the organization the most if they were compromised, and to start there, according to Leonid Belkind, chief technology officer and co-founder of Torq, a security automation company.
Top Down, No Silos
Because zero trust focuses not on checking off compliance boxes or blindly following established company protocols but on aligning the security program with the business realities, the strategy is often (but not always) adopted first by executives and imposed on the security team in a top-down manner.
This is a cultural shift: It’s telling the security team that they need to move their focus from protecting laptops from malware to ensuring the company’s core assets are as protected as possible and on a zero trust network.
Success with zero trust also has to include restructuring the organization. “If you look at traditional organizational structure, they’re organized to stay in silos — the developers, platform engineers, the security teams — and it’s like a relay race where they pass the baton down,” said Ratan Tipirneni, CEO of Tigera, a cloud native application observability company.
“That type of organizational structure will not work when implementing these types of security models. You need to design security policies upfront, even when the code is being built.”
The need for organizational change is one of the reasons Tipirneni thinks that strong executive leadership is nearly always required for success with zero trust.
Though not everyone interviewed for “Trust No One and Automate (Almost) Everything” said that executives must be the champions, Kindervag and Belkind agreed that there is often high-level involvement in moving to zero trust, and involving executives and aligning security with business interests is critical.
Often security folks are hesitant to make changes because they fear being blamed for disruption. It’s possible to dramatically improve zero trust maturity without disrupting the usual IT operations, but the key is incremental improvement.
Start with something that is absolutely critical. “If we’re a bank, we might protect the SWIFT gateway,” Kindervag said, referring to the secure cross-border payment and financial messaging system.
“That’s a manageable project, in contrast to if I say, ‘We’re going to turn the whole network into zero trust,’ everyone’s going to just say, ‘How do we do that?’”
Security experts talk about “trust” — trusted users, trusted devices — and design security programs that assume that some humans and computers are by default “trusted.”
But, Kindervag noted, “Trust is a human emotion that has been injected into digital systems for no reason.”
He cited the infamous data leakers Edward Snowden and Chelsea Manning as examples of how the trust model fails to protect digital assets, and of the role that identity management should play in zero trust systems.
In both cases, Snowden and Manning — a former National Security Agency computer intelligence contractor and a former U.S. Army soldier, respectively — were “trusted” users, using “trusted” devices, who were able to get past powerful authentication systems and who were authorized to access information that they never should have had access to, and download that information.
Moving from a scenario in which there even can be a “trusted” user to one in which, by default, all users are denied unless they have a reason to access the data in question is both a technical challenge and a core philosophical and strategic shift. Both are key to zero trust. Considering that, as a 2022 survey by strongDM indicated, 65% of companies use shared logins, it’s a pretty heavy cultural lift.
The main takeaway is that zero trust is a strategy, philosophy, architecture — and not a tool or technology. There are tools that will help you implement zero trust, but effectively implementing zero trust requires much more than purchasing software.