Question:
If you can’t trust anyone, how can you run your business?
Answer:
You don’t have a business!
What Zero Trust actually means, and why so many vendors seem to get it wrong.
Identity & Zero Trust Security
One of the most common mistakes I see when businesses start implementing Zero Trust security is that they immediately think they cannot trust their employees. Heck… most identity provider software companies outright tell you “TRUST NOBODY”. I think they are missing the point in an effort to sell you a subscription.
Now I am not telling you that Identity Management is not important. On the contrary, it is a key foundation of Zero Trust. But to not trust your employees? Come on…
When we say “Zero Trust” we are saying “don’t trust the bits and bytes”. This means if a data packet says it is from Jack in Accounting… we don’t trust that data packet. We do trust Jack. (Side note… if you don’t trust Jack, then he probably shouldn’t be in your accounting department, or even employed at your company…)
So how do we know that the data packet is really from Jack in accounting? We don’t. Not EVER! We do what we can to HELP ensure the data packet is from Jack but we never EVER trust that it is.
Sure, we probably will implement multi-factor authentication (MFA) of some type or another depending on our business needs & budget. This helps ensure the data is legit and minimizes the chance of a breach. But errors happen, and humans get annoyed by repeated MFA prompts.
So how do we get any work done if we never “ever” trust the data packet from Jack? We define the flow of data, we minimize impersonation through the use of MFA, but above all… we log every data packet. That log then gets analyzed, and if anything looks out of the ordinary, we start locking things down.
Logging Everything
Yep… log everything. Zero Trust will never guarantee you won’t experience a data breach, a hack, or ransomware. It will, however, help you minimize the impact, identify the breach sooner (often MUCH sooner) and help you keep your business operating.
This can only be done with a properly implemented Zero Trust Security Strategy.
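The “define the flow, verify with MFA, log everything, analyze, lock down” loop described above, written out as a small added example (this is not code from the original post). The policy, the sample events, the source addresses and the lockdown threshold are all constructed for illustration.

```python
from collections import defaultdict

# Hypothetical policy: the defined "flow of data", i.e. which resources
# each identity is expected to reach. Anything else is out of the ordinary.
EXPECTED_FLOW = {
    "jack": {"accounting-db", "payroll-app"},
    "maria": {"crm", "mail"},
}

# Constructed sample events (not real logs). Each is a packet's *claim*:
# who it says it is, where it came from, whether MFA backed the claim,
# and what it tried to touch.
EVENTS = [
    {"user": "jack", "src": "10.0.5.12", "mfa": True, "resource": "accounting-db"},
    {"user": "jack", "src": "10.0.5.12", "mfa": True, "resource": "payroll-app"},
    {"user": "jack", "src": "203.0.113.9", "mfa": False, "resource": "accounting-db"},
    {"user": "jack", "src": "10.0.5.12", "mfa": True, "resource": "hr-files"},
    {"user": "maria", "src": "10.0.7.3", "mfa": True, "resource": "crm"},
]

def analyze(events, expected_flow, lockdown_threshold=2):
    """Walk the log the way the post describes: never trust the claimed
    identity, note what MFA did verify, compare every access against the
    defined flow, and lock a user down once enough looks wrong.
    Returns (alerts, lockdown): a list of (user, reason) pairs and the
    set of users whose access should be cut off pending review."""
    seen_sources = defaultdict(set)  # sources that passed MFA, per user
    alerts = []
    for ev in events:
        user, src, res = ev["user"], ev["src"], ev["resource"]
        if ev["mfa"]:
            seen_sources[user].add(src)  # the claim was backed up this time
        else:
            alerts.append((user, f"identity claim from {src} not verified by MFA"))
            if src not in seen_sources[user]:
                alerts.append((user, f"unverified packet from unknown source {src}"))
        if res not in expected_flow.get(user, set()):
            alerts.append((user, f"access to {res} is outside the defined flow"))
    counts = defaultdict(int)
    for user, _ in alerts:
        counts[user] += 1
    lockdown = {u for u, n in counts.items() if n >= lockdown_threshold}
    return alerts, lockdown

if __name__ == "__main__":
    found, locked = analyze(EVENTS, EXPECTED_FLOW)
    for user, reason in found:
        print(f"ALERT {user}: {reason}")
    print("lock down:", sorted(locked))
```

On the constructed events, Jack trips three alerts (an unverified packet from an unknown source, plus an access outside his defined flow) and gets locked down, while Maria, who only did what her flow allows and passed MFA, raises nothing.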