Zero Trust Will Yield Zero Results Without A Risk Analysis
Over the past four years there has been an avalanche of new Zero Trust products. However, during the same period there has been no measurable reduction in cyber breaches. To the contrary, ransomware, data exfiltration and laterally moving malware attacks seem to be increasing. If the emergence of Zero Trust was supposed to make us safer, it hasn’t happened.
One of the common mistakes we see enterprise IT leaders and many cybersecurity experts make is to think of Zero Trust as a product. It is not. Zero Trust is a concept where an organization has Zero Trust in a specific individual, supplier or technology that is the source of their cyber risk. One needs to have Zero Trust in something and then act to neutralize that risk. Thus buying a Zero Trust product makes no sense unless it is deployed as a countermeasure to a specific cyber risk. Buying products should be the last step taken, not the first.
To help enterprises benefit from Zero Trust concepts, here is a modified OODA loop type process to guide your strategy development and execution:
1 Identify Sources Of Cyber Risk For Your Enterprise
The first step in defining a Zero Trust strategy is to identify all the entities involved in the operation of your enterprise: customers, employees, locations, suppliers, competitors, social media (everything). Next, create a detailed workflow from ideation to development to income generation, and map each activity to one or more entities. Then work out the impact that a breach in each entity would have on your enterprise’s ability to operate. Finally, prioritize the potential risk of breaches based on impact to the enterprise, from severe to nuisance.
One thing many enterprises benefit from during step #1 is bringing in an external Red Team. Over the past two decades, outsourcing and offshoring, new products and missed software patches have often created overlooked vulnerabilities. Having an extra set of eyes can really help avoid expensive breaches and can provide focus to follow-on activities.
2 Develop A Risk-based Countermeasure Strategy Using A Zero Trust Framework
The first phase of the process produced a prioritized risk list; now a strategy will be developed to mitigate those risks using Zero Trust concepts. Concepts applied in building this strategy include least privilege, identity verification, role-based authorization, software attestation and policy-based data protection. An understanding of these concepts is critical to determining which countermeasures to deploy, either within an entity you control or at the boundary to an external entity. The strategy will be articulated in the form of a roadmap and action plan that lists prioritized actions to guide all enterprise security improvement activities.
Finishing step #2 is a great time to conduct cross-functional briefings within your enterprise to share what you’ve learned and what you’re planning to do. As there is a lot of interest in Zero Trust these days, you shouldn’t find any problems getting team members to accept your meeting invite.
3 Reconfigure Existing IT Systems To Align With Your Zero Trust Strategy
Having created a Zero Trust strategy, you should first attempt to reconfigure existing IT systems to implement your plans. For example, if the major source of risk to your mission-critical apps is offshore developers who have access to development systems, researching the partitioning and isolation capabilities of products you already own should be your first action.
Implementing Zero Trust should not automatically become a product purchase. Any new product, no matter how great, takes time to master. Additionally, understanding why an existing product cannot meet your Zero Trust requirements actually helps to identify the right product to buy. Which takes us to the last step . . .
4 Buy Zero Trust Products To Reduce Unaddressed Risks
And finally, now is the time to buy Zero Trust products to fill the remaining gaps in your strategy. The good news is that the process outlined above will have resulted in awareness of which gaps cannot be mitigated by configuration control, so product purchase decisions will be informed and efficient. In most cases, the steps above will result in your team knowing exactly what Zero Trust product to buy. Depending on the risk, there are Zero Trust products that focus on protecting cloud services, compute systems, mobile devices and application data, for example.
Like other OODA Loop based decision processes, this approach to Zero Trust is never really done. You must always be improving. Depending on the size of your enterprise, the Zero Trust OODA Loop may take three to six months to complete all 4 steps if you are an SMB or one to two years if you’re a Global 100. The outlined process works for mature companies as well as new Smart Cities with interconnected energy and transportation systems.
You can do all the work yourself or seek the assistance of cyber risk professionals such as OODA to help you. Whatever path you take, a Zero Trust approach to reducing cyber risk is a powerful strategic framework when properly done.
For enterprises planning on doing the Zero Trust OODA Loop process themselves, here are some recommended readings:
The New Enterprise Architecture is Zero Trust
Enterprise technologists use the term “Zero Trust” to describe an evolving set of cybersecurity approaches that move defenses from static attempts to block adversaries to more comprehensive measures that improve enterprise performance while improving security. When the approaches of Zero Trust are applied to an enterprise infrastructure and workflows, the cost of security can be better managed and the delivery of functionality to end users increased. Security resources are matched to risk. Functionality, security and productivity all go up. See: The New Enterprise Architecture is Zero Trust
An Executive’s Guide to Mitigating The Ransomware Threat
This is the second part of our special series on Ransomware. The first provided an update on the nature of the threat, including an anatomy of a modern attack. This post, produced with inputs from real world cybersecurity practitioners Matt Devost, Bob Flores, Junaid Islam and Bob Gourley, provides information for Corporate Board of Directors and the CEO. In our experience, the guidance provided here can mitigate the existential risks of a ransomware infection to a low level. See: An Executive’s Guide to Mitigating The Ransomware Threat
Junaid Islam on Zero Trust Architecture
In this OODAcast we provide insights into Zero Trust architectures from an experienced practitioner, Junaid Islam. Junaid is a senior partner at OODA. He has over 30 years of experience in secure communications and the design and operations of highly functional enterprise architectures. He founded Bivio Networks, maker of the first gigabyte speed general purpose networking device in history, and Vidder, a pioneer in the concept of Software Defined Networking. Vidder was acquired by Verizon to provide Zero Trust capability for their 5G network. Junaid has supported many US national security missions from Operation Desert Shield to investigating state-sponsored cyberattacks. He has also led the development of many network protocols including Multi-Level Precedence and Preemption (MLPP), MPLS priority queuing, Mobile IPv6 for Network Centric Warfare and Software Defined Perimeter for Zero Trust. Recently Junaid developed the first interference-aware routing algorithm for NASA’s upcoming Lunar mission. See: Junaid Islam on Zero Trust Architecture