“Trust, but verify” is a Russian proverb made famous by former US President Ronald Reagan. The concept should be simple, that is:
- Define what trust means
- Decide on the level of security to apply to a situation
It is not so simple to do. Many organisations are complex, and their systems even more so. One task of a security professional is to identify and understand flaws and any associated risks, and to help put mitigating measures in place.
We also had the “castle-and-moat” model, where no one from outside is able to access data inside, but everyone inside the network can. Once inside the organisation, you had free rein inside the castle grounds. Of course, there are security issues with this approach.
Over the past decade, the term “Zero Trust” has been promoted. Zero Trust is a ‘model’ that denies access to systems and data by default. People say “Trust, but verify is dead”. “Zero Trust” is growing in popularity, but I do not see what the fuss is about. Here are some basic principles:
- Scope: Know your architecture, users, devices and data.
- Unique identities: Know your human user and service accounts. Each should be unique, with a clearly defined role, so that the right role-based access can be determined. This is also essential for tracking user activity.
- Authentication and authorisation: Authentication means verifying who the user is. Authorisation means granting them only the access they are entitled to.
- Monitoring: Monitor the status and activity of users, devices and services.
- Don’t trust any network: Do not trust external networks. Do not trust your local network. Secure data in transit and in storage.
If you are a seasoned security professional and also into governance, risk and compliance (GRC), you may be looking at these and thinking, so what’s new? I agree with you.
Understanding your scope; knowing roles and responsibilities, including the roles of accounts; having unique accounts; authenticating and authorising only the right access based on least privilege; monitoring activity for suspicious behaviour; protecting information in storage and in transit; network segmentation; using firewalls to protect boundaries; secure system development; and more – these are security controls you should be doing anyway, and they are in any good information security standard.
These controls should be in your organisation where possible, but we should err on the side of caution, put on our sceptical hat, and verify these controls are in place. I don’t see “Zero Trust” controls replacing good old “Trust, but verify”. The two can be complementary. If you trust, but don’t verify, here are some things I often find:
❌ Businesses do not know their scope; their asset inventory is not up to date; data flow diagrams do not exist or are not up to date.
❌ Unique identities are a problem; there is no form of matrix with role access requirements.
❌ Change management needs improvement, and new users are created by copying existing roles, so they may be getting more access than required.
❌ Little awareness of what monitoring they want to do or need to do for their business, and incident response plan details are found to be insufficient for their needs.
❌ No or little security consideration during system development and design.
… and more.
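The principles above (unique identities, authentication versus authorisation, deny by default, monitoring) and the “new users made by copying existing roles” finding can be shown in a few lines of code. The example below is added here and is not part of the original post or of any product it mentions; the role matrix, the account names and the passwords are constructed for illustration. Access is denied unless the role matrix explicitly grants it, every authentication and authorisation decision is written to an audit log, and a “verify” step lists accounts whose effective permissions exceed what their role entry allows, which is exactly how a cloned account quietly inherits excess access.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed role matrix: each role lists the permissions it grants; anything
# not listed here is denied by default (least privilege).
ROLE_MATRIX = {
    "analyst": {"read:alerts"},
    "responder": {"read:alerts", "close:alerts"},
    "admin": {"read:alerts", "close:alerts", "manage:users"},
}

# Every authentication and authorisation decision is appended here so that
# activity can be tracked per unique identity (the "monitoring" principle).
AUDIT_LOG = []


@dataclass
class Account:
    user_id: str        # one unique identity per person or service
    role: str           # the role this identity is supposed to have
    salt: bytes
    pw_hash: bytes
    permissions: set    # effective permissions actually held by the account


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so stored credentials are never plain passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(user_id: str, role: str, password: str) -> Account:
    """The correct path: permissions come from the role matrix, nothing more."""
    if role not in ROLE_MATRIX:
        raise ValueError(f"unknown role {role!r}")
    salt = os.urandom(16)
    return Account(user_id, role, salt, _hash(password, salt), set(ROLE_MATRIX[role]))


def clone_account(template: Account, user_id: str, password: str) -> Account:
    """The anti-pattern: a new starter copied from an existing user inherits
    whatever that user has accumulated, including ad-hoc grants."""
    salt = os.urandom(16)
    return Account(user_id, template.role, salt, _hash(password, salt), set(template.permissions))


def authenticate(accounts: dict, user_id: str, password: str):
    """Authentication: verify who the caller is. Returns the Account or None."""
    acct = accounts.get(user_id)
    ok = acct is not None and hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt))
    AUDIT_LOG.append(("authn", user_id, "success" if ok else "failure"))
    return acct if ok else None


def authorise(acct, permission: str) -> bool:
    """Authorisation: allow only what the authenticated identity actually holds;
    an unauthenticated caller (None) is always denied."""
    allowed = acct is not None and permission in acct.permissions
    AUDIT_LOG.append(("authz", acct.user_id if acct else "-", permission, "allow" if allowed else "deny"))
    return allowed


def verify_least_privilege(accounts: dict) -> dict:
    """The 'verify' step: report accounts holding permissions their role does not grant."""
    report = {}
    for uid, acct in accounts.items():
        excess = acct.permissions - ROLE_MATRIX[acct.role]
        if excess:
            report[uid] = sorted(excess)
    return report


def build_sample_accounts() -> dict:
    """Constructed sample directory (not real users) reproducing the copy-a-user finding."""
    accounts = {
        "alice": create_account("alice", "responder", "alice-pw"),
        "bob": create_account("bob", "responder", "bob-pw"),
    }
    # Ad-hoc grant made outside the matrix: bob, a responder, can now manage users.
    accounts["bob"].permissions.add("manage:users")
    # New starter carol is "set up like bob" and silently inherits the excess grant.
    accounts["carol"] = clone_account(accounts["bob"], "carol", "carol-pw")
    return accounts


if __name__ == "__main__":
    directory = build_sample_accounts()
    alice = authenticate(directory, "alice", "alice-pw")
    print("alice close:alerts ->", authorise(alice, "close:alerts"))
    print("alice manage:users ->", authorise(alice, "manage:users"))
    print("excess permissions ->", verify_least_privilege(directory))
    for entry in AUDIT_LOG:
        print(entry)
```

Running it shows alice allowed to close alerts but denied user management, while the verification report names both bob and carol as holding `manage:users` without the admin role. That report is the kind of evidence an independent review produces: the trust placed in a role matrix is only as good as the check that accounts actually match it.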
Does any of this sound familiar? No problem. You can’t afford to delay it any longer. Understand where you are.
Do not worry about all the fancy terms and acronyms. Our information security industry has so many acronyms. LOL. The most important thing is to acknowledge this and do something about it. You cannot be expected to make huge steps in your security overnight. It’s all about the journey. Any small step you can take to improve your security is a good thing, but it needs to be prioritised and should be risk-based.
First thing to do is to review your security.
Check in on your state of security by undertaking a security review (an independent review, so staff are not marking their own ‘homework’ and saying everything looks good). Find out the reality. Take action from there.
This is one thing you do, when you follow The P.R.O.T.E.C.T Protocol ™.
Hope that helps. Feel free to share if it will help someone. Until the next post…
👉 Like What You Read? Be a rockstar and just give me 5 more seconds by sharing this to LinkedIn.
👉 Want More Tips/Hacks To Improve Security and Compliance Faster? Then take 10 more seconds to click on my profile, connect and follow me: https://www.linkedin.com/in/mqhopewell/
#computersecurity #cybersecurity #informationsecurity #infosec #cybersec #privacy #itleaders #itleadership