Keeping Human Trust in a ‘Zero Trust’ World
Dan Lohrmann
Cybersecurity Leader | CxO Advisor | Bestselling Author | GT Blogger: 'Lohrmann on Cyber' | Global Keynote Speaker | CISO Mentor
‘Zero trust’ is all the rage.
Depending on who you speak with, zero trust is a new concept for stopping data breaches, the preferred network architecture for cybersecurity, the most secure model for online interactions, the best security framework, or even a mantra for life.
Zero trust has become one of the hottest global cyber and network topics for marketing products and services over the past few years – and the influence of ‘zero trust’ is growing rapidly.
Wherever you turn, experts and thought-leaders are singing its praises. An online search can easily find thousands of intriguing articles, presentations, products and speeches on why zero trust is the must-have paradigm for all-things-cybersecurity moving forward.
So how do we actually define zero trust? A NIST blog says, stick to the principle: “Never trust, always verify.”
According to Palo Alto Networks: “Zero trust is not about making a system trusted, but instead about eliminating trust.”
Others give a longer definition: “Zero trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access,” Mary K. Pratt wrote for CSO Online.
I went on the record several years ago as a big supporter of ‘zero trust.’ Nevertheless, as in other areas of technology, I began to worry as perceptions changed and its power grew.
Warning - Check ‘Zero Trust’ Scope
Now, I fear, some are taking ‘zero trust’ way too far, even expanding what was originally intended by those who started the trend to cover all areas of life. For some, it is even the model for all human interactions, which is where I pull the emergency stop cord and get off the bus.
While I suspected this might be happening after sitting in on several public and private sector webinars on zero trust over the past year, I became downright alarmed when a LinkedIn thread on whether organizations should hire hackers with a criminal record yielded this comment from a respected colleague: “Trust, seriously? I operate in a zero trust environment. I wouldn't trust my non-criminal employees any more. They are as likely to cause a cyberattack through negligence. And a convicted hacker probably has more understanding of real world tactics than what you can learn in a 3 part online course.”
Putting the criminal hackers aside, my response was: Wow! Are we now throwing away trusted relationships at home and work under the banner of zero trust? Really?
And what about Stephen M. R. Covey’s best-selling book The Speed of Trust: The One Thing That Changes Everything? The author shows how trust — and the speed at which it is established with clients, employees and all stakeholders — is the single most critical component of a successful leader and organization.
Now, I was on a mission. I went out and found articles, podcasts and blogs from/with John Kindervag – who is credited with launching this trend more than a decade ago while at Forrester.
ShadowTalk Threat Intelligence Podcast interviewed Kindervag and provided some great insights on zero trust, including what it does not include. In a nutshell, the “never trust, always verify” definition is for digital communications, and we err greatly if we apply that to offline human interactions. People can be trustworthy, but the packets of information claiming to be from that person may not be.
Consider these important points Kindervag outlines in the podcast:
1. (Online) Trust is a vulnerability.
2. People are not packets. “People aren’t the issue, packets are the issue.”
3. Trust is a big problem in the digital world — that’s the primary thesis.
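The point that people are not packets has a concrete engineering consequence: a message that says it comes from a trusted colleague still has to prove it. The following is an added example, not code from the article or from Kindervag, contrasting the two checks. It assumes a hypothetical shared-secret HMAC scheme in which the verifier holds a per-sender key, with the names "alice" and "bob", the keys, and the sample packets all constructed for the illustration.

```python
import hmac
import hashlib
import json
import secrets

# Constructed sample data (an assumption for this example): two trustworthy
# colleagues, each with a signing key that the verifier also holds.
SENDER_KEYS = {
    "alice": b"alice-secret-key-0001",
    "bob": b"bob-secret-key-0002",
}
TRUSTED_PEOPLE = {"alice", "bob"}
MAX_CLOCK_SKEW = 300  # seconds; anything older is treated as stale


def canonical(sender, body, ts, nonce):
    """Serialize the fields the signature covers, in a fixed order."""
    return json.dumps([sender, body, ts, nonce], separators=(",", ":")).encode()


def sign_message(sender, body, ts, key=None):
    """Build a packet whose origin can be verified rather than merely asserted."""
    key = key if key is not None else SENDER_KEYS[sender]
    nonce = secrets.token_hex(8)
    tag = hmac.new(key, canonical(sender, body, ts, nonce), hashlib.sha256).hexdigest()
    return {"from": sender, "body": body, "ts": ts, "nonce": nonce, "tag": tag}


def naive_accept(msg):
    """Anthropomorphized check: the packet is trusted because it *claims*
    to come from a trusted person. The person is fine; the packet is not proven."""
    return msg["from"] in TRUSTED_PEOPLE


def verified_accept(msg, now, seen_nonces):
    """Zero trust check: the packet must prove its origin, freshness and integrity.
    `seen_nonces` is the verifier's replay cache, updated only on success."""
    sender = msg.get("from")
    key = SENDER_KEYS.get(sender)
    if key is None or sender not in TRUSTED_PEOPLE:
        return False
    if abs(now - msg["ts"]) > MAX_CLOCK_SKEW:      # stale packet
        return False
    if msg["nonce"] in seen_nonces:                  # replayed packet
        return False
    expected = hmac.new(key, canonical(sender, msg["body"], msg["ts"], msg["nonce"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["tag"]):  # forged or tampered
        return False
    seen_nonces.add(msg["nonce"])
    return True


def demo():
    """Run both checks against genuine, forged, tampered, replayed and stale packets."""
    now = 1_700_000_000
    seen = set()
    genuine = sign_message("alice", "approve wire transfer #42", now)
    forged = sign_message("alice", "approve wire transfer #42", now, key=b"attacker-key")
    tampered = dict(genuine, body="approve wire transfer #999")
    stale = sign_message("alice", "approve wire transfer #42", now - 3600)
    return {
        "naive_genuine": naive_accept(genuine),
        "naive_forged": naive_accept(forged),          # accepted: it says "alice"
        "verified_forged": verified_accept(forged, now, seen),
        "verified_tampered": verified_accept(tampered, now, seen),
        "verified_stale": verified_accept(stale, now, seen),
        "verified_genuine": verified_accept(genuine, now, seen),
        "verified_replay": verified_accept(genuine, now, seen),  # same nonce again
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The naive check accepts the forged packet because it trusts the `from` field, which is exactly the anthropomorphizing Kindervag describes. The verified check never decides whether Alice is trustworthy; it decides whether this packet demonstrably came from her, unchanged, recently and only once.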
As I was starting to write this column to present my “findings,” I decided to reach out to John Kindervag, just to double check my work. He responded quickly:
“Digital trust and human trust are two separate things. Zero trust only applies to digital systems. People are not necessarily untrustworthy, but at the same time they are not packets. Zero trust only applies to the zeros and ones that traverse our various digital systems.
“[Malcolm] Gladwell calls human beings trust engines. Morton Deutsch talks about how trust is the willingness of one individual to be vulnerable to another individual, and applies this to business management.
“The fatal flaw was anthropomorphizing the network and moving over concepts like trust that had no business belonging in digital environments.”
Thank you John. Now back to hiring.
An earlier version of this article was originally published here for Government Technology Magazine’s July 2021 issue: https://www.govtech.com/opinion/are-we-taking-zero-trust-too-far-in-cybersecurity
You can follow Dan Lohrmann on Twitter: @govcso
Dan’s Government Technology articles and blogs can be found at: https://www.govtech.com/authors/dan-lohrmann.html
Named Account Manager at Thales - Cyber Security Products
(3 years ago) Dan, appreciate your articles and the engagement you receive. Yes, there is an overarching definition of Zero Trust, which is sporadically defined by several different people and organizations; while the term has become increasingly popular over the years, let's admit that with "new" concepts/technology/policies comes the exploration of stretching the limits or not taking them far enough. This would be some explanation for merging human trust with digital trust, and again, that may mean something different depending on who you're speaking with and in what context. At the end of the day, company or consumer data are at risk; therefore each organization should analyze their infrastructure, architecture and risks to determine if merging those makes sense or if they should remain completely separate.
Technology and cybersecurity industry veteran helping companies successfully navigate the constantly changing technology landscape | Canadian Cybersecurity Network Advisor
(3 years ago) Zero trust is not about NOT trusting people. Zero trust is about defending against those who would betray the trust that people need to have in order to perform their work. Give people all the trust they need to do their work after you verify they are who they say they are - not an unreasonable ask - then NO MORE. It's too much access, too much privilege, absence of controls, processes and monitoring that creates an environment where the bad guys can thrive and take advantage of the trust we need to give people. It can't be an either/or conversation.
Entrepreneur|Start-up Advisor|CISO|Co-Founder|CTO (USA,UK,Singapore,Australia,India) Cyber Security Engineering and Consulting| Chess Enthusiast
(3 years ago) Thanks Dan. "We are the weakest link in the system." "Business context design thinking to build the target architecture with rings. Trust only roles in the system."
Adversarial GenAI, hostile OSINT, cybercrime, telecoms fraud demystifier, consultant & trainer. IADLEST & SFJ accreditations.
(3 years ago) I’ve long wondered about the phrase Zero Trust and what it conveys to users and customers. One consideration is the declining trust users and customers have for the companies that process their data. As that diminishes and users become more wary, companies risk losing access to much of the identity capital they need. Trust is a two way street and terminology is important.