Never Trust, Always Verify: 7 Principles of Zero Trust Security for Nation State Targets
Nation state targets--organizations whose breach would materially benefit nation state organizations funding offensive cyber initiatives--have security needs at the top of the market.
Collecting input from dozens of these mission-critical organizations, from nuclear weapons facilities to electric utilities, from the U.S. Air Force to global banks, from public cloud "super platforms" to the operating teams serving heads-of-state, we distilled the approach nation state targets use to make cyber defense decisions into 7 key principles:
Principle 7 - Any useful system has vulnerabilities. You can reduce & manage vulnerabilities, but can never remove them all.
Put another way, no system that serves a useful purpose can be invulnerable. For example, if you use a login and password to authenticate to a system, it might be vulnerable to a brute force attack (guessing all possible passwords); if you fix that vulnerability by freezing the account after 3 incorrect attempts, you've created a Denial of Service vulnerability, since anyone who can fail 3 logins can lock the legitimate user out. You can continue this logic and find that vulnerabilities are never really solved, only reduced and managed.
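To make the trade-off concrete, here is an added example (not from the article) that simulates the naive "freeze after 3 failures" control beside a per-source exponential backoff; the user name, addresses and delays are constructed for the demo. It shows the lockout denying the owner's correct password, and the backoff slowing a guessing source without freezing the owner, while its own residual weakness is noted in the code.

```python
# Added example, not from the article; names, addresses and delays are constructed.
MAX_ATTEMPTS = 3   # the article's "freeze after 3 incorrect attempts"
BASE_DELAY = 1.0   # seconds, doubled after every failure in the backoff variant
class FixedLockout:
    """Naive control: anyone who fails 3 logins freezes the account for its owner."""
    def __init__(self):
        self.failures = {}
    def attempt(self, user, password_ok):
        if self.failures.get(user, 0) >= MAX_ATTEMPTS:
            return "locked"          # refused even with the correct password
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"

class PerSourceBackoff:
    """Managed control: per-(user, source) wait doubles per failure, slowing guessing without
    freezing the owner. Residual (Principle 7): failures spread over many sources aren't capped."""
    def __init__(self, now):
        self.now = now               # injected clock keeps the demo deterministic
        self.state = {}              # (user, source) -> (failures, not_before)
    def attempt(self, user, source, password_ok):
        failures, not_before = self.state.get((user, source), (0, 0.0))
        if self.now() < not_before:
            return "throttled"       # not counted as a failure: no way to inflate the wait
        if password_ok:
            self.state.pop((user, source), None)
            return "ok"
        failures += 1                # wait grows 1 s, 2 s, 4 s, ...
        self.state[(user, source)] = (failures, self.now() + BASE_DELAY * 2 ** (failures - 1))
        return "denied"

def simulate_fixed_lockout():
    ctl = FixedLockout()
    for _ in range(MAX_ATTEMPTS):     # three wrong guesses by a third party ...
        ctl.attempt("alice", password_ok=False)
    return ctl.attempt("alice", password_ok=True)   # ... lock the owner out: "locked"

def simulate_backoff():
    clock = [0.0]
    ctl = PerSourceBackoff(lambda: clock[0])
    bad = "198.51.100.7"             # rapid guesses from one address are throttled ...
    rapid = [ctl.attempt("alice", bad, password_ok=False) for _ in range(MAX_ATTEMPTS)]
    owner = ctl.attempt("alice", "192.0.2.10", password_ok=True)   # ... owner still logs in
    clock[0] += 1.0                  # first failure imposed a 1 s wait
    second = ctl.attempt("alice", bad, password_ok=False)   # counted; wait is now 2 s
    clock[0] += 1.0
    early = ctl.attempt("alice", bad, password_ok=False)    # still inside the 2 s wait
    return rapid, owner, second, early
```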
Takeaway: Security isn't a box to check. Nation state targets need to think about security continually, deeply, and carefully.
Principle 6 - Authentication, Authorization and Audit are the "Gold Standard" for systems security analysis.
The fundamental tools we have to analyze and protect systems come down to authentication (confirming identity), authorization (confirming the rights a confirmed identity has in the system for access and actions), and audit (being able to trace the actions and data flows within a system). A broad range of security technologies and approaches can be organized in this framework.
Incidentally, each category here starts with "Au", which is the chemical symbol for gold on the periodic table, hence we call it the "Gold Standard". While there are lower-level approaches, such as creating data flow diagrams, threat models, and analyzing and reducing attack surfaces, they can all be framed within the Gold Standard [1].
Takeaway - There's a standard way to analyze and compare system security. Authentication, Authorization and Audit are the bedrock for modern systems.
Principle 5 - The effort that goes into breaching a system varies with the economic and strategic value of the breach
Breaching banks, crypto wallets, national security agencies--and their technology supply chains as a precursor to indirect breaches--can have high economic and strategic value. Because of this, such organizations can expect to be under heavy offensive cyber initiatives.
As a corollary, the more organizations standardize on a solution to hold their valuable secrets, the greater the incentive to breach the centralized solution.
Given that the effort behind breaches will vary, the resources deployed to defend different systems will also vary. For example, the retirement benefits system at a tech supply chain company may not require extra scrutiny, whereas its private repository of unpatched vulnerability issues for customer-facing systems may need a heightened level of security.
Takeaway: Not all systems need the same level of scrutiny. Defense should be proportional to the value an adversary obtains from breaching the system.
Principle 4 - Defenders of a constituency shouldn't be part of the constituency
Security organizations responsible for defending a "constituency" of users and systems shouldn't be part of the constituency. If they are, then any breach or outage occurring within the constituency would also compromise the defenders, making it more difficult to recover.
Organizations entrusted to recover from breaches and outages should have access to a business continuity solution independent from primary systems, to avoid single points of failure.
Takeaway: For business continuity and fast recovery, security and reliability teams should run on infrastructure independent from systems they defend.
Principle 3 - Many eyes make all vulnerabilities shallow
No matter how strong the skills inside a security organization, there will always be more strength outside the organization. It's therefore vital to have a program through which the ethical security researcher community can confidentially disclose vulnerabilities they find, before offensive cyber teams find them first. A key example of this kind of program is DoD's Vulnerability Disclosure Program. Crowd-sourced vulnerability review is also available from organizations like HackerOne.
Takeaway: Critical infrastructure should have Vulnerability Disclosure Policies to identify and mitigate issues through the ethical security researcher community.
Principle 2 - Security is about balance and iteration, not absolutes
As offensive cyber continues to escalate and evolve, the work of a security organization is never complete. Ultimately, security teams need to balance priorities across a) the usefulness and usability of systems, b) the security investments and sacrifices an organization is ready to make, and c) the level of risk the organization is willing to accept. Moreover, this balance requires continual iteration as new classes of vulnerability are discovered and as new improvements to systems are deployed.
Takeaway: In making iterative security investment choices, be careful not to under-service nor over-service security and resiliency priorities.
Principle 1 - Never trust, always verify
What separates nation state targets from other companies is the high economic or strategic value a nation state actor can gain from a breach or disruption of their systems. These are mission-critical organizations that must assume they're continually under intense, offensive cyber attack. This means using the "never trust, always verify" approach to Zero Trust, emphasized in the 2022 DoD Zero Trust Strategy initiative, to vet security and infrastructure choices at a higher level of scrutiny.
Takeaway: Nation state targets need to "never trust, always verify" that their infrastructure is ready to withstand the top end of offensive cyber attack.
Integrating Principles and Takeaways
Defending a mission-critical organization against nation-state levels of offensive cyber can seem a daunting and overwhelming task. Its difficulty is exacerbated by a vendor ecosystem pouring billions into blurring definitions, influencing decisions towards proprietary offerings, and stretching the meaning of "Zero Trust" from "never trust, always verify" to what sometimes sounds like "incrementally more secure by using our existing products".
The intention of this article is to provide a framework for analyzing security investments based on first principles derived from dozens of interviews of decision-makers in high stakes organizations.
Putting it all together, consider the takeaways of each principle in summary as you analyze your options:
Never Trust, Always Verify: 7 Takeaways of Zero Trust Security for Nation State Targets
7 - Security isn't a box to check. Nation state targets need to think about security continually, deeply, and carefully.
6 - There's a standard way to analyze and compare system security: Authentication, Authorization and Audit.
5 - Not all systems need the same level of scrutiny. Defense should be roughly proportional to the value an adversary obtains from breaching the system.
4 - For business continuity and rapid recovery, security and reliability teams should run on infrastructure independent from systems they defend.
3 - Critical infrastructure should have Vulnerability Disclosure Policies to identify and mitigate issues through the ethical security researcher community.
2 - In making iterative security investment choices, be careful not to under-service nor over-service security and resiliency priorities.
1 - Nation state targets need to "never trust, always verify" that their infrastructure is ready to withstand the top end of offensive cyber attack.
[1] A material issue for nation state targets with vendor-hosted systems is the inability to get detailed audit information after an outage or a security breach. For liability reasons vendors typically only share summary information, and this can leave nation state targets less knowledgeable and less prepared for future incidents.