Should Deny By Default Be the Cornerstone of Zero Trust?
How far can we extend a deny-by-default approach as we build out our zero-trust architecture? Can that aggressive security tactic work for the business without disrupting productivity? Conventional wisdom says no, but we say “yes it can.”
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap. Our sponsored guest is Rob Allen, chief product officer, ThreatLocker.
Can you retrofit zero trust?
Introducing zero-trust architecture to existing deployments requires a lot of lift. "Zero trust is a great idea but needs to be implemented from the beginning. Trying to retrofit deny by default into an environment that was built differently will lead to chaos. You can stop the bleeding and start implementing this moving forward, but you will still have a giant backlog of access issues," said Andrew Wilder of Community Veterinary Partners. As Chris Yu pointed out, organizations get into trouble when trying to add piecemeal zero-trust implementations: “Grafting over porous architecture into a deny by default platform can have more pain if there's no documentation and whoever wrote/supported the migration target is unreachable. Drill through whatever Swiss cheese they handed you and get that solid."
The business case for deny by default
As laudable as zero trust is as an architecture, if it doesn’t enable the business it’s a nonstarter for organizations. "The 'deny by default' idea would get you fired quickly. It goes against the mantra of 'enabling the business to innovate and be agile.' The ‘zero’ in ZTA is misleading. You must trust some risky activities. But the key is to understand what those are and implement controls and monitor them to prevent abuse or threats." If “deny by default” is managed appropriately, we don’t believe it’s a tactic to get you fired. The context of the organization must lead the implementation of ZTA. "How well it'll work is based on the context of every organization/industry. They have different cultures and different risk perspectives. The technical aspects of cybersecurity should be aligned with business objectives and outcomes as a business enabler," said Tolgay Kizilelma, Ph.D. of the Dominican University of California.
Seizing an opportunity
Zero trust, like cybersecurity in general, remains a design challenge. "Viewing ZTNA as overly burdensome is like viewing ISO in the same way. We can view these as opportunities to adopt best practices and guidance to inform our strategy, similar to the idea of design for Six Sigma. Get the design right to prevent the exception," said Richard Splane, CISM of Meirliún Consulting. Jerich Beason, CISO of WM, points out that part of the challenge with zero trust might come down to semantics, saying, "Zero trust's marketing problem is the word ‘zero.’ You must have some level of trust before you allow it. Which is why I’ve always opposed the ‘never trust always verify’ mantra and have instead said ‘verify then trust.’”
Zero trust doesn’t stand alone
No architecture survives first contact with a deployment intact. Zero trust can only succeed when the architecture is carefully crafted for your specific scenario. "A ‘deny by default’ should be carefully tuned based on anomaly detection, context-aware policies, and automation. That could meet the 80:20 criteria where the remaining 20% is the hard part involving reverse proxy architecture, human elements, and packet inspection that can add overheads," said Anand T. of Goldilocks Ventures.
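As an added example, not code from the CISO Series post or from any of the people quoted: a small Python policy engine in which every request is denied unless an explicit, context-aware rule allows it, which is the "deny by default" the quotes above are debating. The roles, resources, rules and sample requests are all constructed. The engine also has a monitor mode that records what would have been denied instead of blocking it, which is one way to approach the retrofit problem raised earlier: the backlog of access paths that need a rule (or a business decision to drop them) before enforcement is switched on becomes a measured list rather than a surprise.

```python
"""Default-deny access policy evaluator (added example; constructed data).

Every request is denied unless an explicit, context-aware rule allows it.
Monitor mode records what *would* be denied without blocking, so a
deny-by-default posture can be introduced without breaking the business.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Request:
    """One access request plus the context a policy can reason about."""
    user: str
    role: str
    resource: str
    action: str
    device_managed: bool   # device posture, e.g. enrolled in MDM
    hour_utc: int          # 0-23, time-of-day context


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Request], bool]


@dataclass(frozen=True)
class Decision:
    allowed: bool   # what the enforcement point should do
    rule: str       # rule that matched, or "default-deny"
    mode: str       # "enforce" or "monitor"


@dataclass
class PolicyEngine:
    rules: list[Rule]
    enforce: bool = True
    denied: list[Request] = field(default_factory=list)

    def evaluate(self, req: Request) -> Decision:
        mode = "enforce" if self.enforce else "monitor"
        for rule in self.rules:
            if rule.matches(req):
                return Decision(True, rule.name, mode)
        # Nothing matched: record it, then deny (monitor mode only records).
        self.denied.append(req)
        return Decision(not self.enforce, "default-deny", mode)


def business_hours(req: Request) -> bool:
    return 8 <= req.hour_utc < 18


# Hypothetical rules for a constructed organisation. Each one is an explicit
# allow; anything not covered here falls through to default-deny.
RULES = [
    Rule("finance-payroll-business-hours",
         lambda r: r.role == "finance" and r.resource.startswith("payroll/")
         and r.action == "read" and r.device_managed and business_hours(r)),
    Rule("engineers-managed-device-repos",
         lambda r: r.role == "engineer" and r.resource.startswith("repo/")
         and r.action in {"read", "push"} and r.device_managed),
]


def build_engine(enforce: bool = True) -> PolicyEngine:
    return PolicyEngine(rules=list(RULES), enforce=enforce)


def evaluate_all(engine: PolicyEngine, requests: list[Request]) -> list[Decision]:
    return [engine.evaluate(r) for r in requests]


def backlog(engine: PolicyEngine) -> dict[tuple[str, str], int]:
    """(resource, action) pairs that hit default-deny, most frequent first.

    Run in monitor mode, this is the list of access paths that need an
    explicit rule, or a decision to drop them, before flipping to enforce.
    """
    counts = Counter((r.resource, r.action) for r in engine.denied)
    return dict(counts.most_common())


# Constructed sample traffic, not real data.
SAMPLE_REQUESTS = [
    Request("alice", "finance", "payroll/q3.csv", "read", True, 10),     # allowed
    Request("alice", "finance", "payroll/q3.csv", "read", True, 22),     # out of hours
    Request("bob", "engineer", "repo/app", "push", False, 14),           # unmanaged device
    Request("bob", "engineer", "repo/app", "read", True, 14),            # allowed
    Request("carol", "contractor", "payroll/q3.csv", "read", True, 10),  # no rule for contractors
]


if __name__ == "__main__":
    monitor = build_engine(enforce=False)
    for req, dec in zip(SAMPLE_REQUESTS, evaluate_all(monitor, SAMPLE_REQUESTS)):
        print(f"{dec.mode:7} {dec.rule:32} {req.user} {req.action} {req.resource}")
    print("backlog before enforcing:", backlog(monitor))
```

The design point is that the rules carry the business context (role, device posture, time of day) and the default carries the security stance; nothing is allowed because someone forgot to write a deny. Running the same rule set in monitor mode first turns the "giant backlog of access issues" into a ranked list that can be worked through before enforcement.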
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Huge thanks to our sponsor, ThreatLocker
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be DJ Schleen, distinguished security architect, Yahoo. Thanks Vanta.
Thanks to our Cyber Security Headlines sponsor, Vanta
How NetSPI Built a Proactive Security Platform
Sponsored content
Jumping from penetration testing to a full proactive security platform isn't an easy move. But as organizations need to address the critical needs of IT organizations, InfoSec teams, and CISOs, security companies have to keep up, said Vinay Anand, chief product officer, NetSPI. This platform aims to simplify and enhance cybersecurity measures with the principles of discover, prioritize, and remediate, while still offering advanced pen testing capabilities for better protection.
Huge thanks to our sponsor, NetSPI
Join us Friday [08-16-24], for "Hacking the Demo"
Join us Friday, August 16, 2024, for Super Cyber Friday's “Hacking the Demo: An hour of critical thinking about how to be pitch perfect.”
It all begins at 1 PM ET/10 AM PT on Friday, August 16, 2024 with guests Howard Holton, CTO and industry analyst, GigaOm, and Tom Hollingsworth, organizer and networking analyst, Tech Field Day. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Jump in on these conversations
"Are developers ready for the new wave of Gen AI security risks?" (More here)
"We have Crowdstrike for our EDR. Can we use it as our primary SIEM?" (More here)
"What were the best cybersecurity courses you ever had?" (More here)
Coming up in the weeks ahead on Super Cyber Friday we have:
Save your spot and register for them all now!
Thank you! Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship, contact me, David Spark.
Chief Security Officer (CSO) | CISO | Cybersecurity Strategist | Board Advisor | Public Speaker
3 months ago: The "Zero" in Zero Trust being misleading definitely brought a smile to my face. I don't believe deny (verify) by default will get you fired; complexity is what upsets the business and operational balance. ZTA is a principle, an architecture and not a single solution.
Security & Compliance Wizard | Mental Health Advocate | Organic Connections
3 months ago: Great read, good takeaways about ZTA. Can’t wait to listen to the podcast tonight.