In which the Tortoise (a skeptical CISO) engages with Achilles (who is fleet of foot and mind, as well as a provider of wisdom) about Zero Trust
Tortoise slowly makes his way up the hill, and encounters Achilles sitting in the shade beneath a tree, with a tablet balanced on his crossed legs.
Tortoise: Why hello, Achilles! How nice to encounter you here.
Achilles: And hello, my friend Tortoise, it’s equally pleasing to see you. Please, join me in the shade here, below this lovely Acacia tree.
Tortoise: This is indeed an impressive tree with a large and inviting shade canopy.
Achilles: Yes, even with the hot and dry summers here in our Mediterranean climate, with proper care and watering this tree can thrive. Much like an information security program.
Tortoise: How did you know I wanted to talk about information security?
Achilles: You’re a CISO, all you ever want to talk about is information security.
Tortoise: Yes, that is mostly true. Today I wish to discuss Zero Trust.
Achilles: Ah, I have been waiting to have this conversation with you! Let us appreciate the irony of a tortoise – whose entire physical and metaphorical being is centered on strong perimeter security, now finally acknowledging the need to move beyond that model.
Tortoise: Oho, that is amusing, now that you point this out! However, unlike our acquaintance Ostrich, I do have an open mind. If I’ve learned one thing in my 125 years, it’s the importance of learning. So at a recent security conference I spent time learning about Zero Trust, and I am troubled.
Achilles: How so, friend?
Tortoise: It seems that Zero Trust is a meaningless marketing buzzword.
Achilles: Yes and no. It is one of those concepts that is two things at once.
Tortoise: Do go on.
Achilles: Zero Trust is, to mix metaphors, one of those industry tsunamis that builds up so much momentum that it creates its own center of gravity. It’s a sound idea, and is entirely worthwhile, but its widespread embrace by enterprise security teams means that there are budgeted projects, which in turn results in vendor marketing attention.
Tortoise: Vendors see the enterprises at this particular budgetary watering-hole, and circle like predators?
Achilles: That’s not the analogy I was going for, but I see your point. I’ll concede that security vendor marketing can appear opportunistic. Take AI…
Tortoise: If we’re going to discuss AI, we need to invite my new friend, Stochastic Parrot.
Achilles: Touché. Let us return to Zero Trust, and talk of its substance. Of proper and strong authentication, of the principle of least privilege, of network segmentation, and of identity-based access controls. And let us not omit the use of proper identity governance processes, risk-based access policies, thoughtful application of MFA, and device posture checks.
Tortoise: All of those are valid and valuable, and should be part of a modern security environment. Are those the elements of Zero Trust?
Achilles: Zero Trust is a security strategy, which incorporates all those elements of security best practices, and weaves them together in a way that can dynamically respond to changes, and allows you to create identity-aware access policies.
Tortoise: That is a clear and compelling definition, Achilles. I was unable to see that amidst the cacophony of vendors at the recent security conference.
Achilles: It is indeed a noisy and chaotic marketplace. And much like our friend Thor – who with his mighty hammer sees everything as a nail – sometimes one’s perspective depends upon the tools in one’s possession.
Tortoise: That may not always be a bad thing, as long as that decision is made consciously. But what about the term “Zero Trust”, or its perplexingly contradictory counterpart, “Trust, but verify”?
Achilles: Do you trust math? Or, perhaps, I should ask – do you believe in math?
Tortoise: I very much believe in, and trust, math.
Achilles: As do I. In our world, “math” is cryptography – and we can and must rely on this particularly beautiful form of math to validate that a remote entity is in possession of an appropriate secret. We call this authentication. We already agreed that we trust the math behind this, but of course secrets can be lost or stolen – so it’s incumbent upon us to verify the surrounding context for the identity – their roles, their device, their access patterns, their behavior, and information about the resources they are accessing. All of this context is part of the continuous validation that a Zero Trust system must apply.
Tortoise: I see – this finally makes sense. Achilles, you are a wise friend, and have brought peace to my mind. I shall ask my team to begin a Zero Trust initiative at once.
Achilles: Very good, I’m pleased that this was helpful.
Tortoise: It is quite a warm afternoon. Shall we make our way to the taverna down the hill, where I can buy you a lemonade?
Achilles: That would be lovely. Would you like to race there?
(With great appreciation and mild apologies to Douglas R. Hofstadter for his inspirational work, Gödel, Escher, Bach.)
Head of IT | Head of IT Infrastructure and Cybersecurity | Trusted Advisor | Fractional CTO/CISO
(5 months ago) Nothing can be simpler than this to understand it well, Jason Garbis