Zero Trust Security Model: Is it really as good as it sounds?
Elizabeth Cresswell
Cantina360 - HCRM Academy - Human Focused Insider Threat Programme and Training.
I'm sure many of those involved in insider threat are aware of the new "buzz term" known as the Zero Trust Security Model. After reading various articles and receiving many differing opinions on the topic, I have written this article to offer my opinion on "Zero Trust security models" from a Human Capital Risk point of view.
Firstly, I should state that in principle I can see why this is becoming a popular solution, and I am in favour of the viewpoint that we should just accept that risks will occur. However, many theories and models are great on paper, and some should really remain exactly there.
So why am I so opposed to this as a solution?
Many have said "I don't understand it", or that it is "JUST about cyber security". This shows that there is already great confusion and widely varying interpretation of the model being encouraged. For any organisation to be successful in achieving ALL of its overall objectives, it has to work in synchronisation as much as possible, with all parts, people and functions working together to achieve the same objective, much like a car engine. To believe that one component couldn't possibly affect the rest of the organisational vehicle is a woeful approach in my experience. The guidance notes clearly state that this model relies on the whole organisation adopting it as a security model. Everyone has to participate and be aware, but how will that really work across different types of organisations?
5 reasons why I'm not a fan of the "Zero Trust" Model.
1) It has already been proven to have the opposite effect to that desired.
To fully ensure any form of risk management method is effective, EVERYONE must be on board and aware. It cannot just be a background tool. It's either in or out with this type of model. This model states that it is an ALL IN method, which means everyone would be made aware that, under this model, the company refuses ever to trust them with access to anything. This is a dangerous culture to create within an organisation, and one not many would enjoy the reality of working in.
To bolster my case I'll give you an example of how a whistle-blower case proves that any sense of distrust or restriction of information will always result in the failure of any programme.
In 2016 WeWork was involved in a whistle-blower case brought by former employee Joanna Strange.
Whilst working for the company, Joanna started to question the company's transparency, noting huge differences between the company's stated strategy and mantra and the actual reality of working there. Other employees were leaving and speaking out about the same issue: lack of transparency.
During 2016 Joanna was given her manager's passwords and asked to complete the staff self-appraisals, as he was too busy. Joanna used the passwords to log on to her manager's email account to start the work. However, once logged on she noticed an email mentioning her. It was an email suggesting her for a promotion, to which her manager had rudely replied that she should not be given one. The reply went on to suggest she would soon be out of a job anyway, as the company planned to reduce the workforce by 8%.
Joanna raised this and was left infuriated by the reaction of her senior management and the lack of loyalty the company was showing its employees. As the company moved ahead with terminating staff, Joanna started using her manager's passwords to access all restricted areas of the system, copying multiple files and secretly recording daily events. These were then handed over to a journalist at Bloomberg. I've attached a link to the podcast below; it's a very interesting interview.
How does this case prove "The Zero Trust security model" is ineffective?
Even with the remotest hint of a lack of transparency, it is human nature to feel upset and to find a way to seek out the unknown. Remember the age-old saying "curiosity killed the cat"? We are all curious cats with a thirst for knowledge. Reducing the normal expectations between employee and employer will not increase loyalty and productivity; it will result in the complete opposite. When Joanna felt undervalued and threatened, she responded in a manner that threatened the organisation. Remember the Bible quote?
"Do unto others as you would have them do unto you"
Let's look at the events and motivating factors of the case:
Most would say the threat occurred when the manager chose to hand over his password to Joanna.
This threat was then added to the other motivating factors, such as despondency within the workforce due to a perceived lack of transparency and loyalty. Once Joanna had become aggrieved with her company, the "zero trust" model didn't magically move her to work harder and longer hours; even if HR had responded to her initial complaints, it was already too late. It didn't stop her and make her burn the password so she could not find out more. Every action the company took infuriated Joanna more and more, up to the point of whistleblowing, and even then their reaction was extremely hostile. When you have a security model that persistently reiterates to all employees that they are not trusted or valued, and that always implies they are in the wrong, risks will continue to repeat, because the model keeps driving the wrong culture for risk management.
Cyber teams need to realise that zero trust from them will reap the same in return from an employee, regardless of whether this is just one part of the organisational ERM programme or adopted as an "ALL IN" security model as intended. The result is a Zero Trust Culture.
2) The "Zero Trust" model does not address the current failings of Insider threat programmes nor does it aid to improve them.
In most insider threat cases there are precursors to the event; however small and seemingly unnoticeable, they are always present. After reading through hundreds of insider threat cases, one thing became more and more apparent: HR have a significant, yet seemingly small, role in all of them. Most malicious-employee or disgruntled-ex-employee threats stem from bad management or low screening standards in HR. They are missing key indicators by:
a) not having enough knowledge to understand the indicators and produce the necessary results, and
b) being left out of the loop until it is too late, normally after the horse has bolted, so to speak.
As I said, in principle and in certain realms this "Zero Trust" is a good idea. However, as I've said before, it encourages a mentality that says we should never trust anyone with access or information, and that everyone should have to constantly request access as they move around the internal virtual networks. It is a narrow-minded view of risk, ignoring many possible internal and external opportunities and factors, all of which motivate individuals to breach intentionally or accidentally.
In the WeWork case the threat did not arise, as most would think, when the manager handed over his password. The threat arose when the manager became overloaded with work, which means there were other motivating factors that could have been picked up on earlier by HR and prevented this case from ever coming about. It is understanding the internal and external factors that motivate potential insider threats and risks that produces the best results.
The model may think it can outsmart the actor, detect all abnormalities in its own virtual world and prevent anyone circumventing the organisation's virtual networks, but it does little to detect real-world abnormalities or to prevent anyone circumventing the real-world networks to gain access or data.
A malicious actor will always find a way in, whether or not they have to wait to seize, or create, an alternative opportunity. This model just perpetuates the putting off of dealing with risk appropriately.
3) It decreases loyalty and the ability to attract and retain the required candidate pools, and creates negative cultures.
After speaking at great length on this topic with an esteemed individual in the security industry, he has allowed me to share one of his own experiences of working under this form of model. It is a great example of how these models can again create the opposite effect to that desired.
A security company hired this individual as part of their surveillance team for an aviation client, mainly because of his background in engineering and security design. They had a "zero trust" policy in place very similar to the one proposed. He quickly found that the model constrained his job role, as he could not gain access to the information and data he needed in order to carry out his job. He was then penalised for under-performance at an appraisal. Following this, he said he felt a total sense of mistrust towards senior management and the company in general.
In this case the individual was made redundant by the company, but had the relationship continued, he said he would happily have jumped ship to a competitor.
Although no insider threat occurred in this case, it is still a useful example for companies to take note of. These are the realistic implications of these types of models. Not only did it create a culture of mistrust within the organisation, it unfairly affected employees' ability to carry out their roles and, even worse, resulted in employees being penalised for a poorly thought-out security model.
It is already difficult enough for HR to convince employees that they are not constantly spied upon and monitored. This model promotes aggressive monitoring of employee interactions and virtual footprints. Regardless of whether people see this as a model in which employees earn trust and access, or one in which they are outright never trusted, either way it will be a nightmare for HR to manage. As I keep saying, this must be an ALL IN approach for the model to actually work. Employees would either have to be told upfront, which could be very off-putting when attracting talent, or they are left unaware until one day they find out and question what else the company has been hiding, and what else they may have been unaware of the company doing, potentially igniting a case similar to Joanna Strange's.
We need to create programmes that are as liberating to an employee as they are protective of company IP and data. Constant reiteration throughout your working day that your employer does not trust you to access IP and data will do little to achieve this. We have to be honest with ourselves! Do you even know all the passwords to your accounts, or do you rely on Google remembering them? Many of us use this function not just because it is hard to remember a million passwords, but simply because we are lazy! Again, think of the reality of this model. Think how much data and information you access on a daily basis to carry out your role. Now imagine having to put your password in EVERY time, then add up the additional time this will take spread across a year. In the realm of Human Capital Investment, we are very aware that every minute is valuable to both the employer and the employee. Your access also has to be verified and approved or denied, which means cyber or IT teams are dealing with every request hundreds if not thousands of times a day! Organisations will require new teams to keep up with the demands put upon them. Have the fans of this thought about the financial cost involved in seeing this model through to maturity?
After a while many workers will tire of the demands put upon them and the lack of trust, and look for other job opportunities with companies that have adopted less aggressive approaches. This again brings financial implications around talent acquisition and retention. The model sounds great but could be extremely costly in reality.
4) It goes against human nature and instincts.
Many theories, models and proposals for insider threat have one thing in common: the mythological hope that we can "change our employees to fit our programmes". Organisations have to accept that humans have positive traits and negative traits, and that depending on external factors these traits can be exacerbated. As the WeWork case showed, we all have the same emotions and reactions. We all get angry; we all feel hurt over rejection or loss. We can all become a threat when we feel threatened.
When it comes to trust, we humans are naturally trusting animals and we expect our trust to be reciprocated. We excel because of our ability to manage our trust in others. We have to be able to trust our ideas and gut feelings to be successful in business. Where does "Zero Trust" help to encourage this? It doesn't.
You cannot change human behaviours. You can try all you want, but any change will only ever be short-lived and temporary. Working out ways to predict human behaviours would be a much more beneficial method for all organisations. Many insider threat cases can be shown to have been motivated and caused by the organisation itself. Unless your organisation can truly and realistically self-reflect, hidden risks will remain hidden and insider threats will keep rising.
An old saying about relationships tells us that the more you accuse a person of cheating or lying, the more likely they are to carry out such actions, with the justification that if you are accused constantly you may as well break the rules! If we are susceptible to this in our own personal relationships, it will be magnified in a job role in which we feel little loyalty and trust in return. We continually preach the phrase "there is no relationship without trust"; this has to be taken into account when implementing a model such as this. As I said before, you reap what you sow.
I worry that this type of model will lead to a culture of cover-ups and lies, as people fear losing their jobs, or not gaining the level of trust they feel they are entitled to, or simply do not want to give a high level of loyalty to something they visibly do not receive in return.
5) It will lead to over-reliance and dependency on cyber, bringing about the risk of imbalance amongst key stakeholders.
As always with tech, we all quickly become reliant on "the machines" doing their jobs so we can get on with our much easier lives! However, if the organisation adopts "Zero Trust", the already weakest link in the insider threat team will end up massively under-performing in their role. HR are on the whole rather risk-averse and by tradition the total opposite in skill set to a proficient risk manager.
To create and run effective insider threat programmes you need strong key stakeholders all collaborating as a risk board for the company, each using their own skill set and insight to create and drive proactive, preventative and reactive programmes.
There are many insider threats that "Zero Trust" will not be able to deal with in practical life. I'm not sure how well the model would stand up to a disgruntled employee going on a rampage and killing an HR manager in their home. This case happened in France earlier this year. A man was arrested after killing three HR workers after he was sacked from his job. The killings took place over a four-day period as he drove around hunting them down.
https://www.google.com/amp/s/www.bbc.com/news/amp/world-europe-55854459
How does the "Zero Trust" model prevent these cases from happening again? Simple answer: it can't. You cannot suppress public information; therefore, regardless of suppressing internal data, the actor will always find a way to execute their actions.
This case clearly shows that suppression and restriction of access and information doesn't solve the problem; it drives actors to find alternative methods or opportunities.
It's worth remembering that even the Silicon Valley giants have recently received an immense backlash from users, service providers and many senators over their decision to suppress users' accounts, data and information. Suppression and data violations rank at the top of the reasons motivating ex-employees to leave these companies.
This is not the first time. In 2018, the Cambridge Analytica scandal shone a light on the potential corruption between Silicon Valley, data sales and voting laws. Risks are everywhere, but they come from both sides of the agreement. Yes, an employee could become an insider threat, but with this type of model the company itself could easily become corrupt in its ability and position of power over employees. All risks must be considered before committing to such a model. That case also showed that the impact of risks within companies can have devastating consequences, even undermining confidence in governments and politics.
I also predict that under this proposed security model, cyber will become the new owner of the insider threat programme, and the scapegoat. Employees will become disconnected and even potentially hostile if they are constantly seen as a barrier or a negative, restricting force.
In summary.
Any solution that a company seeks to adopt or include as a method of reducing risk needs to be thought through properly. Any planning for today's workforce has to encourage and mould the workforce of the future. Organisations need to be more long-sighted rather than seeking short-term solutions. They must become more self-reflective and seek to understand the next generation of manpower before adopting systems that will end up affecting them.
Chartered Security Professional & Director at Optimal Risk Group
1 year ago
A well-written article and valid arguments. Segmentation of data is one thing I would encourage, but if you want employees to be loyal and innovative too, it's vital they feel trusted. The balance is paramount. Malicious and accidental breaches can be managed with platforms like Egnyte: data governance built into a platform that monitors without being intrusive. Everyone has access to the folders they need. Lastly, I'd suggest the WeWork manager was lazy, not simply overloaded! Thanks Elizabeth.
National Security || Privacy || Insiders || Security || Espionage || Cyber || Writer, Consultant, Pundit
2 years ago
You have made the case for employees to be like water: they will find a way when the "regime" is centred on NO and not on why, how, and here is how. A good read, thank you.