Zero Trust vs Full Trust
#SimplifyWithSourabh Post#4: Zero Trust vs Full Trust
Of late, you must have heard about Zero Trust. And I grew up in an environment which encourages trust. As a leader, as a solution architect, and as a family member, we are told to become, and firmly believe in becoming, a trusted advisor. Isn’t this a paradox? Personally, this tussle between "Trust & Zero Trust" had been on my mind for the last few months. This article simply portrays my thoughts about these seemingly contradictory ideas.
Firstly – what is this Zero Trust? Zero trust is a security model that assumes no connection can be trusted, even if the user or account was previously authenticated. As per NIST, Zero Trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defences from static, network-based perimeters to focus on users, assets, and resources. As the IT landscape changes with remote users, bring your own device (BYOD), and cloud-based assets, perimeter-based security is no longer adequate. Zero Trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments. This cybersecurity paradigm concentrates on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.
Secondly, let’s understand “Trust” a bit more. Merriam-Webster Dictionary defines trust as assured reliance on the character, ability, strength, or truth of someone or somebody. In day-to-day life, trust is an essential factor. As a child, you trust your parents. As an employee, you trust your leaders and their guidance. The company trusts you to deliver what your role is tasked with. As a customer, you trust the provider for the products or services you pay for. Every aspect, every decision relies on this thing called “trust”. Specifically in leadership, I believe trust is the most crucial factor for building a team. One can connect, one may have the capability, but if the leader lacks trust, the team won’t align. Just as leadership can be learnt, building trust can be learnt too. Stephen Covey explains very nicely in his book “Speed of Trust” that trust comes from consistency.
When trust is so important, the discussion on “Zero Trust” would obviously cause doubts. However, we need to separate these into two different planes. If you engage with your team with suspicion and evaluate at every juncture, the relationship may not flourish. You may not achieve the desired results. At the same time, if you blindly trust anyone, you may be the loser again. Like everything in life, it is not black or white. Initially, it may take some time to know the person. But once the trust is established, you can continue your engagement seamlessly and both flourish. But this is not true in the IT world (read virtual world) where anyone can hack your credentials and pose as the original.
I feel the difference is between the person and the persona. When you are engaging with a known person, trust is a key factor for success. When we engage with a persona, we need to find the authenticity behind that known mask. In the IT landscape, we have personas with different login and access details. Moreover, with Edge and IoT, even IT assets have their own personas capable of doing the required tasks. Hence, it becomes critical to continuously check and verify the persona and the actions it is performing.
As a human, I believe in trust. As a leader, I typically go with the trust of people – including the team, colleagues and customers. However, in the cyber world, I won’t assume implicit trust is granted to assets or user accounts based solely on their physical or network location or on asset ownership. I prefer to follow the principle of “never trust, always verify”, which is nothing but Zero Trust.
Hope you enjoyed reading this article. I would like to know your view on this. Please do comment if you agree, disagree, or want to expand.
This post is part of the series #SimplifyWithSourabh. The idea for this initiative came from my friends and colleagues who wanted me to share some bytes from my experience. #SimplifyWithSourabh includes posts based on my experience where I try to simplify a concept related to life or technology. The views mentioned are my own.
This article is also a part of an initiative in the group Soltech, Recognizing enterprising technophiles across the cloud. I would encourage all the technophiles to join the group for more relevant feeds.
Love your thoughts, Sourabh, very well compared two aspects of trust.
Management Consultant | Founder Veravizion | Trusted Advisor | Oxford MBA
1 year ago
Interesting and well-laid-out thoughts Sourabh Mishra on Trust vs zero trust. Really love your analogies of person and persona. I guess for productive outcomes, it is important to follow this: In the real world, trust a person until proven otherwise. In the virtual world, zero-trust a persona until proven otherwise.
Solution Architect | Customer Trusted Advisor | Cloud Specialist
1 year ago
Very insightful information