The Price of Distrust
Zero Trust – The Case In Favour
I’m like Zero Trust models. It’s a robust design ethos and the granularity of response it offers is currently unparalleled. In an increasingly Cloud first (or only) world with evergreen SaaS services it’s an achievable technological goal, offering a response and mitigation to almost anything the world throws at your environment. It allows enhancements and adaptations to the ever-evolving threat landscape.
But...
I use Domain Driven Design approaches to work out the right tool for the job at hand. Where Zero Trust is being discussed I spend most of the initial engagement exploring whether it is right for the organisation and environment in question. Because Zero Trust is beautifully expansive, nuanced and granular. Or in other words it can be huge, complicated and complex. Poor implementations could leave you more vulnerable than before in exchange for a lot of time and money, a fairly bad equation. It’s not a beginners model and will take longer and cost more than you thought. And you’ll still get breached. One of the fundamental assumptions for Zero Trust adopters is “assume breach”, scant comfort for something you poured your teams hearts and minds into.
So why all the fuss?
Zero Trust is catchy, easy to market and plays neatly into the Fear, Uncertainty and Doubt (FUD) of cyber security. It is based around the ability to respond to unknown and future threats (zero days will feature). And it will help. Probably. When it’s matured. The other bonus is that it’s agnostic – no one vendor or solution can deliver Zero Trust implementation and there’s few products that can’t fit into it. So it doesn’t constrain your market choices. Or help you make investment decisions. You could buy everything.
There are problem statements and scenarios ideal for Zero Trust models that are hard to cope with using other approaches. Here’s some scenarios where Zero Trust might be right for you:
- A complex supply chain with direct access from 3rd party managed (or unmanaged) devices to data and services;
- The business model relies on effective collaboration with 3rd parties on sensitive data with a high risk of harm if compromised;
- The nature of the business is dynamic, notable shifts in behaviour within the environment may well occur in a standard planning cycle;
- Any shift in the pattern could indicate a tangible threat;
- Devices and services accessing data are disproportionately outside of the organisational sphere of control;
- Preventing legitimate business usage is potentially more harmful than a compromise.
Tick some or all of those boxes and you should definitely consider Zero Trust. There’s plenty more examples where it’s a good fit. But if the business doesn’t have those characteristics then you will get less value from the model. If the supply chain is simple, most business is conducted internally on managed assets and the nature of the work doesn’t experience dramatic shifts then there will be a simpler way of achieving a good level of cyber protection.
So what now…?
You’ll hear a lot about Zero Trust for the foreseeable future. Some folk are going to try and sell things off the back of it. So what should you do? Whoever proposes it, ask these questions:
- How does this model support the business strategy and organisational objectives?
- How much existing investment can work effectively in that model?
- How will adopting this allow our people to work effectively in an appropriately secure manner?
If you get good answers, then try it. If you don’t, take a step back and wait for better answers.
Nine23 provide Cyber Security solutions (OFFICIAL-Sensitive) that enable the frontline end-users in today’s workplace to use current technology, securely. Click here to find out more
Dan Patefield
Dan Patefield
Dan leads the techUK Cyber Security programme, having originally joined techUK in August 2017 as a Programme Manager working across the Cyber and Defence programmes. He is responsible for managing techUK's work across the cyber security eco-system, bringing industry together with key stakeholders across the public and private sectors. Dan also provides the industry secretariat for the Cyber Growth Partnership, the industry and Governmnet conduit for supporting growth across the sector. A key focus of his work is to strengthen the public-private partnership across cyber security to support further development of UK cyber security policy.
Before joining techUK he worked as Forum Lead for the Westminster eForum. In this role he had a focus on the technology and telecoms space, on issues ranging from Broadband and Mobile Infrastructure, the Internet of Things, Cyber Security, Data and diversity in tech. Dan has a BA in History from the University of Liverpool.
- Email:
- [email protected]
- Phone:
- 020 7331 2165
Jill Broom
Jill Broom
Jill is techUK’s Programme Manager for Cyber Security, working across the cyber eco-system to bring industry together with key stakeholders across the public and private sectors.
Prior to focusing in on techUK's cyber security work, Jill was also part of techUK's Central Government programme team, representing the supplier community of technology products and services to Whitehall departments.
Before joining techUK, Jill worked as a Senior Caseworker for an MP, advocating for local communities, businesses and individuals, so she is particularly committed to techUK’s vision of harnessing the power of technology to improve people’s lives. Jill is also an experienced editorial professional and has delivered copyediting and writing services for public-body and SME clients as well as publishers.
- Email:
- [email protected]
- Twitter:
- @honeybroom
- Website:
- www.techuk.org
- LinkedIn:
- https://www.linkedin.com/in/jill-broom-19aa824
Annie Collings
Annie Collings
Annie joined techUK as the Programme Manager for Cyber Security and Central Government in September 2023.
Prior to joining techUK, Annie worked as an Account Manager at PLMR Healthcomms, a specialist healthcare agency providing public affairs support to a wide range of medical technology clients. Annie also spent time as an Intern in an MPs constituency office and as an Intern at the Association of Independent Professionals and the Self-Employed.
Annie graduated from Nottingham Trent University, where she was an active member of the lacrosse society.
- Email:
- [email protected]
- Twitter:
- anniecollings24
- LinkedIn:
- https://www.linkedin.com/in/annie-collings-270150158/