One of the biggest roadblocks to effective IT is a lack of understanding throughout the organization. At GCA, we often use analogies to explain complicated methodologies to non-technical stakeholders. With this approach, the key concepts can be easily grasped and technical details like “Layer 7 Security” can be reserved for technical discussions. In this example, we’ll use a Rolling Stones concert to demonstrate zero trust in a way that is accessible to everyone at your organization.
Concept #1: Assume Breach
The reality of cybersecurity is that hackers are everywhere. No matter what technology you own or how brilliant your IT team is, malicious actors are likely already on your network.
When the Rolling Stones put on a concert, they will rent out a stadium, put up fences, hire security and lock back doors. This helps ensure only people who purchased tickets can get into the concert. For the most part, these security measures work.
Unfortunately, at a concert with more than 50,000 ticket holders, it’s safe to assume that some security guards are letting in their friends for free, or the sound guy brought his girlfriend. Some people may have even managed to hop the fence unnoticed or even hidden out the night before security came to set up.
This is what it means to “assume breach” in IT. Regardless of your security protocols, it’s impossible to guarantee nothing slips through.
Concept #2: Protect Surface
A protection surface is like your most valuable asset. At a Rolling Stones concert, the protection surface is the band members—without them, there is no concert.
We’ve already assumed people without tickets may have snuck past security. But threats can come from ticket holders too.
For example, in the NSA breach, Edward Snowden was an approved employee who turned out to be a malicious actor.
Security shouldn’t let anyone near the performers while they’re on stage, even if they have a ticket. We shouldn’t trust anyone at this concert; that’s where the name “zero trust” comes in.
Concept #3: Micro Perimeter
We’ve already established our most important asset: the band. We know we need to protect them, but we haven’t developed a strategy. That’s where a micro perimeter comes in.
A micro perimeter is a set of rules or policies that secure the protection surface. At the concert, the perimeter will primarily be in the form of security staff. We will keep a security team with the band at every step they go, traveling alongside them. We might have a policy which states, “Unless on stage, each band member must have two security staff members within 10 feet at all times.” Or another policy: “Aside from other band members, nobody is allowed to approach a band member.”
Assuming breach and establishing protection surfaces with micro perimeters is zero trust at a high level. It represents a paradigm shift for organizations that still use the old “castle wall” mentality (where all protection occurs at the perimeter). Zero trust is the reality-based approach of assuming the castle wall isn’t perfect and focusing efforts on protecting the organization’s most important assets. At the concert, if a fence is knocked over or a few drinks are stolen they can live with that—as long as the most important asset, the band, is protected.
GCA Can Help You Adopt Zero Trust
GCA can help you take the first steps to identify what would hurt your organization if malicious actors gained access to it. This is everything from PII (personally identifiable information) to IP (Intellectual Property).
Once we have established what needs to be protected, the next step is to figure out who, when, and how people should access sensitive information. This step is when the more technical architecture comes into play and where experienced technical experts can help.