In implementing Zero Trust, there are challenges with an inward-facing cyber strategy that does not include external connections.
In looking at the upcoming transition to Zero Trust for US Government agencies, their contractors, and sub-contractors, organisations are confronted with determining how to protect what is valued and with challenging old conventions. This is good – albeit difficult to execute – because organisational security departments are only a small piece of the digital landscape. Zero Trust will likely be difficult to interpret internally, with still less understanding of how to implement it externally. The following areas are of concern.
Connectivity: Internally, Zero Trust is an ideal concept for mapping out an organisation’s internal landscape. This vital information has often been siloed, or split into segments run by different sub-units. This applies not only to tech and data, but also to process/ risk/ controls, with controls often tied to one risk segment whilst ignoring others which either were not part of the consideration when the control was developed or, more likely, were not the responsibility of those who owned the control.
Externally, where an organisation connects with clients and suppliers is still fuzzy territory, as responsibility is shared – or not. Liability and contract renegotiation are part of the reasoning, and also part of why there is a breakdown at the seams between organisations in incident response, shared services, etc. If there is no central managing authority, there is no sense of who has decision-making authority/ responsibility. With many understandably keen to absolve themselves of responsibility for items over which they do not have firm control, there is no firm connection.
Communications: Internal communication within an organisation is dependent in part on scale. A global organisation may have regional communications circles. Where it starts breaking down – aside from organisational politics – is the divergence of perceived functions. It is simpler to determine geographic second-order relationships (who works in the same office/ country/ area) than orders based on functional dependencies (knowing who you are dependent on is simple, knowing who they are dependent on is slightly more difficult, knowing further dependencies gets very complicated). When mapping out organisations, considering layers – similar to geographic digital maps – is helpful. Connections otherwise unseen become more apparent when you start to layer the different data sets, making the communications breakdown less insane.
Externally, two parts stand out in communications between businesses: information sharing and points of contact. Challenges abound with both. Information sharing arrangements often take the form of consumption rather than contribution, which limits the value added: too few are adding. The other issue is the sector-based nature of information sharing groups, which helps in some regard, but limits the direct connections or vested interests of the clients and vendors directly attached to the organisation. Points of contact offer direct connections between organisations, but are often exactly as stated – singular points. Those points are often not the people responsible for information sharing or incident response, but rather the sales/ support/ purchasing agent, or someone along those lines. They may have contacts elsewhere – but establishing communications as a conduit takes time and should be done well before an incident occurs.
Culture: Much of connectivity and communications, both internal and external, is dependent on culture – the most difficult focal point to determine/ interpret/ adjust. Understanding how the organisation views its various interdependencies from an internal/ external perspective will be vital in deciding how to build Zero Trust into your cyber landscape. Honest enquiry and response are needed, with significant time and resources allocated.
Without going into questions on how Zero Trust will be implemented in the digital infrastructure (Zero Trust DNS servers, anyone?), or how we will determine degrees of success (attestation/ independent confirmation/ authentication requirements), recognise that our time is limited. Ten years seems like a long time, but it will pass in moments, as we have many interpretations to build/ fail/ rebuild/ rinse/ repeat. The whole exercise is about trust.
Trust is acceptance of risk. It seems Zero Trust requires more trust than ever before.