If you ever read O’Reilly’s “Zero Trust Networks: Building Secure Systems in Untrusted Networks”, you may have noticed it reads more like a young-adult novel than their typical technical manuals. The concept of “zero trust” has gained popularity. The idea behind it is pretty simple: rather than trusting anyone or anything by default because of where it sits on the network, an organization treats every user, application, and device as a potential threat until its identity has been authenticated, its device posture checked, and its request authorized against an explicit, narrowly scoped grant, and it repeats that evaluation on every request instead of once at the perimeter. In theory, this approach helps contain attacks by limiting access to sensitive data and systems to those with a legitimate need for it. But how long is a piece of string? In May 2021 Biden signed Executive Order 14028, which directed federal agencies (not corporations in general) to move toward a zero-trust architecture, with 60 days to produce a plan for doing so… (or else.)

Shortly after the executive order, every compliance-as-a-service hustler and their mother jumped on the opportunity to fear-monger and scare-market their services to gullible companies that had never allocated any budget to security before, leading to an extortionist gold rush of murky MDM merchants and cyber-snake-oil marketers out for blood and riding the gravy train.

People, not technology, are still the weakest link in cybersecurity. Paranoia has a cost too: excessive spending and wasted resources, and no amount of it eliminates every risk, so the job is to balance trust with vigilance. One of the biggest gaps in the zero-trust pitch is that its controls verify whether access was legitimately granted, not whether it is being legitimately used. A significant portion of cyber attacks are carried out by insiders: employees, contractors, or partners who hold valid credentials, pass every authentication and device-posture check, and already have a grant to the sensitive data and systems they misuse. Security awareness and training are crucial for any security strategy, “zero-trust” or not. Ultimately, the key to effective cybersecurity is not to eliminate all risk, but to manage it.
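To make the zero-trust definition at the top of the post, and the insider point just made, concrete, here is an added example in Python; it is not code from the article or from any product it mentions. It implements a minimal per-request policy decision point. The subjects, devices, resources and grants are constructed sample data; the checks (verified identity with MFA, an unexpired short-lived session, a managed and compliant device, an explicit least-privilege grant) are the ones the zero-trust model generally asks for, and network location is deliberately never consulted. The final scenario shows the gap described above: an insider whose export permission was legitimately granted passes every check.

```python
# Added illustration: a minimal per-request zero-trust policy decision point.
# Not code from the article or from any product it mentions; all names,
# fields and grants are constructed sample data.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

@dataclass(frozen=True)
class Principal:
    subject: str            # identity asserted by the identity provider (IdP)
    authenticated: bool     # did the IdP verify the credential for this session?
    mfa: bool               # was a second factor used?
    token_expires_at: int   # unix seconds; short-lived sessions are re-verified often

@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool           # enrolled in device management
    compliant: bool         # passes posture checks (disk encryption, patch level, ...)

@dataclass(frozen=True)
class Request:
    principal: Principal
    device: Device
    resource: str
    action: str
    source_network: str     # recorded for logging only; the policy never consults it

# Explicit least-privilege grants as (subject, resource, action). Constructed sample data.
GRANTS: FrozenSet[Tuple[str, str, str]] = frozenset({
    ("alice", "customer-db", "read"),
    ("alice", "customer-db", "export"),
    ("bob", "wiki", "read"),
})

def decide(req: Request, now: int) -> Tuple[bool, str]:
    """Evaluate one request from scratch and return (allowed, reason).

    Nothing is inherited from network location or from an earlier decision:
    identity, session freshness, device posture and an explicit grant are
    all checked on every request.
    """
    p, d = req.principal, req.device
    if not (p.authenticated and p.mfa):
        return False, "identity not verified with MFA"
    if now >= p.token_expires_at:
        return False, "session token expired; re-authenticate"
    if not (d.managed and d.compliant):
        return False, "device is not managed and compliant"
    if (p.subject, req.resource, req.action) not in GRANTS:
        return False, "no explicit grant for this resource/action"
    return True, "allowed: verified identity, compliant device, explicit grant"

def scenarios(now: int) -> Dict[str, Tuple[bool, str]]:
    """Constructed requests showing what the policy catches and what it cannot."""
    alice = Principal("alice", authenticated=True, mfa=True, token_expires_at=now + 900)
    bob = Principal("bob", authenticated=True, mfa=True, token_expires_at=now + 900)
    stranger = Principal("unknown", authenticated=False, mfa=False, token_expires_at=0)
    corp_laptop = Device("lt-0042", managed=True, compliant=True)
    byod_phone = Device("ph-0007", managed=False, compliant=False)
    return {
        # Outsider on the internet: denied at the first check.
        "external_attacker": decide(
            Request(stranger, byod_phone, "customer-db", "read", "internet"), now),
        # Being on the corporate LAN buys nothing: an unmanaged device is still denied.
        "alice_corp_lan_unmanaged_device": decide(
            Request(alice, byod_phone, "customer-db", "read", "corp-lan"), now),
        # Bob has no grant on customer-db, so least privilege blocks him.
        "bob_customer_db_export": decide(
            Request(bob, corp_laptop, "customer-db", "export", "corp-lan"), now),
        # Alice reading data she is entitled to: the intended allow case.
        "alice_customer_db_read": decide(
            Request(alice, corp_laptop, "customer-db", "read", "internet"), now),
        # The insider gap: Alice bulk-exporting the same data passes every check,
        # because the export grant is legitimately hers. The policy verifies that
        # access was granted, not that it is being used appropriately.
        "alice_customer_db_export": decide(
            Request(alice, corp_laptop, "customer-db", "export", "internet"), now),
    }

if __name__ == "__main__":
    for name, (allowed, reason) in scenarios(now=1_700_000_000).items():
        print(f"{name:34s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

Running the block prints one line per scenario. The first three are denied for different reasons, and the last two are both allowed; nothing in the decision distinguishes Alice's routine read from her bulk export, which is exactly why training, monitoring of how granted access is used, and honest risk management still matter once the policy engine is in place.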