RSAC 2025: Zero Trust To Give

Welcome to the Talk Page for Having Zero Trust to Give: What should have been next? You can find additional resources here!

Abstract

Zero Trust generally means either “Zero Trust Network Access,” now a decade old, or it’s a sign that a vendor’s marketing team is behind on buzzword-washing their content. What should Zero Trust have given us, and how do we apply it to the modern enterprise ecosystem to protect us from modern breaches?

Overview

When Zero Trust came to market in the wake of Operation Aurora, companies clamored to be the first to have a model that didn’t just trust end user requests because they were “on the network.” ZT became a synonym for “don’t trust end users” rather than the criticism of badly written apps and authentication protocols it should have been. Meanwhile, ransomware and other lateral-movement-based breaches have run amok in our ecosystems, as ZT principles were only applied unidirectionally against users, and rarely against the real weak link in the enterprise: the systems administrator and their tools.

Meanwhile, enterprises have morphed beyond the corporate data center, spreading first into the cloud, and then into SaaS, and the risks of badly designed and managed architectures have exploded a thousand-fold: from shadow and ill-managed SaaS to non-human identities at scale, both about to be aggravated by the impending explosion of fourth-party AI agents.

This talk will explore a model for thinking about ZT principles, from tight authentication that can’t be assumed by others to minimizing unused permissions, and everything in between, and examine how these principles should be applied to the varied ecosystems a security team finds itself supporting: from cloud-native to SaaS-native, the cyborgification of the end user, and the addition of the AI employee.

Attendees will walk out of this talk with a simple and coherent mental model that they can apply to all systems they interact with, so they can evaluate whether the risks presented by those systems match their risk tolerance.

How to CISO relevant resources

More Reading

Other Versions

  • A variant of this talk was also given at the DOD Zero Trust Symposium under the title “Zero Trust Leadership: Small Changes, Big Outcomes”, and can be found here.

Talk Slides