What Is Your Cybersecurity Paradigm?
Recently the topic of "Zero Trust" as a cybersecurity paradigm came up. This is a simple-seeming question which requires some context because a simple definition isn't really going to help you much.
Here is the simple definition: Zero Trust is a cybersecurity paradigm whose motto is
Never trust, always verify.
This motto is snappy and short and clear at the high level. But once you try to imagine how you would implement this paradigm there are many questions, starting with "what's the practical definition of 'cybersecurity paradigm'?"
Your cybersecurity paradigm is your fundamental approach to cybersecurity. It underlies everything you do to maximize authorized access to your cyber resources while minimizing unauthorized access. It is usually so deeply ingrained and so pervasive that you aren't even aware of it. The most common cybersecurity paradigm we see is The Perimeter Paradigm: you build a virtual castle around your cyber resources and then patrol those battlements for all you are worth.
This paradigm is comforting for a few reasons. For one, it is an analog of physical security, which reduces the problem to one you have already solved. For another, it localizes your focus: you only have to defend the edges of your domain. This is the "trust" of "never trust, always verify": implicitly, this model trusts anyone who is within the walls. Once someone gets inside they face significantly fewer hurdles to unauthorized access, just as people who get through the security checkpoints are often lightly monitored thereafter.
The Perimeter Paradigm is so common, so natural-seeming that many people cannot imagine any other. But some people did: they imagined the Zero Trust paradigm. The Zero Trust paradigm doesn't trust the walls and doesn't feel that implicit trust is a good thing. Instead of a fortified perimeter, the Zero Trust paradigm has an "always authenticate" policy: you want to use a resource or look at data? Then you have to prove that you have permission to do that each and every time you do it. This means that permissions are the focus, because you want each account, whether assigned to a person or to software, to have only the permissions it needs to do its job. In practice, this means having roles instead of users and staying on top of who needs to do what. This is the "always verify" part of "never trust, always verify."
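As an added illustration (not part of the original post), here is the same access request evaluated under both paradigms: the perimeter rule trusts anything coming from the internal network, while the zero-trust rule verifies identity and role permission on every request and denies by default. The role table, accounts, network range and the HMAC "identity provider" are constructed stand-ins.

```python
# Added example: one request, two paradigms. Everything here is constructed.
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import ipaddress

# Constructed role table: each role carries only the permissions its job needs.
ROLE_PERMISSIONS = {
    "payroll-clerk": {"payroll:read"},
    "payroll-admin": {"payroll:read", "payroll:write"},
}
# Constructed account -> role assignment; permissions are never granted per user.
ACCOUNT_ROLES = {"alice": "payroll-clerk", "bob": "payroll-admin", "batch-job": "payroll-clerk"}
SIGNING_KEY = b"constructed-demo-key"  # stands in for a real identity provider's key
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed "inside the walls"


@dataclass
class Request:
    account: str
    source_ip: str
    action: str            # e.g. "payroll:write"
    token: Optional[str]   # proof of identity presented with *this* request


def issue_token(account: str) -> str:
    """Hypothetical identity provider: an HMAC over the account name."""
    return hmac.new(SIGNING_KEY, account.encode(), hashlib.sha256).hexdigest()


def perimeter_allows(req: Request) -> bool:
    """Perimeter paradigm: anyone already inside the network is trusted."""
    return ipaddress.ip_address(req.source_ip) in INTERNAL_NET


def zero_trust_allows(req: Request) -> bool:
    """Zero Trust: verify identity, then role permission, on every request.
    Source address plays no part; the default answer is deny."""
    if req.token is None:
        return False
    if not hmac.compare_digest(req.token, issue_token(req.account)):
        return False  # token does not prove this account's identity
    role = ACCOUNT_ROLES.get(req.account)
    return req.action in ROLE_PERMISSIONS.get(role, set())


if __name__ == "__main__":
    inside_unauthenticated = Request("alice", "10.1.2.3", "payroll:write", token=None)
    print("perimeter:", perimeter_allows(inside_unauthenticated),
          "zero trust:", zero_trust_allows(inside_unauthenticated))
```

Note the last two checks in the test: a correctly signed token for an account with no role still yields deny, and a legitimate admin working from outside the network is allowed under Zero Trust but not under the perimeter rule.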
Should you consider using Zero Trust? That depends where you fall on the scale from "this is a solution in search of a problem (because your perimeter is very effective)" to "God, yes (because the perimeter model isn't working for you)".
All the usual caveats apply, but we will list them just to make sure that you consider them:
- No abstract paradigm fits your situation perfectly; you are going to have a hybrid.
- Roles are great when they are perfectly defined and maintained; otherwise, not so much.
- Defining roles requires a very deep understanding of your system as a whole.
- You can't fix personnel problems with paradigms.
- Changing paradigms won't help if you don't understand your threat environment.