I was reading an interesting article: Forrester Pushes ‘Zero Trust’ Model For Security, where they mainly claim that you should not trust your internal network – something I have been asking for for a long time. However, the conclusions Forrester and I are drawing are slightly different. John Kindervag – the person quoted in the article – claims that you have to do a deep inspection of the network in order to resolve the problem. I disagree for several reasons:
- Privacy: In some countries it might be considered an invasion of an employee’s privacy if you start to do in-depth analysis of the IP traffic. It gets even worse if you store it.
- It might simply be impossible because of the sheer amount of data you have to store and analyze.
- What about encrypted traffic?
To me, there are other approaches we have to consider. First and foremost – and there we still agree – we have to realize and internalize that our network is untrusted, or even worse, that the Internet is our network. There is no such thing as “internal” and “external” anymore. This has consequences, and if you take the consumerization of IT into your equation it gets worse. By that I mean the trend that end-users are bringing more and more private devices into our networks to do their job (or who really took a strategic decision to have the iPhone or an iPad in your network?). End-users have started to take IT strategy decisions!
What can we do with that? How do we do risk management in such an environment? There is definitely a vision we have to work towards, which is called End to End Trust. Actually, Scott Charney wrote a very good paper on that: Establishing End to End Trust. However, that’s a vision – what can you do now?
- Accept the facts above.
- Authenticate not only users, but devices as well. Implement IPsec authentication. You can look at this here: Server and Domain Isolation.
- Based on that implement Network Access Protection. This allows you to decide whether the devices your information is sitting on are policy compliant.
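As an added example (not from the original post), here is what the device-authentication step of a Domain Isolation policy looks like in practice, using the Windows NetSecurity PowerShell cmdlets (Windows 8 / Server 2012 and later). It assumes domain-joined hosts with Kerberos available, an elevated shell, and a placeholder subnet for the infrastructure exemption.

```powershell
# Added example, not from the original post: minimal Domain Isolation policy.
# Assumptions: domain-joined hosts, Kerberos reachable, running elevated.
# Policy: inbound traffic MUST be IPsec-authenticated, outbound is only
# requested, so unauthenticated (unmanaged) devices cannot initiate
# connections to domain members while members can still talk to the Internet.

# Phase 1: authenticate the computer account with Kerberos (device identity).
$machineAuth = New-NetIPsecAuthProposal -Machine -Kerberos
$p1 = New-NetIPsecPhase1AuthSet -DisplayName "Isolation P1 (Computer Kerberos)" `
        -Proposal $machineAuth

# Phase 2: additionally authenticate the user (user identity on top of device).
$userAuth = New-NetIPsecAuthProposal -User -Kerberos
$p2 = New-NetIPsecPhase2AuthSet -DisplayName "Isolation P2 (User Kerberos)" `
        -Proposal $userAuth

# The isolation rule itself: Require inbound, Request outbound.
New-NetIPsecRule -DisplayName "Domain Isolation" `
    -Mode Transport -Profile Domain `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $p1.InstanceID -Phase2AuthSet $p2.InstanceID

# Exemption: infrastructure that must be reachable before IPsec can be
# negotiated (domain controllers, DNS, DHCP). The subnet is a placeholder;
# replace it with the address range of your own infrastructure servers.
New-NetIPsecRule -DisplayName "Domain Isolation exemption - infrastructure" `
    -Mode Transport -Profile Domain `
    -RemoteAddress "10.0.0.0/24" `
    -InboundSecurity None -OutboundSecurity None

# Verification: confirm the rules are in place, then watch for main-mode
# security associations as peers connect. A peer that never shows up here
# is not authenticating and will be refused by the Require rule.
Get-NetIPsecRule -DisplayName "Domain Isolation*" |
    Format-Table DisplayName, InboundSecurity, OutboundSecurity, Enabled
Get-NetIPsecMainModeSA | Format-Table LocalEndpoint, RemoteEndpoint
```

For a phased rollout, start with `-InboundSecurity Request` on the isolation rule and review the main-mode SA list to find devices that cannot authenticate before switching to `Require`.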
That way you can at least enforce that the devices you talk to are policy compliant. What about your information now? How can you implement data classification? You can mark the information in different ways: flag it, keep it in specialized folders, encrypt it, etc. What about the problem that the information leaves the environment in which it is protected? We need persistent protection of the information you are dealing with. That’s the reason I really like Rights Management Services and have a hard time understanding why it is not used more often.
And last but definitely not least, we need to focus more on managing users instead of devices. To be able to do this, we need sound identity management. This starts with processes (how do you get rid of a user account if the user gets laid off? I mean all the user accounts, including the cloud-based ones), and technology can definitely support you on that way.
Would this solve your problems? No, but it would definitely reduce the risks significantly. It is all about risk management – no?
Roger