“Implementing technological zero-trust only to your infrastructure is nothing short of a return to a compliance-driven mindset. Ironically, this makes you non-compliant to today's risks and threats”
Zero trust from a tech-giant perspective is fundamentally about making your endpoints compliant with company policy and protocol before they can access your company network. Whether you have an on-premises solution or a cloud-based one, the principles are pretty much the same. This applies to both PCs and mobile devices. When compliant, you can go about your business.
However, this approach has a major risk attached to it. By making the endpoint compliant, the tech giants are creating a metaphorical 127.0.0.1. In layman's terms, this is a loopback. In this case the loop returns to the compliance-era mindset. The reason is obvious: they simply do not seem to care about the human perspective and do not apply behavioral science when developing security software, in this case zero-trust. This comes at a time when the threat landscape of ransomware, complex viruses and simple passwords is on every cyber security agenda. It is also a time when they are focused on building a digital ecosystem for the human.
Let's put it another way. Imagine a compliant endpoint as a car. It must meet security requirements to be allowed on the road. In this case it represents your infrastructure. But if the driver, your endpoint user, is a “caveman” with no knowledge of how to drive the car, then the safety of the car is invalid. To fully benefit from a zero-trust implementation you need to educate your drivers; the user needs to understand how to operate the car safely. And for the humans to understand how to operate safely and securely, they need to have a zero-trust mindset. This is easier to implement than the technological software.
“The obvious flaw in implementing zero-trust is the lack of human firewall patch management”
Besides zero-trust implementations for your endpoints, a patch management process is an absolute must. But you also need something that is often forgotten: a patch management strategy for your human firewalls. The zero-trust model will crumble as long as the human firewall keeps clicking on cats and on links in e-mails with the header “do not click”, or using the internet for risky business. The endpoint is only compliant up to the point where the unaware human turns it on and logs on to cyberspace. Yes, it can still protect you from breaches to a point, just as the car can protect the driver to a certain level, but it is still a gateway to major trouble. You're at least in for a bumpy ride. The human firewall, like your infrastructure, needs zero-trust installed, or rather a zero-trust mindset. The zero-trust compliant endpoint pauses, analyses and passes or rejects in relation to policy and control settings. To stand a serious fighting chance in this ongoing cyber war, the human firewall needs to stop, think and ask around before reacting. Zero-trust at both ends.
“One highly effective and proven cyber security approach against threats in our time is an aware human turning into a virtual human firewall at the frontline towards cyber security threats”
The patch management strategy for human firewalls is not a project to be ticked off on your agenda once a year. It is a process, a method. The method needs a level of reflection, something for the human firewall to relate to and then repeat. The human firewall is the first line of defense. Only if it is patched effectively will the second line, the zero-trust software, act as a truly effective measure.