
ZTA – A Jungian Approach

In my experience in defining, designing, and implementing Zero Trust Architectures, I have come to the conclusion that every deployment has its own unique personality. What this looks like in practice is that there is an art to ZTA that is not completely understood by most people. One of the first steps/phases in a ZTA ‘journey’ is to identify and understand the protect surface. This requires an in-depth review of your own environment. I look to a quote from the 20th-century psychiatrist Carl Jung as a guiding principle.

“Who looks outside, dreams; who looks inside, awakes.” – Carl Jung

Both points of view are necessary. To dream is to perceive the future. It is to understand the journey your security team needs to travel. To awake, a leader comes to terms with and understands where their security team currently succeeds and fails. The dream is to perceive what a full Zero Trust Architecture deployment/implementation would look like in their environment. To some extent, to successfully build a ZTA environment, you first have to ‘dream’ about your ZTA deployment, and then ‘awake’ to the reality of your present situation. I have led a number of teams through the ‘dreaming’ as well as the ‘awakening’ of ZTA. The art of the architecture is when you are able to find the path between what exists and what the ZTA needs to be.

The assessment is critical to the success of a ZTA implementation. The assessment is a snapshot of what the current environment looks like and how it operates. The biggest challenge of the assessment is the number of people that need to be involved to get a clear and realistic picture of the Tactics, Techniques, and Procedures that the IT and Security team follows. Having a holistic view of the operations and architecture is imperative to the successful interview and mapping of the current state of the environment.

Whether internal or external, make sure that you have the right people on both sides of the table. To represent the current state, you need to have the people who can answer what the world truly looks like presently, not what the CIO/CISO ‘believe’ to be true. On the other side of the table, you need individuals who are knowledgeable about all aspects of IT as well as how to successfully implement a ZTA environment. Without the proper ZTA knowledge, they will not be able to ask the right questions about the current state and then advise on how to travel the ‘journey’ to ZTA.

Identity is not the new Perimeter!

A few years ago, we were all bombarded by marketing campaigns from identity management (IDM) software vendors stating that “Identity is the new Perimeter.” While that sounds good and sells well to CISOs and CIOs, it is a little simplistic and misleading. I believe that identity is just a small part of what can be considered the “new security perimeter.”

We know that the weakest link in the cybersecurity chain for any company is its users. Attackers know that they can socially engineer users and get them to divulge credentials or download malware from compromised websites. IT security teams continue to deploy protection software to prevent users and systems from being harmed by mistakes made by users. For many organizations, a significant percentage of the IT security budget is dedicated to simply trying to protect the company from human error.

The reality is that the “new perimeter” comprises a holistic view that combines identity, system or device, network, applications, and data. If you focus on just one—or even a few—of these pillars, it can provide a false sense of security. You may successfully monitor and protect the pillar or pillars you’re paying attention to and still end up compromised. If any aspect of this holistic “perimeter” is exploited, the attacker has a fairly easy path to a full-blown breach where all aspects are compromised.

Too many CISOs define their cybersecurity strategy by checking boxes for the regulatory requirements of the different agencies that audit their environment. While compliance with regulatory frameworks like Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI-DSS), and other mandates is required, and non-compliance can be expensive, the simple fact is that compliance is not security. Chasing regulatory checklists is not a strategy, but a recipe for disaster leading to a breach.

Holistic or aggregate security considers a broader view of the environment when defining the cybersecurity strategy and selecting tools and processes. Aggregate security focuses on making sure that the protections of each object (identity, system, data, application, etc.) are integrated with the others. For example, when strange or malicious behavior is detected on the network, that is a red flag that should change the security posture of the system, identity, data, and application pillars as well.
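The two preceding points, that watching a single pillar gives a false sense of security and that a red flag on one pillar should change the posture of the others, can be shown with a small policy decision function. The following is an added example written for this page, not code from the original post or any vendor product. The pillar names follow the post; the risk scale (0 to 100), the thresholds, the treatment of a pillar with no telemetry as untrusted, and the sample signals (an identity-provider result, an MDM compliance result, a network detection, and so on) are all assumptions constructed for the demonstration.

```python
"""Aggregate (holistic) access decision across Zero Trust pillars.

Added example, not from the original post. Risk scale, thresholds,
signal sources and sample requests are constructed assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# The five pillars named in the post.
PILLARS = ("identity", "device", "network", "application", "data")


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # e.g. force re-authentication before access
    DENY = "deny"


@dataclass(frozen=True)
class Signal:
    pillar: str   # one of PILLARS
    source: str   # telemetry source that produced the signal (assumed names)
    risk: int     # 0 = benign .. 100 = confirmed malicious (assumed scale)


@dataclass
class AccessRequest:
    user: str
    device_id: str
    resource: str
    signals: list = field(default_factory=list)


# Assumed policy thresholds.
STEP_UP_THRESHOLD = 40
DENY_THRESHOLD = 70
# Zero Trust assumption: a pillar with no telemetry is not trusted by default.
UNKNOWN_PILLAR_RISK = 50


def pillar_risk(signals) -> dict:
    """Highest risk reported per pillar; None where no signal was seen."""
    risk: dict = {p: None for p in PILLARS}
    for s in signals:
        if s.pillar not in risk:
            raise ValueError(f"unknown pillar {s.pillar!r}")
        if not 0 <= s.risk <= 100:
            raise ValueError(f"risk out of range: {s.risk}")
        current = risk[s.pillar]
        risk[s.pillar] = s.risk if current is None else max(current, s.risk)
    return risk


def score_to_decision(score: int) -> Decision:
    if score >= DENY_THRESHOLD:
        return Decision.DENY
    if score >= STEP_UP_THRESHOLD:
        return Decision.STEP_UP
    return Decision.ALLOW


def identity_only_decision(req: AccessRequest) -> Decision:
    """The 'identity is the perimeter' view: consult one pillar only."""
    r = pillar_risk(req.signals)["identity"]
    return score_to_decision(UNKNOWN_PILLAR_RISK if r is None else r)


def aggregate_decision(req: AccessRequest) -> tuple:
    """Holistic view: the worst pillar drives the decision, so a clean
    identity cannot outvote a compromised network or device. Returns the
    decision and the pillar that determined it (for the analyst)."""
    risks = pillar_risk(req.signals)
    worst_pillar: Optional[str] = None
    worst = -1
    for p in PILLARS:
        r = UNKNOWN_PILLAR_RISK if risks[p] is None else risks[p]
        if r > worst:
            worst_pillar, worst = p, r
    return score_to_decision(worst), worst_pillar


# Constructed sample requests.
# MFA passed and the device is compliant, but network detection sees
# periodic beaconing from the same device to an unknown host.
REQUEST_BEACONING = AccessRequest(
    user="alice", device_id="LAPTOP-0042", resource="payroll-db",
    signals=[
        Signal("identity", "idp", 5),
        Signal("device", "mdm", 10),
        Signal("network", "ndr", 85),
        Signal("application", "waf", 5),
        Signal("data", "dlp", 20),
    ])

# Everything observed looks clean, but no device telemetry arrived at all.
REQUEST_MISSING_DEVICE = AccessRequest(
    user="bob", device_id="UNKNOWN", resource="wiki",
    signals=[
        Signal("identity", "idp", 5),
        Signal("network", "ndr", 10),
        Signal("application", "waf", 5),
        Signal("data", "dlp", 15),
    ])

if __name__ == "__main__":
    for req in (REQUEST_BEACONING, REQUEST_MISSING_DEVICE):
        print(req.user, "identity-only:", identity_only_decision(req).value,
              "| aggregate:", aggregate_decision(req))
```

For the beaconing request the identity-only check returns allow, because the identity pillar is clean, while the aggregate check denies and names the network pillar as the reason; for the request with no device telemetry the aggregate check asks for step-up rather than silently allowing, which is the "never trust by default" posture the post argues for.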

The push for a holistic approach is also evident in merger and acquisition activity in the security industry. There has been a movement in recent years to try to integrate different layers of security. We have seen vendors buy up smaller point-solution vendors and roll everything together so they can say they have a “holistic” security solution. The challenge, however, is in successfully and seamlessly integrating the different solutions. Do they really share information across each layer or application to provide a robust security platform? Successes in this area are few and far between.

The latest trend in security frameworks is secure access service edge (SASE) and zero trust architecture (ZTA). I am a huge advocate of both these movements and see great promise in these new innovations. But neither will solve the silo problem I am seeing if the security teams are not able to integrate their solutions to take advantage of shared information across all the pillars. Having an aggregate security mindset is critical to delivering a full-scoped solution.

Identity is not the new perimeter. It is one facet of a comprehensive security posture. The new perimeter is not a perimeter at all but a mindset that views aggregate security across all pillars of the environment.