Why applying the concepts of zero trust broadly to employees is a dangerous mistake for cybersecurity programs.
This article was originally published on the Forbes Technology Council.

We've arrived at the point in the story where Dr. Seuss is about to reveal the moral. You know, that familiar parable where we all latch on to the idea of "zero trust" and start applying it everywhere, then all of a sudden we no longer trust anyone or anything and everyone is isolated within their own lonely bubble. Then the story breaks with a cliffhanger and we're left to consider the meaning of it all as our tongue unwinds.

Over the last 10 years, we've watched a ridiculous perversion of the ideals of zero trust unfold. Starting from the very real and meaningful lessons learned from the Operation Aurora attacks at Google, the cybersecurity machine has charged relentlessly down the path of zero trust. At the start, there were some real improvements: don't extend trust based on network locality; use a strong source of authentication; validate the context of each request; authenticate every request; authorize every request. Essentially, don't take shortcuts when it comes to authentication and authorization. Good stuff, and it makes sense. Frankly, it was a real improvement for all of us. Gone were the days of wondering why we couldn't access systems across the internet. The authentication and authorization steps would be robust enough to handle a request from a coffee shop and a request from the terminal in the data center, and not assume one is more trusted than the other because of its origin.

But then, things changed: the zero trust message was selling and the audience was ripe to receive. I'm not one to overly generalize the security community, but if I were, the word "cynical" might come to mind. The message of zero trust became an excuse for a generally distrustful disposition. Quickly, the narrative became all-inclusive:

Can I integrate an open-source package into our product? No! Zero trust!
Can I use the hotel wifi? No! Zero trust!
Can I use this mail plugin? No! Zero trust!
Can I access corporate mail without a VPN? No! Zero trust! (See what happened there?)

The other day I saw a security practitioner's comment on LinkedIn: "When we started talking about Zero Trust, the premise was that the human as a control was no more to be 'trusted' than your antivirus program or that web content filter."

It's not really the same definition or origin story of zero trust as found on any trusted reference source, but it is a great example of how easily the phrase is used and co-opted.

Using zero trust as a guiding philosophy for authentication is a great strategy, but applying it broadly to employees is a big mistake. It is completely fair (and very necessary!) to design a program where an employee is not solely responsible for the security of your organization, but it would be a huge mistake to design a program where an employee cannot add to the security of your organization. When employees feel their choices have been constrained, or that they are being controlled (even for benevolent reasons), they start to push back; see the psychological principle of "reactance." Many cybersecurity controls already cross this line ("this website has been blocked by your IT administrator"), and overextending the misappropriated idea of zero trust exacerbates the problem.

The ideal we should be aiming for is a scenario where we can engage with employees to improve security outcomes. Organizations like Yahoo have practiced this well, establishing a security program that effectively engages their employees to improve the organization's cybersecurity posture. The driving philosophy behind this approach is to avoid presenting employees with "impossible questions" (Does this website have malware?) and instead focus on meaningful incremental improvements (Can you store this password in our corporate password management system?).

At any organization, humans are our most valuable resource. Even when we're young, we can do things computers simply cannot. Security leaders would be wise to remember that fact. Rather than wrongly apply the concepts of zero trust to our employees and become the moral of the Dr. Seuss story, it's time for us to trust them to be the upside in our cybersecurity programs.