Implementor Tips for Zero Trust: Insights from George Finney
George Finney, Chief Security Officer at Southern Methodist University and author of "Project Zero Trust," will join Mirantis’ Jason James, Director of Security, and John Jainschigg, Director of Open Source Initiatives, on September 21st, 2023 at 12pm PST / 3pm ET in a webinar titled Zero Trust for Implementors: Insights from a Pioneer’s Playbook.
To prepare for that conversation, here are seven key insights from George’s thinking on Zero Trust, aimed at implementors. For a deeper dive, please read George’s book, a successful combination of thriller and technical manual that shows the personalities and processes involved in a Zero Trust implementation.
1. Trust is a Vulnerability
In the world of cybersecurity, trust is not a strength but a vulnerability. Attackers exploit trust relationships within digital systems to gain unauthorized access. Finney emphasizes that recognizing and eliminating these trust relationships is a crucial step in implementing Zero Trust.
2. Understand Your Business
Zero Trust is not just about technology; it's about aligning security with business needs. Understanding your business and its specific requirements is foundational to your Zero Trust strategy. This understanding will guide your approach and help you tailor your security measures to your organization's unique needs.
3. Adopt a Repeatable Design Methodology
Implementing Zero Trust requires a systematic and repeatable approach. Finney suggests a design methodology that includes defining protect surfaces, understanding your transaction flows, architecting controls, designing policies using the Kipling method (see below), and monitoring and maintaining the system. This structured approach ensures that your Zero Trust implementation is comprehensive and effective.
4. Embrace the Complexity of Cloud Environments
Cloud environments can add a layer of complexity to Zero Trust implementation. However, they also offer opportunities for enhanced security. Finney advises that understanding your cloud environment and having visibility into all traffic and activities is crucial, and that visibility is rarely available out of the box for public and private cloud estates. While it may be challenging, it's essential to ensure that no unknown traffic is allowed and that all activities are logged and monitored.
5. Assemble an Interdisciplinary Team
Zero Trust implementation is not a one-person job. It requires a team with diverse expertise to spot and eliminate trust relationships in digital systems. This team could include network engineers, developers, IT personnel, and security experts. An interdisciplinary team brings different perspectives and skills to the table, enhancing the effectiveness of your Zero Trust implementation.
6. Use the Kipling Method for Policy Design
Policy design is a critical aspect of Zero Trust. Finney recommends using the Kipling method (from the poem ‘I Keep Six Honest Serving Men,’ and long viewed as the foundation of journalistic inquiry), which defines each policy by asking six questions: who, what, when, where, how, and why.
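One way to turn the six questions into an enforceable, default-deny policy check is sketched below. This is an added example, not code from Finney's book or from Mirantis; the meaning given to each field and all names (payroll-web, payroll-db, alice@hr) are assumptions made for illustration.

```python
from dataclasses import dataclass, fields
from datetime import time

@dataclass(frozen=True)
class Rule:
    who: frozenset   # identities allowed (assumed meaning of "who")
    what: str        # application being used
    when: tuple      # (start, end) allowed time window
    where: str       # protect surface being reached
    how: str         # required access method
    why: str         # business justification, kept for the audit trail

    def __post_init__(self):
        # A rule that leaves any question unanswered is rejected: no wildcards.
        for f in fields(self):
            if not getattr(self, f.name):
                raise ValueError(f"rule does not answer '{f.name}'")

@dataclass(frozen=True)
class Request:
    who: str
    what: str
    when: time
    where: str
    how: str

def decide(request, rules, audit):
    """Default deny; allow only on a full match. Every decision is logged."""
    for rule in rules:
        start, end = rule.when
        if (request.who in rule.who and request.what == rule.what
                and start <= request.when <= end
                and request.where == rule.where and request.how == rule.how):
            audit.append(("allow", request, rule.why))
            return True
    audit.append(("deny", request, "no matching rule"))
    return False

# Constructed sample policy and requests (hypothetical names).
RULES = [Rule(frozenset({"alice@hr"}), "payroll-web", (time(8), time(18)),
              "payroll-db", "mtls", "HR staff run monthly payroll")]
AUDIT = []
in_hours = Request("alice@hr", "payroll-web", time(9, 30), "payroll-db", "mtls")
after_hours = Request("alice@hr", "payroll-web", time(23, 0), "payroll-db", "mtls")
unknown = Request("bob@dev", "payroll-web", time(9, 30), "payroll-db", "mtls")
RESULTS = [decide(r, RULES, AUDIT) for r in (in_hours, after_hours, unknown)]
```

Only the in-hours request from the named identity is allowed; the other two fall through to the default deny, and all three decisions land in the audit list.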
7. People are the Most Important Part of Zero Trust
Finally, Finney emphasizes that the most important part of Zero Trust is the people who implement and live it every day. Security is not just about technology; it's about the people who use that technology. Ensuring that your team understands and is committed to the principles of Zero Trust is crucial for its successful implementation.
In conclusion, implementing Zero Trust requires a comprehensive understanding of your business, a systematic approach, an interdisciplinary team, and a focus on people. By building technical strategy around these touchstones, implementors can navigate the challenges of Zero Trust and enable effective security for applications and organizations.