I think we’re missing something from the current Zero Trust models.
For the most part, they are consistent and follow the same pattern:
Verify Applications and in some instances,
What about “Verify Environment” as a first step? Interestingly enough, this is not enforceable through technical controls. Sure, there are controls like locks, doors, gates, guards, proximity card readers, and so on, but ultimately it comes down to how we secure the environment in which we leverage the Zero Trust Model.
If we can gain access to the environment in which the rest occurs, we may be able to circumvent some of these controls. Sure, the additional layers can mitigate a lot of issues, such as plugging in an untrusted device, but the weakest link may be how we conduct ourselves: passwords written down, systems left unlocked for extended periods, sensitive data left on printers or portable media. It doesn’t always have to be a malicious outsider, one of “The Hoodies”. The two other threat actors are malicious insiders and well-intended insiders.
Not every threat is to our data itself; it may instead be to our access to it. Sabotage, other physical damage, and theft can have a significant impact in the form of downtime, loss of access, and more.
It’s a greasy one to answer, I’ll admit, but my point is that we should also “Verify Environment” for the safety of ourselves and our systems and data.
Stay safe out there!