Completing The Zero Trust model

Is The Zero Trust Model Truly “Zero Trust”?

I think we’re missing something from the current Zero Trust models.

For the most part, they are consistent and follow the same pattern:

Verify Users

Verify Devices

Verify Networks

Verify Applications and in some instances,

Verify Data

What about “Verify Environment” as a first step? Interestingly enough, this is not enforceable through technical controls. Sure, there are controls like locks, doors, gates, guards, proximity card readers, and so on, but ultimately it comes down to how we secure the environment in which we leverage the Zero Trust Model.

If we can gain access to the environment in which the rest occurs, we may be able to circumvent some of these controls. Sure, the additional layers can mitigate a lot of issues such as plugging in an untrusted device and so on, but the weakest link may be how we conduct ourselves: passwords written down, systems left unlocked for extended periods, sensitive data left on printers or portable media. It doesn’t always have to be a malicious outsider, one of “The Hoodies”. The two other threat actors are malicious insiders and well-intended insiders.

Not every threat is to our data itself; some are to our access to it. Sabotage or other physical damage and theft can cause significant downtime, loss of access, and more.

It’s a greasy one to answer, I’ll admit, but my point is that we should also “Verify Environment” for the safety of ourselves and our systems and data.

Thoughts?

Stay safe out there!

Aspiring CISO. Cyber Entertainer, Writer, and Presenter. Humanity, not machinery. An observer of how we use and abuse technology. Empathetic and altruistic.
