Thursday, October 13, 2011

Agile Security Manifesto #3 - No Such Thing as a Trusted Network or Device

When haven’t we relied on some measure of trust in creating security systems and policies? Yet the number of controllable factors that establish trust is diminishing, and those that remain are becoming more and more transient.

    Who is a trusted user?
    What is a trusted network or device?
    How does a system establish and maintain the notion of trust?

These questions are harder to answer now than ever because of the explosive change occurring in the Enterprise environment. Economic conditions have forced consolidation, driven outsourcing of traditionally internal services, commoditized our data, pushed new services into production, and raised our tolerance for risk so that we can compete effectively. Lost in that process are the traditional review, the clear definition of trust, and the loyalty that once drove behavior. Trust implies some level of stability or consistency. It is time to recognize reality - that era is gone.

Trust as a static concept overlaid on the dynamic Enterprise is a security illusion. The world is moving too fast for that. Security must adapt to all the transient states that are part of the Enterprise IT environment today. The jury is in. Static security has failed too many times, and organizations are looking to respond to threats and adapt security policies in the time frames that actually deliver a defense. We now have to ask: where are your applications, users, data, and access points? What devices are being used to access your data?

The organizations that thrive in the future will be dynamic across all of IT; why would anyone think that security will be exempt? This will push CISO/CIO leaders to innovate their approach beyond compliance checklists and accountants’ views of security. The critical question remains - how can an Enterprise operate securely in this dynamic world, without the traditional trust model? The answer lies in security automation and visibility, allowing organizations to respond to change in the time frame in which “their” changes are happening, rather than days or weeks later when it is too late. That means replacing the “trust” environment and its static reporting, operational blindness, and manual policy controls with a “trust nothing” approach built on real-time visibility and security automation.

The tired “trust” approach looks like this picture. All is beautiful until you let the snow melt, see what is really there, and then want to look the other way.


[Image] The “trust” coating, like the snow in this picture, provides a false ‘veneer’ over what really lies beneath.


Moving forward, organizations must adjust their past practices to the reality that nothing truly should be trusted - not devices, files, computers, users, or content. The only sustainable approach is a dynamic defense that is instrumented to your unique environment, always learning from the change, and adapting security controls so that they stay constantly relevant.

How agile is your security program? How have you responded to the failure of traditional security? What are you using for continuous security awareness?
