Zero Trust in Three Steps

Author: Colin Robbins

Navigating Zero Trust Beyond Technical Discourse

A lot is said about Zero Trust these days, but all too often the discussion ends up embroiled in aspects of technology or sets of principles. This is all great if you are in the industry and enjoy a technical debate. However, the language needs to be adjusted for other audiences to understand it.

So, if you are a board member, or someone who has to explain this to your non-security/technical colleagues, here is a simple way of explaining Zero Trust.

A business operates by:

  1. Taking in a set of inputs (data, raw materials, strategy, requirements)

  2. Running its business processes (data processing, manufacturing)

  3. Producing an output (product or service)


So, let’s apply Zero Trust.

1. Understanding Inputs

At Step 1, we need to be sure the inputs are genuine, and have not been tampered with.

Applying Zero Trust, you need to understand all of your inputs:

  • Are the suppliers who they claim to be?

  • Are the goods/services what they are expected to be?

  • How trustworthy are they?

If the trustworthiness or quality falls outside of some defined tolerance, reject the inputs.

2. Ensuring Trustworthy Processes

In Step 2, we need to be confident the business processes are operating in the way we expect.

  • There is no unauthorised tampering with the process (which would leave the output deficient or defective in some way)

  • The processes do not leak sensitive information (e.g., that could aid a competitor, or land us with a data breach prosecution)


Zero Trust is about building confidence these processes cannot be tampered with or unduly influenced by other processes. Assurance is used to verify the robustness of the process of building that confidence.

3. Demonstrating Trustworthy Outputs

In Step 3, we need to find a way to demonstrate the output is trustworthy in a way that customers can verify. For example, some form of trusted quality seal or risk management process such as:

  • Kite mark

  • Digital signature

  • 3rd party assurance


The approach you take to Zero Trust is one part of the evidence.

Zero Trust in Three Steps

So, there you have it - Zero Trust in three steps.

  1. Ensure you have a basis for trusting all business inputs.

  2. Ensure your business processes are trustworthy.

  3. Demonstrate the trustworthiness of your output.

How can Nexor help?

It turns out each of those steps is a little bit tricky, which is why there is a whole industry talking about Zero Trust principles, architectures, and models. If you need any help navigating your way through this, then please get in touch with Nexor. We would be delighted to assist.

About the author

Colin Robbins is a Principal Security Consultant, leading customer-funded research activities in secure interoperability and information exchange. He has specific technical interests in the Single Information Environment and Data Centric Security, as well as the processes of security, such as Secure by Design and Information Security Management Systems (ISMS). He is a Fellow of CIISec, and a former NCSC certified Security and Information Risk Adviser (Lead CCP).
