If I had a dollar for every time I encountered the phrase ‘zero trust,’ I would no longer be working at Cyolo. At every conference, in everyone’s LinkedIn feed, and across most security company blogs (including our own), zero trust is the idée du jour. There are so many bad examples of misused zero trust messaging, full of incredible claims or blatant misrepresentations. It’s enough to make this security marketer blush and shy away from even discussing this radioactive topic.
“Hackers don’t break in; they log in” – Dedi Yarkoni, Cyolo co-founder and CTO
But zero trust is our best hope. Maybe even our only hope, as Christopher Mims opines in the Wall Street Journal. Mims points to the well-publicized breaches at Uber, Okta, Nvidia, Rockstar Games, and more to show how even well-funded tech companies can fall prey to persistent attacks by teenagers.
Zero trust is a simple concept, but the difficulty is in the details, and operating by zero trust principles is devilishly hard. Why?
- Humans are naturally trusting. We like to think the best of other people! Malcolm Gladwell writes at length about this in his book Talking to Strangers, but in short, a functional human society is not actually possible without trust. So, our communities developed ways to implicitly trust other people. As Mims writes, “It is, after all, easier to upgrade a computer than the human mind.”
- Path of least resistance. All things being equal, the easiest path becomes the default. Hard work is just that, hard. I know that I tend to work on other tasks, especially when there is a daunting item that needs to be completed. Similarly, the enablement of zero trust in an organization “requires commitment from its most senior leaders and can ultimately necessitate what is essentially a gut renovation of its systems.” It’s no surprise that this work has been delayed!
- Complexity is the enemy of security. The only way to be fully secure is to deny all access. Ok, problem solved, let’s all go home. In reality, security teams deploy a dizzying array of tools that “create friction for users and employees, because security is always a balance between giving people the access they need and demanding that they prove their identity.” With their work now made harder, it is unsurprising that people bypass the myriad security controls they are required to operate within.
So, since it is no longer acceptable to trust anyone or anything, it is time for us to extend this principle to our security vendors. Most security tools that help companies build a zero trust environment require a level of implicit trust from the organization toward the supplier. In other words, for the security vendor to help, the company must trust them with more than its money; it must also hand over its passwords. However, these security vendors are all staffed by people, and as we have seen from breaches in the tech space (Okta, SolarWinds, Cisco, etc.), even security companies that should know better are susceptible to the same tactics, techniques, and procedures (TTPs) that everyone else falls victim to.
When Almog Apirion, co-founder and CEO of Cyolo, was a CISO, he would ask his security vendors, “Can you add yourself as a user in my system?” After filtering through their murky answers about how they would never do that, the truth emerged that they could, in theory, cause changes to his secure environment without his knowledge. This required him as a CISO to trust his vendors, breaking the zero trust model from the start.
Almog ultimately left his CISO job to create an access solution that offers true zero trust. Today, Cyolo offers Identity Based Access Control, deploying zero trust one authenticated user at a time. The architecture is purposely built to never retain or change the user’s system, so if Cyolo is ever breached, there will be no customer information available to a hacker.
At Cyolo, we insist that you do not trust us, and we are challenging the industry to live by our espoused values. If we are going to ask customers to pay us to support their zero trust journey, then we must live by those principles ourselves. No more marketing, it’s time to put our money where our mouth is.
And seriously, if someone wants to start paying me a dollar for every time zero trust is used in a security discussion, I used it 13 times in this short piece...