Earlier this month, president of RSA, Rohit Ghai, opened the RSA Conference in San Francisco with some stirring words about understanding the trust landscape. The talk is both encouraging and depressing, for what it offers and for how far we have yet to go to realize this vision completely. Let me explain my point of view.
Back in the day, we had the now-naïve notion that defending a perimeter was sufficient. If you were “inside” (however defined), you were automatically trusted. Or once you authenticated yourself, you were then trusted. It was a binary decision: in or out. Today, there is nothing completely inside and trusted anymore. It is all shades of grey. So, cybersecurity means evaluating who and what is trusted on a continuous basis. Ironically, to appreciate these shades of grey, we have to work a lot harder before we can trust our computers, apps and devices.
Part of the challenge is that the world has become a lot more complicated. How many of us now accept the following as part of our normal routine?
- Telling your credit card company when you will be out of the country is now part of a pre-trip routine.
- Questioning when asked to provide our SSN or street address. Remember when some of us had them printed on our checks?
- Providing a “fake” birthday when signing up for a new website. While this is a more secure posture, it is also somewhat annoying when that date rolls around on the calendar and the congratulatory notes come in.
- More routine use of Multi-factor Authentication (MFA) sign-ons. Without MFA, I might consider taking my business elsewhere.
- Accepting the extra steps of using a VPN when roaming around on public Wi-Fi networks as part of the normal connection process.
Like Rohit, I have begun “to obsess about the trust landscape.” I think we all know what he means. He spoke about managing various risks, which means assessing the likelihood of particular digital compromises to our networks, our endpoints and our lives. “It must become our new normal,” he said during his keynote.
But what does this really imply? That we can’t trust anyone or anything anymore? That is where the depression sets in. Some vendors have tried to make lemonade out of these lemons by promoting what they call a “zero trust” model. You might think this is a new term, but you would be wrong. It has been around since 2010, when then-Forrester analyst John Kindervag first created the notion. The idea is simple: no one is granted any access until they can prove their identity. In that paper, he mentions that when Bugsy Siegel built Vegas, he built the town first, and then the roads. In IT, too often we first go for the infrastructure before we understand the apps that will be running on it.
Here is a better idea: RSA CTO Dr. Zulfikar Ramzan advocates replacing the zero trust model with one focused on managing zero risk. Doing so gets IT staffs to examine what is really important: identifying and securing key IT assets and data, as well as third parties. He mentioned in this video interview that “if digital transformation is the rocket ship, then trust has to be the fuel for that rocket ship.”
Using this zero-risk model changes the conversation from building roads to looking more carefully at the business itself: what apps are needed to deliver business services; how will proprietary data be stored and protected; and who will have access to what based on the business? How many of you can certify with complete confidence that every user in your Active Directory is still a legitimate and current employee?
Tom Wolfe wrote in his 1987 novel, The Bonfire of the Vanities, about a concept called “the favor bank.” This means we all make deposits, as favors, in the hopes of making future withdrawals when we need them. Rohit used a variation in his keynote that he called the “reputation bank,” where companies make deposits of trustworthy moments, to balance those dark times when they make withdrawals. I like the concept because it gets across that trust is a two-way street. I will give up my email to you, if I get some benefit to me. The vendors that make deposits to their reputation bank will earn interest and our trust; those that lie about their privacy policies will overdraw their accounts.
To conclude things, I turn to that great security authority, Billy Joel, who once said it best:
It took a lot for you to not lose your faith in this world
I can't offer you proof
But you're going to face a moment of truth ...
It only is a matter of trust.
This post was sponsored by RSA, but the opinions are my own and do not necessarily represent RSA’s positions or strategies.
# # #
David Strom is an independent writer and expert with decades of knowledge on the B2B technology market, including: network computing, computer hardware and security markets. Follow him @dstrom.