The 0.1.2: August Edition
Posted: Monday August 7, 2023
Author: Jason Garbis
Stepping off the patch treadmill, watching the watchmen, and ice cream
While much of the world enjoys summer vacation, many of us in the information security space are heading to Las Vegas for the combination of BSides, Black Hat, and DEF CON – familiarly known as Hacker Summer Camp. Given that approximately 100% of summertime activities in Vegas are indoors, please don’t build any campfires while you’re there. But you can still get your s’mores fix with a cool treat from Ben & Jerry’s, a scoop of which would pair nicely with this newsletter.
To receive future editions of this newsletter via email, subscribe here.
Authenticating the Authenticators (AKA “who watches the watchmen?”)
I recently authored a guest blog for the Cloud Security Alliance, in which I pose a thought experiment: What happens if our authentication system is compromised? How could we use additional security context to better validate actors attempting to access data or applications?
Don’t Patch. Hide.
Inspired by the umpteenth recent widely-publicized VPN vulnerability, I make a perhaps radical recommendation: rather than remaining on the exhausting reactive patch treadmill, take a different approach, and use a Zero Trust architecture to hide these vulnerable systems from attackers. Read the full blog post here.
Microsoft Entra Announcement
The crowded and noisy Security Service Edge (SSE) vendor space just got a little more crowded and noisier, with Microsoft’s announcement of Entra Internet Access (their Secure Web Gateway) and Entra Private Access (their Zero Trust Network Access offering). See our perspectives on this in our video blog here.
Zero Trust in 3: State of Zero Trust
Finally, for those of you who are pressed for time, we’re pleased to introduce our first Zero Trust in 3 video, giving you insight and information in 3 short minutes. In this episode, we recap the State of Zero Trust survey.r prep work is required, and the report will provide you with guidance along each of the five Zero Trust Maturity Model pillars.
The View from Point Zero:
By Jason Garbis, Founder of Numberline Security
Assisted by Scully, the world’s only dog with a bluetooth-enabled tooth.
On a recent business trip to California I needed to rent a car, and I found the most affordable car rental option was actually an electric vehicle. I thought “this will be fun”, since I’d never driven an electric car.
And it was fun! My rented Chevy Bolt had some nice pep and excellent technology, and was pleasantly quiet to drive. Even the inevitable traffic jams were made more tolerable by the quiet ride, accompanied by some mellow satellite radio jazz.
Except…my hotel didn’t have any EV chargers, and the closest station was a good half-mile away. So, I had to park the car there when I could, and walk back and forth to the hotel. And I couldn’t leave the car charging overnight, due to my early morning flight. While I wasn’t worried about running out of battery, I was unable to fully charge the car before returning it.
Overall, despite the fun aspects, it was a bad user experience. I was inconvenienced by the distant parking location, and had to pay an outrageous fee to the unsympathetic rental car agency. In retrospect, given the constraints of my situation and the financial penalty for not doing so, renting a gas-powered car would have been a much better choice.
I feel that sometimes in our information security world, we get too enamored with security technology, and neglect to think through the impacts it has on user experience. I get it–security technology, especially modern platforms and tools–can be fun to evaluate, and satisfying to deploy. But, until and unless we work to fully understand how any changes affect our user populations, we risk resistance, reluctance, or outright rejection.
Contrast that with a security team that embraces any constraints, and works around them to make things easier and better for users. For example, instead of highlighting the improved security of your new access request portal system, emphasize the direct and relevant benefits for your users. “Use the new access request portal, and never fill out an access compliance audit form again!” In fact, make this a requirement for your vendor evaluation and POC.
Our end users are busy, and focused on fulfilling the organization’s mission. Security is of secondary importance to them, at best. And this is okay–we just need to recognize this. By taking a business and user-oriented approach to your security initiatives, you’ll be able to generate enthusiasm and support, and pave the way for a successful deployment.
- Webcast on Aug 17: Understanding the Two Zero Trust Maturity Models: CISA & Forrester. I’m moderating an all-star panel featuring John Kindervag, Chase Cunningham, and Sean Connelly and John Simms from CISA. Registration link here.
- Cloud Security Alliance SECtember event – in person. I’ll be in person at the CSA SECtember event, September 21-22 in the Seattle area. My session is “Applying the CISA Zero Trust Maturity Model to Your Enterprise.” Full details are available at the event website.
Thanks for reading.
Interested in learning more? Get 30% off the new book, Getting Started with Zero Trust : Use discount code THE012 for 30% off a digital copy when you purchase it from our media store.
And if you want to see how your enterprise can reduce security complexity and unlock business agility, take our 10-minute Zero Trust Readiness Survey.
To receive future editions of this newsletter via email, subscribe here.