Zero Trust, Malicious Actors, and My Vegetable Garden
Posted: Wednesday June 12, 2024
Author: Jason Garbis
Living in New England, with its long and gray winters, my vegetable garden is a delightful summer highlight. While I don’t depend on it as my primary food source, it is a significant source of stress relief and enjoyment. However, much like our enterprise’s information assets, the garden represents an attractive target for malicious actors.
In this case, I have to defend myself against the neighborhood assortment of critters: rabbits, squirrels, birds, raccoons, and the occasional possum or woodchuck. These hungry and decidedly malicious creatures have a variety of Tactics, Techniques, and Procedures (TTPs) which must be thwarted through a collection of defense mechanisms that include physical, chemical, visual, and auditory measures. (I have not yet escalated to kinetic or electrical defense mechanisms, although I haven’t completely ruled them out.)
My garden security is a decidedly imperfect defense, and I accept a certain level of breach. For example, I have a three-foot metal mesh fence surrounding it; this keeps the rabbits out, but not the birds or squirrels. I could do better with a more robust fence, but for me it wouldn’t be worth the investment. Plus, some of the more skilled and determined (but luckily infrequent) visitors – I’m looking at you, woodchucks – could breach pretty much any defense I could deploy.
Fortunately for me, at worst a garden breach will result in disappointment and minor infrastructure damage. This is decidedly not the case for our enterprise IT environments.
Our businesses are fully dependent on IT to operate, and a successful attack can result in significant or even existential damages to an enterprise, as well as potential civil and even criminal charges.
Information security leaders need to internalize this, and create an appropriate sense of urgency within their organizations. The stakes are too high, and our landscape is too dangerous not to rapidly adopt best practices – as defined and combined within Zero Trust – throughout the enterprise.
Is this going to take some work, and the introduction of some rigor into our enterprises? Yes – and I’ll argue that it’s time to improve our enterprise security maturity, and to clearly define the set of processes surrounding it. For example, security teams should not accept a lack of visibility into what is running on their network – this is a prerequisite for enforcing the principle of least privilege, and thwarting attackers via effective access control policies.
I fully understand the challenges that enterprises face, including technical debt, resource constraints, and decades of organically grown enterprise network complexity. However, a Zero Trust strategy provides a clear and effective path forward, and when executed well delivers rapid and incremental improvements to the enterprise.
It’s time for security leaders to assert themselves, and demand that their organizations properly organize and deploy defensive mechanisms. We know how to do this effectively – Zero Trust provides us with this guidance – and now it’s time to execute.
If you’re interested in learning how to best approach your Zero Trust program, sign up for our free, 30-minute Zero Trust Strategy Kickstart. We’ll work with you to make sure your Zero Trust program is set up for success. Complete information is available here.
