<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2180921&amp;fmt=gif">

(Zero) Trust but Verify

by D. Mark Durrett | Jan 28, 2022 | Compliance

Security monitoring is perhaps the least discussed element of a Zero Trust strategy

Over the past decade, the concept of Zero Trust has been heavily promoted and widely adopted by security practitioners. It’s grown from its humble beginnings as a network-centric concept into a more complete architecture and/or philosophy. Even while this more modern approach to Zero Trust is itself beginning to gain traction, an important element of the architecture is often ignored, neglected, or even shunned.

You may recall hearing about former American President Ronald Reagan's frequent use of his interpretation of the Russian proverb, “Doveryai, no proveryai (Доверяй, но проверяй),” beginning in 1986. Reagan explained that the U.S. will take a “trust but verify” approach to arms control negotiations with the Soviet Union. 

Well, if “verify” makes sense with an entity you “trust,” there most certainly must be a continuous “verify” component to a system with Zero Trust.

So, what does a modern Zero Trust architecture look like? 

Well, just this week Forrester analysts David Holmes and Jess Burn updated the definition originally proposed over a decade ago by their former colleague, John Kindervag. You can read their blog post here >>

They distinguish this new modern definition from its original by applying the popular "eXtended" moniker. Now referred to as Zero Trust eXtended (ZTX), Forrester has redefined Zero Trust eXtended as follows:

Zero Trust is an information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices. Zero Trust advocates these three core principles: All entities are untrusted by default; least privilege access is enforced; and comprehensive security monitoring is implemented.

This final sentence is key here. It outlines the three principles of a Zero Trust strategy. 

  • Untrusted by default
  • Least privilege access
  • Comprehensive security monitoring

These are illustrated in the pyramid diagram below:


It is this last bullet (shown in the bottom left corner of the pyramid above) that remains widely disparaged and often overlooked. In fact, there are even advocates of Zero Trust who believe it to be completely unnecessary. This is, of course, nonsense. 

The physical security team for a major banking operation in Paris would never consider skipping the installation of surveillance cameras or motion detectors in their vaults after installing physical access controls and limiting physical access to only those who need it. Similarly, cybersecurity executives who implement an untrusted-by-default model and least privilege access controls but fail to deploy comprehensive security monitoring are ignoring a critical element of the model. 

While the phrase “trust but verify” was first uttered in the US by an American president, another US administration brought this concept full circle with a memo issued this week by Shalanda Young, acting director of the White House Office of Management and Budget (OMG). 

In the memo, Young endorses the idea of continuous security monitoring, saying “it is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction" [emphasis added]

If that is true, why is this core principle often neglected? Well, we intend to explore this more in upcoming blog articles.

Finally, as Forrester states, Zero Trust is an “information security model, one that can be worked toward but without an ultimate end state.” 

Here we see that perfection is not the goal, but rather the goal should be one of continuous improvement in the direction of Zero Trust.

At Stamus Networks, we have made it our mission to help defenders advance their efforts towards Zero Trust through effective network-based monitoring and threat detection solutions.

D. Mark Durrett

Mark is the chief marketing officer (CMO) at Stamus Networks, where he has responsibility for go-to-market strategy and execution. Mark started his career as an electrical engineer and worked in digital circuit design of networking and telecom hardware for over a decade. He has over 25 years of experience leading marketing, product management and engineering for technology companies. Mark has served as the senior product and marketing executive at Netsertive, Emerging Threats, Overture Networks, Bell and Howell, Covelight Systems and Hatteras Networks. Mark resides in North Carolina, USA.

Schedule a Demo of Stamus Security Platform


Related posts

The Critical Role of NDR in Continuous Security Auditing

For a large organization, keeping track of numerous security systems or internal security policies...

Weathering the Storm: The Importance of Cyber Resilience

If you have ever worked for a large enterprise, then you may be familiar with the term “enterprise...

Cybersecurity Compliance for Financial Services: Can NDR Help?

Maintaining an effective security posture is difficult enough for any organization. But for those...