The Price of Distrust

Nine23 are happy to announce we will be contributing to this years TechUK’s Cyber Week (19-23th April) which will centre around Cyber Security in the ‘post-COVID’ world.

Firstly, we discuss Zero Trust – There are many journeys to Zero-Trust and many different ways to approach it. Why did your company move to Zero-Trust? How does your technology help people migrate to a Zero-Trust system? How do you intend to continue your journey to a Zero-Trust system?

Adam Gwinnett, Chief Technology Officer (CTO) of Nine23 has led on the definition and implementation of Zero Trust models for the last 5 years and is a ‘critical friend’ of the approach. Technological advances have meant that, despite the phrase being coined in 2010, this model is now achievable for a broad array of organisations. The benefits of the model are clearly recognised and there are plenty of sources for this, but less is covered on the costs of adopting these models and the impacts it can have on your wider landscape.

Nine23’s CSaaS is designed to support your understanding and implementing “Zero Trust”.

Zero Trust – The Case in Favour 

Let me start by being open – I’m a fan of Zero Trust models. I think it’s a good, robust design ethos and the granularity of response that it can offer you is currently unparalleled. In an increasingly Cloud first or Cloud only world with evergreen SaaS services it’s also now an achievable technological goal. It can offer a response and mitigation to just about anything the big bad world can throw at your environment and can allow you to make minor enhancements, adjustments and adaptations to the ever-emerging and evolving threat landscape.

It’s the answer.

But…

What was the question that Zero Trust was the answer to? I’m a big fan of using Domain Driven Design approaches in the quest to work out what the right tool for the job at hand is. In any engagement where Zero Trust is being discussed I typically spend 40-60% of the initial engagement exploring whether Zero Trust is right for the organisation and environment talking about implementing it. Because Zero Trust is beautifully expansive and nuanced and granular. Or in other words it can be huge and complicated and complex. A poorly implemented model could easily leave you more vulnerable than you were before you started in exchange for a lot of time and money, which is a fairly bad equation. It’s not a model for beginners and will definitely take longer and cost more than you thought it would. And you’ll still get breached. In fact one of the fundamental assumptions for any Zero Trust adopters is “assume breach” which can seem like scant comfort for something you will have poured your teams hearts and souls into.

So why all the fuss?

Aside from the fact that Zero Trust is pretty catchy and easy to market, it also plays neatly into the Fear, Uncertainty and Doubt (FUD) angle of the cyber security industry in that there’s no neat template for it and it is based around the ability to respond to the unknown and future threats (zero days will normally get trotted out at this point). And it will help you with that. Probably. When you’ve gotten it matured and working properly. The other bonus it has as a model is that it’s vendor agnostic – no one vendor or solution can deliver you a Zero Trust implementation and there’s almost no product that can’t be made to fit into it. So it doesn’t constrain your market choices at all. Or help you make investment decisions. And you could buy everything, which is definitely in some people’s interests.

But here’s the thing, there are problem statements and scenarios which absolutely cry out for Zero Trust models to be used and which are hard to cope with using pretty much anything else. Here’s a couple of my safe bet scenarios that doing Zero Trust might be right for you:

  • You have a complex and extensive supply chain with direct access from 3rd party managed (or unmanaged) devices to your data and / or services;
  • Your business model relies on effective collaboration with 3rd parties on sensitive data where that data carries a high risk of harm if compromised;
  • The nature of your business is dynamic (and potentially unpredictable) where notable shifts in behaviour and usage within your environment are highly likely to occur in a standard planning cycle (say, quarterly);
  • The devices and services accessing your data are disproportionately outside of your own organisation or sphere of control;
  • Preventing legitimate business usage (even if that is unexpected or irregular) is potentially more harmful than a breach or compromise.

If you can tick some or all of those boxes then I would say you should definitely consider Zero Trust. There’s plenty more examples where it’s a good fit. But if your business doesn’t have those characteristics then you are likely to get dramatically less value from the model. If your supply chain is clear and simple, most of your business is conducted internally on managed assets and the patterns and nature of your work don’t experience dramatic shifts then there is definitely going to be a simpler way of you achieving a good level of cyber protection.

So what now?

You’re going to hear a lot about Zero Trust for the foreseeable future. And some folk are going to try and sell you things off the back of it. I may even be one of them. So consider it an inevitability. So what should you do? Whoever is proposing it, ask them these questions:

  • How does this model support my business strategy? Can you show how it supports my organisational objectives?
  • How much of my existing investment can work effectively in that model?
  • Can you show how adopting this would allow our people to work effectively in an appropriately secure manner?

And if you get good answers, I’d say try it. If you don’t then take a step back and wait for better answers.

Written by Adam Gwinnett, CTO of Nine23

Adam Gwinnett is the Chief Technology Officer for Nine23Ltd and heads their cyber security advisory service as well as acting as service owner for their CSaaS offering amongst other functions. Having held senior strategy, architecture and security roles for the last 10 years Adam has witnessed first-hand trends in recruitment, outsourcing, tooling and implementation shift as organisational priorities and commercial strategies have changed.

Nine23 are your trusted partner, we are here to help you from start to finish and it is our mission to deliver complete, secure IT solutions to enable the end-users in today’s workplace.

We have consistently achieved the highest levels of accreditation (ISO 9001, 27001, ISO/IEC 20000) from national bodies to provide confidence that the systems we develop can be used at highly classified levels of cyber security (OFFICIAL-Sensitive or Sensitive).

To start your Cyber Security journey with us please fill in the contact form or call us on 023 8202 0300.

Get in contact with us today

To find our how Nine23 can help you start your digital transformation journey today!