Extreme Prejudice

Security

22.12.2021
David Mantock, CISO, Chief Information Security Officer

"Zero Trust". This sounds harsh at a time when it is important to us to manifest values such as freedom, equality and harmony as the basis of modern civilization. However, in the field of cyber security, this principle has become inevitable.

Let me tell you a story about a police operation, gangsters, weapons and "extreme caution" so that you can understand what I mean. And by the way, since this is a blog about Cyber Security, it can be quickly understood. Here goes:

Some time ago I was travelling through Kenya and took a bus from Kakamega to Nairobi. The journey was pleasant as our bus hummed for a long time in the chill of the night. There was no sign that drama was about to unfold. When travelling by road in this part of the world, security checks are not the exception but the rule.

So when we boarded the bus at the beginning, similar to the airport, people checks were carried out and our hand luggage was checked. So far, so good. As the journey progressed, however, our bus was stopped and searched more than once. Again, quite routine: get off, let the officials search the bus - get back on and continue the journey. But then there was an éclat when armed plainclothes policemen entered the bus. There was no doubt that they were up to something. Three armed officers patrolled up and down the aisle as they scrutinized each of us. When the focus fell on one suspect, what looked like a routine check turned into a potentially deadly situation in an instant:

At the very moment the officers were eyeing the suspect, they were shouting to the other passengers to put their hands up. They knew from experience that this could be the most dangerous part of their operation, so they did their best to eliminate possible collaborators.

Thus, without exception, we were all treated with extreme prejudice. From the information the officers had received, they were aware that two other suspects were hiding somewhere on that bus. Although they appeared to be acting in a hostile manner, they were trying to protect their lives and ours. How would you act if your life and the lives of others were at stake?

Fortunately, with their relentless approach, they were able to flush out the remaining bandits and we were able to continue safely to Nairobi. If the gangsters had succeeded, you can imagine how bad the consequences could have been.

Now for the security part: In 1994, Stephen Paul Marsh[1] developed the concept of Zero Trust mathematically. One of its principles is that the concept is more than distrust or, as I put it, "extreme prejudice".

Technically, the principles of Zero Trust[2] are simple:

  • Explicit Verification (authenticating and authorizing every time, using all available data points)
  • Least Privilege Access (limiting each user to access that is sufficient and time-limited)
  • Assume Breach (minimizing the action radius and segmenting access)

Regardless of network location (internal or external), every user who attempts to access valuable business data is treated as guilty until proven innocent.
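To make the three principles concrete, here is a small access decision check. It is an added illustration, not code from the original post or from any product; the names `Grant`, `Request`, `decide` and `sample`, as well as the user and segment values, are made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    """Just-in-time grant: one user, one segment, named actions, hard expiry."""
    user: str
    segment: str
    actions: frozenset
    expires_at: datetime

@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool
    device_compliant: bool
    on_internal_network: bool  # kept for logging; decide() never reads it
    segment: str
    action: str
    at: datetime

def decide(req, grants):
    """Return (allowed, reason). Deny is the default outcome."""
    # Explicit verification: identity and device are checked on every request.
    if not req.mfa_verified:
        return False, "identity not verified"
    if not req.device_compliant:
        return False, "device not compliant"
    # Least privilege / assume breach: only an unexpired grant for exactly this
    # user, segment and action allows access, so a stolen session stays boxed in.
    expired = False
    for g in grants:
        if (g.user, g.segment) == (req.user, req.segment) and req.action in g.actions:
            if req.at < g.expires_at:
                return True, "granted"
            expired = True
    return False, ("grant expired" if expired else "no matching grant")

# Constructed sample data.
NOW = datetime(2021, 12, 22, 9, 0, tzinfo=timezone.utc)
GRANTS = [Grant("alice", "finance-db", frozenset({"read"}), NOW + timedelta(hours=1))]

def sample(**overrides):
    """Build a request from a fully verified baseline, changing only `overrides`."""
    base = dict(user="alice", mfa_verified=True, device_compliant=True,
                on_internal_network=False, segment="finance-db", action="read", at=NOW)
    return Request(**{**base, **overrides})

if __name__ == "__main__":
    print(decide(sample(), GRANTS))
    print(decide(sample(on_internal_network=True, mfa_verified=False), GRANTS))
    print(decide(sample(segment="hr-db"), GRANTS))
    print(decide(sample(at=NOW + timedelta(hours=2)), GRANTS))
```

Being on the internal network changes nothing in the outcome: the second request is denied even though it comes from inside, and the first is allowed even though it comes from outside.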

And make no mistake: today's cyber threats are just as serious as the tensions we experienced on that bus to Nairobi. If you've concluded that those Kenyan officials were heroic - and believe me, they were - then perhaps it's time you considered "extreme prejudice" as part of your cyber security strategy. In today's threat landscape, this is the only way to protect our data, which is so important to us in our everyday lives.

[1] Source: Wikipedia: https://en.wikipedia.org/wiki/Zero_trust_security_model

[2] Microsoft Zero Trust: https://www.microsoft.com/en-us/security/business/zero-trust
