Zero Trust: Guilty Until Proven Innocent

This guest post was contributed by Jason Meller, CEO & Founder of Kolide.


Let’s face it: Zero Trust has a big branding problem. John Kindervag, former VP and Principal Analyst at Forrester, coined the term in 2010 around a simple philosophy, “that security professionals must stop trusting packets as if they were people. Instead, they must eliminate the idea of a trusted network (usually the internal network) and an untrusted network (external networks). In Zero Trust, all network traffic is untrusted.” While this line of thinking is productive when discussing the security architecture of devices and other digital equipment, teams need to be careful not to let it spill over into their policy toward an employer’s most valuable asset: its people.


Unfortunately, in practice, the principles of Zero Trust are often inappropriately applied beyond the network to the end-user. Instead of networks, people become guilty until proven innocent. Taking the next logical step, Security and IT teams that do not trust their colleagues implement invasive surveillance and excessively lock down workstations. They frequently bombard their employees with ill-conceived phishing simulations that are more likely to humiliate their targets than to educate them. When the concept of Zero Trust is perverted to justify a Kafkaesque culture, it undermines both the program’s original goal and the ethics and values of the organization.


Organizations take the time to define their values because they know how important those values are to their long-term success. They expect employees to embody these values every day through their work, forming relationships with their cross-functional teams to help build a robust ethical culture. They expect them to build relationships based on trust. How can employees trust an IT team that lacks transparency and implements policies based on zero trust of the user instead of the network?


With the recent surge in remote work, more users are concerned about their privacy than ever before. IT teams have been forced to rethink their strategies, often at the expense of the end-user. Users who don’t have the energy to justify daily why they need access to resources often turn to their personal devices to dodge surveillance and performance issues, creating a new and more dangerous problem: shadow IT. The strained relationship between IT and the end-user can push users into becoming untrustworthy, often out of desperation, which in turn encourages IT and security practitioners to advocate for even more aggressive Zero Trust policies.


To begin to repair the relationship, it’s critical that IT teams establish Zero Trust policies that consider the needs of users. Before blindly buying software, organizations should establish a working group with representation from human resources, privacy experts, and, yes, the end-users themselves. This group can define rules of engagement for IT and security teams interacting with devices that may contain personal data and communicate those rules well to both the security team and the employees.


Without a strong focus on transparency and empathy for end-users, even the most well-meaning Zero Trust methodology can quickly spiral out of control. Policies built on not trusting end-users can do lasting damage to the organization’s reputation and its relationship with employees. Organizations looking to realize the many benefits of Zero Trust and its trendy branding should instead rework their approach based on honesty, education, and verification.


###

About the author:


Jason Meller is the CEO and co-founder of Kolide, an early-stage, Boston-based cyber security startup. Jason has spent his 10-year career building technology that enables cyber security professionals to protect their interests from the threats they will face. Before founding Kolide, Jason served as Chief Security Strategist at the publicly traded cyber security firm FireEye. There, he was responsible for conceptualizing, building, and deploying key products, including their managed services and threat intelligence offerings.