Zero trust
Let's start with a quick story about a crown belonging to a king in a land far, far away. The king was very attached to his crown, so he placed guards at the castle entrance, set one to patrol the walls, posted a few in the turrets to watch for approaching threats and even had one sleep beneath his bed. Still he trusted no one, so he consulted a wise old cryptographer, who made a replica of the crown, locked the original away and left the fake in its place. From that day on the king slept peacefully: even if a thief got in, he would only get away with the fake, which was of no value or use to him.
As you can see, traditional security, or what we now call cyber security, places guards everywhere: intrusion detection, threat analysis, even self-learning AI and extended detection and response.
Cryptography takes a different approach. It removes the value of the target by replacing the crown with a fake, so that whoever gets in leaves with nothing worth having. This not only provides peace of mind but also supports the wider cyber security programme, because a determined thief will eventually get in, insider threats are always possible and vulnerability patching never ends.
Crypto framework
The crypto framework consists of six interconnected, mutually dependent layers which, if built correctly (the golden thread), establish trust in people, processes and technology. An incorrectly implemented layer breaks the thread. The usual example is PKI with its dependency features switched off, such as revocation checking or client-side certificate verification, a condition that affects over 98% of all enterprises. Once the thread is broken you can no longer effectively trust identities, and a zero trust architecture is out of reach.
Cryptography that is focused on the crown (your data), what we call data centric, by its very nature trusts no one: it verifies everything, people, processes and technology alike, which is what today we call zero trust. Digitally, that verification is performed with only two primitives, certificates and keys, managed within a crypto framework.
This is easier said than done, because verification introduces a dependency by design: the verifier must hold the right certificate or key, and the means to check it, before anything is trusted. That dependency is good for data sovereignty, for remaining in control of your cloud data and for implementing zero trust. It is also exactly the dependency that IT has removed from several solutions (disabling revocation checks or client-side verification, for example), introducing a risk that may have been acceptable in the past; restoring it is key to implementing zero trust today.
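The two PKI dependencies named above, revocation checking and client-side verification, are easy to see in code. The following Go program is an added example, not code from the original article or from any product it names. It builds a constructed in-memory PKI (a self-signed root CA, two leaves it issued, and a CRL that revokes one of them; the CA name, hostnames and serial numbers are hypothetical) and contrasts chain-only verification, which is what a client does with revocation switched off, with verification that also demands a fresh, issuer-signed CRL. Go's standard library deliberately leaves revocation to the caller, so the CRL check is written out by hand here.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrRevoked is returned when the leaf's serial number is listed in the issuer's CRL.
var ErrRevoked = errors.New("certificate is revoked")

// must panics on error: the example fixture is meaningless if any generation step fails.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue has signer (the parent's key) sign tmpl and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub crypto.PublicKey, signer crypto.Signer) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// BuildFixture builds a constructed, in-memory PKI (nothing touches disk or network):
// a self-signed root CA, two leaves it issued, and a CA-signed CRL revoking the second.
func BuildFixture(now time.Time) (ca, good, revoked *x509.Certificate, crl *x509.RevocationList) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // hypothetical name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign: this CA may sign CRLs
	}
	ca = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	var leaves [2]*x509.Certificate
	for i, host := range []string{"app.example.internal", "old-app.example.internal"} { // hypothetical hosts
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		must(err)
		leaves[i] = issue(&x509.Certificate{
			SerialNumber: big.NewInt(int64(1001 + i)),
			DNSNames:     []string{host},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}, ca, &key.PublicKey, caKey)
	}
	// The CA revokes the second leaf; the CRL is signed with the CA key and is fresh for 12 hours.
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaves[1].SerialNumber, RevocationTime: now}},
	}, ca, caKey)
	must(err)
	crl, err = x509.ParseRevocationList(crlDER)
	must(err)
	return ca, leaves[0], leaves[1], crl
}

// VerifyChainOnly is a client with revocation switched off: signatures, validity and hostname only.
func VerifyChainOnly(leaf, root *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: leaf.DNSNames[0], CurrentTime: now})
	return err
}

// VerifyWithRevocation restores the dependency: an issuer-signed, fresh CRL that does not list the leaf.
func VerifyWithRevocation(leaf, root *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	if err := VerifyChainOnly(leaf, root, now); err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("CRL not signed by the trusted issuer: %w", err)
	}
	if now.After(crl.NextUpdate) { // fail closed: a stale CRL does not mean "nothing is revoked"
		return fmt.Errorf("CRL is stale (nextUpdate %s)", crl.NextUpdate.UTC())
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("%w: serial %s revoked at %s", ErrRevoked, leaf.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return nil
}
```

On the fixture, VerifyChainOnly(revoked, ca, now) returns nil while VerifyWithRevocation(revoked, ca, crl, now) returns ErrRevoked; the unrevoked leaf passes both. A CRL past its nextUpdate makes VerifyWithRevocation fail closed rather than quietly degrade to the chain-only result, which is the choice a "soft-fail" revocation setting makes on your behalf. Checking the CRL's signature before trusting its contents matters just as much: an unsigned or attacker-supplied revocation list is no better than none.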
Looking closer at the crypto framework
The framework is not a point solution or a specific application but a set of mandatory layers; existing or new solutions are mapped onto those layers to meet the framework's requirements. Enterprise size, priorities and existing vendor relationships then determine vendor selection, all in service of the enterprise's zero trust objectives.
"Stop buying point solutions without a strategy!" The important dependencies to understand are that identities rely on a secure PKI anchored in a root of trust (ROT), and that the enterprise key manager relies on those identities to secure sensitive data.
Step-in, step-up crypto framework
The framework allows an enterprise to step in at any layer and step up towards zero trust. Some solutions only need their master keys placed in a root of trust (ROT), as with CyberArk; some need a different authentication approach based on certificates rather than bare keys, as with SSH; others are best served by an enterprise KMS for compliance, interoperability and re-use of infrastructure, with the added benefit that the KMS can also serve the applications, databases and flat files residing on those platforms, as with VMware.
Next step
The framework can be broken down into three audit areas, giving the enterprise a clear picture of how verification is currently deployed across the estate and what plan is needed to reach a zero trust architecture. From there it becomes a business decision, taken layer by layer with the step-in, step-up approach.