Government agencies must rethink trust: Notes from DoDIIS 2019
Decisions around trust are top of mind for agencies that are establishing next-generation security policies. Recently at DoDIIS, Eric Trexler, Vice President of Global Governments & Critical Infrastructure at Forcepoint, discussed how trust is changing and offered advice for agencies considering how to balance trust and security. The following is a summary of his presentation.
Innovation thrives when people can collaborate in a trusted manner, leveraging data creatively and freely through technology. This intersection is also the point of greatest vulnerability for agencies and the primary source of security breaches -- driving cyber risk to all-time highs.
Security policies are traditionally based on broad decisions of trust – or distrust – with rules based on people, devices, systems, and infrastructure that make up the overall IT environment. But this type of situational “trust” isn’t really trust at all -- it’s a privilege-based system and it’s easy for an attacker to exploit. The only challenge today for the attacker is how to get in. And in this new era where the perimeter has all but vanished, old approaches to security and trust simply don’t work.
Security is Changing
In the old days, cybersecurity operated more like fortifications around a castle. In this traditional model, everything outside was bad and everything inside was assumed good. But in 2019, attackers will stop at nothing to steal our identities, evade detection through new techniques, and bring disruption to our doorsteps. The stakes are high, and the world more connected than we could have ever imagined. Diverse technologies like cloud apps and IoT have also changed the way we work and interact with our data and have contributed to rendering the old threat-centric security model obsolete. This diversification has made it much harder to identify good and bad behavior leading to an ambiguous “gray space” – which in turn has made it much harder for security teams to know when to intervene.
Modern security fails if it does not consider the insider. Today, insider threats are not even necessarily malicious in nature; they can easily stem from laziness or even an honest mistake. Security must now assume every person in your organization has the potential to compromise your network – maliciously or accidentally. In fact, security teams must now assume their domains are already compromised -- and agencies need to take a very different approach to trust.
Trust is essential
Our study in partnership with Harvard Business Review Analytic Services suggests that instances of trust breaches are increasing, as it reports that nearly two-thirds (63%) of senior executives at large global organizations state that trust among people, businesses and institutions has declined over the last two years. The paper finds that trust has negligible effects on success; it is this group of trust leaders who have gained a competitive edge for their businesses – improving their ability to partner, increasing employee productivity and enabling innovation to occur.
Everyone in an organization has a role in trust -- it is a two-way street. Within the employer-employee relationship, the employee trusts that the employer will pay them on time and treat them respectfully: the employer trusts that employees turn up on time and don’t harm the organization, accidentally or otherwise. The CEO ultimately leads the culture of trust, but the CISO is a key trust influencer in today’s evolving paradigm.
Trust is so woven into everything that we do that we're not really aware of how critical it is. Trust is a risk mitigation strategy and questioning and addressing the relationship between trust and risk is fundamental. More and more governments are learning to trust first responders, local law enforcement and citizens with data valuable to an investigation or to increase response times and to help ensure mission success. But trust is also contextual. If trust is broken, such as misuse of the trust by a certain organization, then the perceived risk of sharing this type of information in the future increases dramatically. Levels of trust are also nuanced based on the organization and its definition of what is considered acceptable risk. Overall, for businesses and governments to flourish within today’s digital transformation landscape, some level of trust is required, and some level of risk has to be acceptable.
In this new era, is Zero Trust the Answer?
Zero Trust came out of the idea that agencies must get away from the concept of “outside bad, inside good” because a lot of vulnerabilities get generated when you think of the world that way.
Zero Trust is evolving to a paradigm where instead of blindly extending trust, trust is earned, built and continuously confirmed. This paradigm shift has helped the industry move from the traditional model of “trust but verify” to “never trust, always verify.” Zero Trust utilizes different technologies and best practices centered around identity verification. Organizations pursuing a Zero Trust model assume compromise and try to make certain that, in the event of compromise, damage is as minimal as possible. However, some level of trust is essential and therefore the CIO and CISO must consider how policies are affecting trust within their organization.
Forcepoint’s human-centric approach to security takes Zero Trust one step further. Through our risk-adaptive security model we see an opportunity to enable Connected Trust. Meaning, for businesses and governments to flourish within today’s digital transformation landscape, some level of trust is required. And in this context, levels of trust are nuanced based on the organization and its definition of what is considered acceptable risk.
To establish Connected Trust, understanding of human behavior and intent is critical. Behavioral analytics today can be used to enrich security models by creating a baseline understanding of all “normal” behavior of digital identities on a network. This enables faster identification and classification of outlier and risky behavior. Behavioral risk scores for the vast majority of employees should be low over time, and thus employees have a verifiable measure of the trust that their employer should afford them to get their job done -- which positively impacts trust.
In a Connected Trust model, anonymized digital identities that deviate from their “normal” behavioral patterns trigger an alert that security administrators can react to quickly, as well as a relevant automated enforcement response based on the identity’s elevated risk score. As a result, security teams also know exactly where the problem lies—with a specific digital identity—and can focus automated enforcement efforts on observing or blocking specific activities based on the level of risk the activity represents, overall enriching security and maintaining a level of trust that the organization feels is acceptable.
- Trust is essential and is a two-way street.
- Agencies must be willing to re-evaluate strategies.
- The CISO is a trust influencer; the CEO ultimately leads the culture of trust.
- Connected Trust is a continuum between zero and permissive trust
- Understanding human behavior and intent will give IT visibility into the gray space and reduce cyber risk