Zero Trust and Social Capital

Riverbank Ruminations; Observations from The Banks of The Technology River

Tom Evans ~  Ashton Engineer Emeritus

You would have to be almost completely removed from any use of computers to have missed the coverage of the SolarWinds attack and all the subsequent fallout. The full effects of that attack will probably not be known for some time to come. Interestingly, given the magnitude of the damage done, it is not so different from the attacks that happen daily. Note this comment:

SolarWinds hackers started with small gaps, infiltrated ever more sensitive environments, and finally reached a broad point of access to deploy malware: the official software updates that organizations rely on for security. As a result, we may be entering into a zero-trust era where nothing — not even well-known programs — can be implicitly trusted. Even the US National Counterintelligence and Security Center’s director is discussing zero trust.

“Zero trust” is a phrase that is being brought up more frequently as the analysis of the attack continues. This article underscores that attitude:

Many experts maintain it’s difficult to detect every digital footprint, especially when designed as a legitimate update, as the SolarWinds attack was launched. Other experts suggest the Zero Trust Architecture model could have prevented the attack, because this build philosophy is designed to not trust anything inside or outside its perimeters. Proponents of Zero Trust maintain even if the hackers did breach, they would have been stopped before getting as deep into Orion’s infrastructure as they did.

Trust No One

The concept of “zero trust” is simple: trust no one; trust no devices; trust no processes. In essence, there is no ‘perimeter’ around your business to protect. Even the computers on your own network are not implicitly trusted. Doing business under those constraints is obviously a challenge. How do you exchange data if you don’t trust the source? How do you send data if you don’t trust the recipient?

As you go deeper into “zero trust”, a lot of authentication is involved. Some of it can be done now; other types will require reworking networks. You will also encounter the idea of ‘least privilege’ – the idea that no user, computer or process has any more privilege than is needed to do the job. Sometimes the biggest offenders in the area of computer privilege are the executives who insist on being admins on their own machines. The upside of a truly ‘zero trust’ environment is that it is very secure, and that security extends well beyond the walls of the business. The pandemic certainly showed how important, and how difficult, it is to secure a workforce that is geographically spread out.

Efficiency or Effectiveness?

If security measures are implemented using the older paradigms and methods, usability is sacrificed for security. People being people, when security makes life difficult, it takes second place to getting the job done. People reuse passwords because they have too many. People share passwords because there is no good way for one person to cover for another (illness, vacation, etc.).

There is a principle called ETTO which can use this exact graph to illustrate the trade-off between efficiency and thoroughness:

Based on the Wikipedia definition, the efficiency-thoroughness trade-off principle (ETTO principle) explains that “there is a trade-off between efficiency or effectiveness on the one hand and thoroughness (such as safety assurance and human reliability) on the other. In accordance with this principle, demands for productivity tend to reduce thoroughness while demands for safety reduce efficiency.”

Do you want people to be thorough? That will impact efficiency. Do you want them to be efficient? That will impact thoroughness. This is important when we want employees to be thorough when deciding whether to click on a link or not. Should this wire transfer be processed? Should this invoice be paid?

Social Capital

This leads to the idea of social capital. Robert Putnam wrote a book called Bowling Alone that discusses this idea:

When a group of neighbors informally keep an eye on one another’s homes, that’s social capital in action. When a tightly knit community of Hassidic Jews trade diamonds without having to test each gem for purity, that’s social capital in action. Barn-raising on the frontier was social capital in action, and so too are e-mail exchanges among members of a cancer support group. Social capital can be found in friendship networks, neighborhoods, churches, schools, bridge clubs, civic associations, and even bars. The motto in Cheers “where everybody knows your name” captures one important aspect of social capital.

If businesses expect employees to act in ways that help keep the business secure, the business needs to act in ways that generate social capital. While ‘zero trust’ is the security stance, companies need to build trust with their employees so that the employees understand it is needed and beneficial. If that trust is there, the need for security will be understood as a need of the ‘community’ (the business), security will become pervasive, and it will be seen as beneficial instead of onerous.

Interested in implementing “Zero Trust”? Call Ashton Technology Solutions at 216-397-4080.
