Acknowledging the black swan in the room, how can we make a flexible BCP/DRP? Quick summary of strategy, tactics, and disaster scenarios.
Watch more videos on my YouTube channel.
Reinforce Values – Design Monday
April 20, 2020Bas van Abel found his personal values in conflict with his technology use. Namely, his phone. He set out to bring these two into alignment and, in doing so, designed a phone and launched a company in 2013.
The Fairphone aims to be as socially conscientious as possible throughout the supply chain and throughout the lifecycle. Fair mining of raw materials. Fair manufacturing conditions. Fair trade. Also, dear to the hacker ethic? Repairable and modifiable. Build a fairer phone, build a fairer world, that was the design inspiration. You can listen to Bas van Abel on the TED stage: Changing the Way Products Are Made.
People have strong personal values. Companies have corporate values. Hopefully, these values are in alignment. Ideally, people and companies follow their values. If they don’t, well, then values aren’t much of a design consideration. But when we have stakeholders with strong values or a value-driven corporate culture, adoption of our security controls goes much faster and much farther when the security design reflects those same values. Before you think IT security can’t reflect values, remember people thought the same about phones before Fairphone.
It will take work to frame the initiative in terms of values. For example, imagine our initiative is a Zero Trust Architecture and our corporate values include an open culture and a culture of trust. At first glance, the security and the value are at odds. But hold on. What if we position ZTA to increase the openness where possible, while reducing access only where risky? Good. What if we use ZTA as a technology to codify a culture of trust? Better. This example is one initiative but the idea scales. We can design a full security program, say with NIST controls, tied to strongly held corporate values.
If it can be done with a smartphone, it can be done with a security capability. Reinforce organizational values to gain support, speed implementation, and further adoption.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
CSO: Implementing Zero Trust
April 15, 2020Having a vision and a specific use case help get companies started toward Zero Trust implementation.
Excerpt from: Zero Trust Part 2: Implementation Considerations
A piece of advice at the outset: “Don’t do too much too fast,” says Wolfgang Goerlich, CISO Advisor with Cisco. “Have specific goals, meaningful use cases, and measurable results.”
To build momentum, start with a series of small Zero Trust projects with deliverable milestones, and demonstrate success every few months by showing how risk has been reduced.
“We need to show the board progress. With specific initiatives aimed at specific use cases, we can demonstrate progress towards Zero Trust,” Goerlich says. “You build momentum and a track record for success.”
Read the full article: https://www.csoonline.com/article/3537388/zero-trust-part-2-implementation-considerations.html
This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category. Do you want to interview Wolf for a similar article? Contact Wolf through his media request form.
Zero Trust Security Model – Take Five for CyberSecurity
April 13, 2020Zero Trust is a lot like Blade Runner. Everything looks fine. But if we ask a few questions, things can turn out to be completely different.
Watch more videos on my YouTube channel.
Prioritizing use cases – Design Monday
April 13, 2020Roberto Giolito has the distinction of winning Car of the Year and Ugliest Car. Both from Top Gear. Both in the same year. Both for the same car. That would be the Fiat Multipla.
To call the Fiat Multipla ugly is to miss the point. It certainly is no looker. The length is shorter than a typical car. The height? Taller. The resulting car looks squat and boxy. But as they say, beauty is on the inside. In fact, the New York Museum of Modern Art (MOMA) showcased the interior. The dash is as highly usable as it is highly unconventional. It seats six comfortably. The large windows create a feeling of space. Small but spacious and maneuverable. The point of this car is to completely satisfy one use case: living the European life while driving the crowded European streets.
When we are designing security capabilities, we start with the use cases. No, that’s too many use cases. Put one back. Still too many, put another one back. There. Good. We start with a few specific use cases and then get to work. Our goal is to fully satisfy these use cases given our limited resources. We will have to make trade-offs. That’s the nature of prioritizing. And when we do? Think of Roberto Giolito who let his design be ugly where it didn’t matter, in order for the design to be Car of the Year where it did matter. Ruthlessly prioritize. Dare to be ugly.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
CSO: Demystifying Zero Trust
April 10, 2020Despite the fact that Zero Trust has been around for a decade, there are still misconceptions about it in the marketplace.
Excerpt from: Zero Trust Part 1: Demystifying the Concept
Zero Trust is not one product or solution. Better to think of it as an approach, says Goerlich.
“Zero Trust is trusting someone to access something from somewhere,” he says. “Is it an employee, an application, a device? What is it accessing? What was can we determine if we trust this request? At the end of the day, Zero Trust means providing a consistent set of controls and policies for strong authentication and contextual access.”
The term was coined by Forrester Research in 2010. It was established as an information security concept based on the principle of “never trust, always verify.” Since then, the National Institutes of Standards and Technology (NIST) has produced comprehensive explanations and guidelines toward the implementation of Zero Trust architecture framework.
“NIST has a draft standard that dictates their view of Zero Trust — what the principles are, and what an architecture looks like,” Goerlich says. “The U.K. NCSC has done the same. Zero Trust has matured, and the need for it is now in sharp relief due to changes in the market and the way we use technology.”
Read the full article: https://www.csoonline.com/article/3537189/zero-trust-part-1-demystifying-the-concept.html
Wolf’s Additional Thoughts
I am leading a series of Zero Trust workshops this year. One concept I always stress: we’re applying existing technology to a new architecture. If you think back to Role Based Access Control (RBAC) was first being standardized, we used off-the-shelf x.509 directories and existing Unix/Windows groups to do it.
Now of course, better products offer better solutions. But the point remains. The application of existing standards to realize the principles of Zero Trust brings the concept beyond hype and into reality. Moreover, it makes it much easier to have confidence in Zero Trust. There’s no rip-and-replace. There’s no proprietary protocol layer. We’re simply taking authentication and access management to the next logical level.
Want to know more? Watch my calendar or subscribe to my newsletter to join an upcoming workshop.
This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category. Do you want to interview Wolf for a similar article? Contact Wolf through his media request form.
Kicking off a Security Project – Take Five for CyberSecurity
April 9, 2020What can we learn from people who develop title sequences which start our favorite television shows? And what does good look like, for starting projects?
Watch more videos on my YouTube channel.
Password self service for Active Directory – Take Five for CyberSecurity
April 7, 2020Considerations when implementing password resets. What factors do you verify the person with?
Watch more videos on my YouTube channel.
Securing ElasticSearch – Take Five for CyberSecurity
April 6, 2020An ongoing attack has wiped data on more than 15,000 ElasticSearch servers. That’s about a third of all the Internet-facing ElasticSearch instances. Good time to review how to secure this resource.
Watch more videos on my YouTube channel.
Future-Proofing – Design Monday
April 6, 2020IT security leaders envision future security capabilities. Capabilities like Identity and Access Management or Threat and Vulnerability Management. Capabilities which enable the organization while disabling the attackers, built upon processes and technology. But there’s a problem. The technologies change. The threats change. Putting aside those change, we have to acknowledge that people aren’t adept at predicting the future. How do we design for the unknown while embracing our shortcomings?
By taking a page from Joe Colombo’s book. Colombo designed a series of futuristic rooms and furniture. The main goal of his design was variability. Each piece was versatile and modular. The overall room was reconfigurable and adaptable. “My design experiences try to create an evolutionary link between current reality and future,” is how Colombo described it. Evolution favors flexibility. As it is in biology, so too in technology.
When deciding between two options, choose the one with the greater variability. This increases the possibilities for handling future threats or technologies. We won’t always get it right. Take just technology. One of Colombo’s pieces couldn’t be produced until the plastics industry caught up. It took nearly 50 years, with the 4801 Armchair finally reaching production in 2011. That said, it’s better to have an unused possibility than have a need that the design can’t meet. To future-proof a security capability, design for versatility.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.