Being held accountable but having no control. It's one of the worst feelings I know. Powerlessness. Unfortunately, it's all too common in cybersecurity.
We can't change being held accountable; it's part of what we do. But we can change what's under our control.
This can be done through knowledge and experience - a great place to start. But, in the long run, there's a more powerful tool - scope.
What do I care about?
What do I not?
Where's the boundary?
What's in scope?
The scope is at the start of every cybersecurity certification. This is the extent of what I care about and what I'm willing to protect.
The traditional view is that the scope of what you protect is the outer wall of the IT castle. Usually, the outside wall of your office building. But more precisely, where the cable comes out of the phone company's router.
I started my cybersecurity career designing computer networks. Each one began the same way. A piece of paper with a cloud containing the letters ROW - Rest of World.
I couldn't care about the rest of the world. It was too big. Too intractable. Like an ancient map, the cloud meant - it's the internet, there may be monsters, and it's unexplored.
The boundary between what I cared about and what I didn't was always marked with a firewall. A device that blocks or filters information entering and leaving your business. The firewall indicated - this is the extent to which I'm willing to be held accountable.
Twenty years ago, all the finance servers, customer databases, and file shares sat inside the network and behind the firewall. I cared about all of them. Websites, Google, and other customers' networks were outside.
Teams came into the office to get access to sensitive data. And if they were on the road, they used a VPN to create a connection back to the office, so you were "kinda in the office".
But that's not the way we work in 2022. Customer records are probably in Salesforce. Shared files in Microsoft or Google or Box. What's inside our IT castle walls has shrunk. Drastically.
So if the firewall is the boundary, can it be moved? Can I care about fewer things?
One way to think about Zero Trust is that the scope of your network has shrunk so much it only includes your team's laptops and tablets.
You certainly care about your data in third-party services. But not about how those third-party services are built or maintained. You trust that those companies are doing a good job with the basics of cybersecurity.
You have no trust in the network and internet between the islands of your team's laptops and your data. You don't know what monsters live in between and don't care. As before, the boundary is a firewall, just this time on your team's laptop or tablet.
Importantly, the scope of your control and what you're willing to be held accountable for are aligned and well-defined. Sure, the Zero Trust approach means you have to do some things differently, but it's under your control.
A Different (Not so Good) Approach
Last week, I reviewed a firewall proposal with a customer.
The customer was looking to avoid a costly renewal quote for their existing firewalls. A generous phone company had offered an alternative - a new "virtual firewall" to solve all the problems.
This wasn't a "software firewall" - we've had those for years - you're using one right now on your laptop. And it wasn't a firewall for your virtual machines - VMware has been selling vShield for years. This was something new. 🤔
This "virtual firewall" was a new managed firewall hosted by the phone company. Ten seconds into the conversation I knew the customer would be powerless.
The idea was to move the firewall from the customer's office to the phone company. It would be in the phone company's network... somewhere. The details were... fuzzy.
There was a picture of a cloud on the phone company's diagram. It meant, "You don't need to know about this bit of the network. To you, this is unexplored. There may be monsters."
Unfortunately, the cloud wasn't the Rest of World. It was inside the customer's network, inside what they cared about, and inside the boundary of accountability.
But they would have no ability to make changes. That cloudy bit of the diagram was the bit the phone company looked after. 😬
So, when something inevitably goes wrong, the best the customer can do is ask the phone company to fix it...
Or simply feel powerless.