Zero Trust: Process and the CIA Triad

Noted warrior poet Mike Tyson once said, “everybody has a plan until they get punched in the mouth.”

Even for successful companies, 2020 has been a giant, eight-month punch in the mouth. Plans have been made, scrapped, re-made, and scrapped again. Some organizations are thriving, but far more are trying to survive.

One key difference is process.

Plans, as Iron Mike points out, can be derailed. People can get rattled and make mistakes. Processes are all about absorbing the hit and punching back.

What a Good Process Is (And What It Isn’t)

One of the most common mistakes I see at an organizational level is mistaking policy for process. Both are important, but they are not interchangeable. Policies are guiding principles and directional strategies. Processes are tactical implementations of those policies across the organization.

A process must be repeatable. A process that changes every time is not a process. Even talented people (I would argue especially talented people) have a tendency to improvise when solving problems.

Process is indispensable in a PPT analysis of your cybersecurity model because it maximizes the value of both people and technology without letting your organization rely too heavily on either — arguably, the cornerstone of Zero Trust.

Additionally, process is the most controllable of all security factors. You can’t dictate when a person might leave your organization or when a piece of technology will become obsolete, but you can absolutely control, and constantly improve, the processes that helps you manage both.

Here’s how analyzing your security processes through the CIA Triad can help take your culture to the next level.

Confidentiality

One of the simplest processes to look at through the lens of confidentiality is your organization’s password reset process. Many organizations require passwords to be reset by the IT team. We have a process that leverages a self-service password reset portal to maximize confidentiality and Zero Trust.

This ensures only the person who needs the password gets it and reduces the number of touchpoints (i.e. an email from your team to the employee) where confidential data could be compromised.

It’s also important to have solid processes around audit logs to ensure people are who they say they are. Companies often focus on growth and processes for things like onboarding new users and managing data after a termination have to catch up.

Establishing good processes around confidentiality early on helps you stay ahead of the game and avoid the punches a lot of companies don’t see coming until it’s too late.

Finally, it’s important to manage your process in a Zero Trust capacity. In other words, don’t let your processes designed to prevent leaks…get leaked.

Integrity

While processes are, by nature, repeatable and consistent, they should not be treated as “set it and forget it.” Analyzing the integrity of your processes means testing them on a consistent basis.

One of the core functionalities of security processes – whether built around people and data or hardware and software – is the detection of changes. This means regular tabletop exercises to test the processes that prevent unwanted changes and scan malware.

As security professionals, it is our responsibility to keep a clear-eyed view of all intrusion detection. This includes accidental alterations, as well as intentional malicious attacks from inside users. Even in a Zero Trust environment with processes to ensure individual users’ credibility – background checks, etc. – regular pen testing is critical to maintaining organizational integrity.

Additionally, you should be implementing backup processes to restore and recover data with minimal loss in the event of a breach.

Availability

There are two questions you should be able to answer at this very moment:

1. Where does your organization store its processes?
2. Could someone in the organization access them tomorrow if you weren’t there?

If you’re reading this, there is a very good chance you are “the guy” at your organization. And as “the guy” it is your responsibility to have a process in place for the organization to operate securely and smoothly without you.

I once got a call on my personal phone from a former co-worker six month after leaving that organization for a new opportunity. They needed a code.

I was “the guy” with the code when I was there. We hadn’t developed a process to access the code after I left. Why? It never came up and we were busy with other things. Even after I had left, they hadn’t needed it for six months. As a result, they had to scramble in the midst of a crisis.

Personnel changes, natural disasters, breaches and incidents. All of these circumstances need to be covered in the availability of your processes because none of them are the time to define or test.

Organizational Confidence & Zero Trust

A few years ago, I worked for a company that had a formal process for how to manage our security operations in the event of a plane crash near the office.

To be fair, our office was located next to a large international airport, but it still felt like an extraordinary hypothetical. What were the odds of a plane crashing on the airport runway? Maybe similar to a flash flood in the desert or… a global pandemic?

The one thing we’ve learned in this year of absorbing punches is that you must be ready for anything.

When things are going smoothly, your stakeholders will have confidence knowing you’ve planned for anything. When things get crazy, they’ll stay confident as they see you punching back.

---

This is a multi-part series covering PPT in Cybersecurity’s CIA Triad. See Part 1 here.