Recently, a friend of mine posted a picture on LinkedIn of a T-shirt he had made, featuring the quote “Trust is a vulnerability.” This post went somewhat viral, which made it clear to me that people are really understanding the essence of Zero Trust.
Early on, when I first started looking at the fundamental problems in network security, I realized that trust was the thing people were taking advantage of and exploiting. Trust is no different from a vulnerability in Apache Struts. It’s something we must address in our organizations and digital systems as much as any software vulnerability. And if we’ve learned anything from recent data breaches, it’s that vulnerabilities are what get exploited, and all vulnerabilities must be mitigated.
So why do we have this problem with trust in the first place? It’s because we have anthropomorphized the network, treating it as though a person is on the network, when in fact that is not the case. People are not on the network; packets are. Packets are essentially just big bundles of photons or electrons that move across some kind of cable. Why would we ever provide extra privilege to a set of electrical impulses based upon the physical location to which they have just moved?
All data breaches are, ultimately, breaches of trust. That’s why names like Snowden and Manning should give every cybersecurity professional the shivers – because both of those data breaches were exactly that: breaches of trust. Each attacker exploited their status as a trusted user to access data they didn’t actually need to do their job. Because we have confused the trustworthiness of human beings with the trustworthiness of packets, we have created this problem ourselves.
However, I’m not saying that people aren’t trustworthy. I’m saying that people are not packets.