
RSA 2019: Has Zero Trust Become an Impediment?

RSA CEO Rohit Ghai and former Chief Strategy Officer Niloofar Razi Howe’s keynote today could have been re-titled “Standing in the Bleak Landscape of Zero Trust.” It has become an impediment, they said.

Should I be defensive, having jumped on the buzzword bandwagon a bit myself? Hopefully not; see my perspective illustrated in the three circles above. But let this be my second zero trust blog post, and we will see. Read on for a critical review of the RSA keynote, like the one I did last year.

A Vast Untamed Wasteland

Academy Award-winning actress Dame Helen Mirren kicked off RSA 2019 with a positively Shakespearean plea for hope in the face of fear. “Many of you patrol a vast wasteland all on your own…you are a hero with a million faces, each turned to battle a collective danger…Lean on each other to build a better future together.”

Ghai and Howe continued on the somber note (I paraphrase liberally): “The year is 2019. We still have water, we still have trust, but there was a time we almost ran out of both.” They discussed the present: “Consumers began trusting complete strangers through peer-to-peer sharing economy platforms…but they lost trust in institutions…Nation state influence campaigns sowed chaos.”

And carried on into the near future, from an imaginary point of view in 2049: “By 2025 half of the Americans lost faith in democracy…the line between fact, misinformation and opinion blurred…social media caused so much polarization that fact-based discussions almost disappeared.”

And, as new, ubiquitous satellites enabled a legion of Wikileakers and cast a glaring spotlight of transparency: “During the 2020s we faced what came to be known as the trust crisis…data was the life blood of the economy and as trust failed we had global trade wars…balkanization into multiple internets…a cyber wall was built.”

Back to the Future (of Trust)

By the year 2049, Ghai and Howe predict we’ll be in the bio-digital era. “The key to winning in the bio-digital era is trust – but are we trustworthy? Water almost ran dry in Cape Town, Cairo, Jakarta…[other cities]…and so it went with trust…Trust is to the internet what water is to life.”

Three ideas did (or hopefully will) save us. Paraphrasing some more:

  1. Risk Management guides security
  2. Humans and Technology combine to create trustworthy systems
  3. A Global Reputation system restores trust to business and governance

Risk Management Guides Security

Ghai and Howe quoted William Gibson, of Neuromancer fame: “The future is already here – It’s just not very evenly distributed.” Today, almost everyone at least pays lip service to risk management, but few organizations do it well. Instead, prevailing attitudes and approaches to security are so irrational that I’ve launched my own Rational Cybersecurity project. We’ve got a lot of work to do, but Ghai and Howe set some hopeful predictions and worthy goals for 2049 (or hopefully sooner):

  • Businesses will perform automated risk identification, map risks to business impacts, decide and prioritize risk treatment.
  • We will learn to manage risk through resiliency, not lock down. As cyber risk is the largest risk to digital business, enterprise risk and digital risk converge.
  • Pervasive technology will be risk-aware and adapt automatically to changing conditions.
  • Data will be labeled. People will own and have full control over their personal information. Managing data governance and provenance will be an essential competency.
  • Third party risk will be greater than first party risk. Owning and managing risk will be the new normal, but also enable innovation and use of information.
  • Every Board of Directors will use objective metrics to quantify risk in business decisions.

Humans and Technology Combine to Create Trustworthy Systems

The attack surface will keep growing, leading to the need for Ghai and Howe’s second idea.

  • Artificial intelligence will not be the panacea. It had a rough start due to inflexibility, built in bias, lack of adversary resistance, and an opaque appearance to users and stakeholders. “Trust me, the machine said.”
  • Who do you trust? Humans are easily manipulated by emotion. Machines, by small tweaks to the data.
  • Ghai: “Zero trust became an impediment. So we applied an old concept called ‘pair programming’…This led to the age of augmentation…More trust in human and machine together…Trustworthy twins.”
  • Humans will retain the creative role, using their ability to imagine what questions to ask, to do investigative work like cybersecurity.
  • Security operations centers (SOCs) will have an ocean of data. Humans will ask the questions, machines provide the answers.

A Global Reputation System Restores Trust to Business and Governance

The “trustworthy twins” will enable us to surmount a growing attack surface, but for one problem: Adversaries too can leverage human-machine augmentation. It will become a battle of twins versus twins. Fortunately, a global reputation system could give defenders the edge.

  • Global reputation systems will work like a distributed ledger of deposits (good deeds add reputation) and withdrawals (bad deeds reduce it).
  • In the early Internet era information was jealously guarded, too little shared. In recent years we have discovered the value of exchanging data on attack techniques.
  • In the bio-digital era, we will operate from an expectation of honesty, accountability, and radical transparency – though not perfection.
  • We will apply ideas from blockchains to build a “Trustlink” for threat reporting and risk reporting of both good and bad events.
  • Organizations will label products and services with a digital score. The trust/risk quotient will become as important as the Price/Earnings (PE) ratio in the market.
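The “ledger of deposits and withdrawals” idea above is easy to state but the security property it buys is worth seeing concretely. The following is an added example, not code from the keynote or from any real reputation system: a minimal hash-chained ledger in which each entry commits to the previous one, so that silently rewriting a past withdrawal into a deposit is detectable. The party names, amounts and reasons are constructed for illustration.

```python
"""Added example (not from the original post): a minimal hash-chained
reputation ledger. Each entry is a deposit (+) or withdrawal (-) against a
party, linked to the previous entry's hash so that rewriting history is
detectable. Names, amounts and reasons are constructed for illustration."""
import copy
import hashlib
import json
from typing import Dict, List

GENESIS = "0" * 64  # hash the first entry links to


def entry_hash(entry: Dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equivalent entries
    # always hash identically, regardless of dict insertion order.
    fields = {k: entry[k] for k in ("prev", "party", "delta", "reason")}
    data = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def append(ledger: List[Dict], party: str, delta: int, reason: str) -> Dict:
    """Append a deposit (delta > 0) or withdrawal (delta < 0) for a party."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"prev": prev, "party": party, "delta": delta, "reason": reason}
    entry["hash"] = entry_hash(entry)
    ledger.append(entry)
    return entry


def verify(ledger: List[Dict]) -> bool:
    """True only if every entry's hash is correct and links to its predecessor."""
    prev = GENESIS
    for e in ledger:
        if e["prev"] != prev or entry_hash(e) != e["hash"]:
            return False
        prev = e["hash"]
    return True


def reputation(ledger: List[Dict]) -> Dict[str, int]:
    """Net reputation per party: deposits minus withdrawals."""
    scores: Dict[str, int] = {}
    for e in ledger:
        scores[e["party"]] = scores.get(e["party"], 0) + e["delta"]
    return scores


def demo():
    """Build a small ledger, then show that tampering with an entry is caught."""
    ledger: List[Dict] = []
    append(ledger, "acme", +5, "published timely breach notice")
    append(ledger, "acme", +3, "shared indicators with its ISAC")
    append(ledger, "acme", -8, "failed to disclose an incident")
    ok_before = verify(ledger)

    tampered = copy.deepcopy(ledger)
    tampered[2]["delta"] = +8  # quietly turn the withdrawal into a deposit
    return ok_before, verify(tampered), reputation(ledger)


if __name__ == "__main__":
    print(demo())  # (True, False, {'acme': 0})
```

The caveat a practitioner would want: an attacker who also recomputes the hash of the entry they changed, and of every later entry, produces a chain that `verify` accepts. The hash chain only detects tampering when the current head hash is held somewhere the attacker cannot rewrite, which is exactly what the “distributed” part of a distributed ledger is for.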

Conclusion

Ghai and Howe concluded: “We are in the business not just of protecting data and infrastructure…We must also protect trust…Trust is based on reputation and we must learn to protect it…RSA 2019’s 40,000 attendees had an epiphany: We should worry about the threat landscape, and obsess about the trust landscape.” Ghai and Howe envision unleashing a new age of prosperity, making poverty a thing of the past, and improving governance through transparency and risk management enabled by reputational trust.

It is much too soon to tell if this vision is prescient of things to come, or just utopian wishful thinking. Having worked with blockchains and reputation systems, I have seen mostly balkanization as implementers pursue decentralization ideals. It is not obvious to me how these systems would self-organize into a unified TrustLink as Ghai envisions. And yet…the market tends to find a way – much as many incompatible proprietary email systems converged on Internet Simple Mail Transfer Protocol (SMTP) long ago.

As for zero trust? In case my figure at the beginning of the article wasn’t clear enough, here’s my take:

  • Zero trust as the default setting on the network is not an impediment; it catalyzes progress in creating self-defending devices and applications.
  • We need technical trust at the next layer of identity, risk, and context. Here, zero trust is an architectural framework, not a product you can buy. 
  • Human social, relational, and national networks are likewise built on trust. According to much research, those countries whose populations are more trusting have higher gross domestic products. As social animals we can’t live with zero trust; perhaps that’s what Ghai and Howe really meant to say…
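To make the first two bullets concrete: “zero trust as the default setting on the network” means the network location of a request grants nothing, and the decision is made one layer up from identity, device posture and risk. The following is an added example, not code from this post or from any product: a toy policy decision point that denies by default and only allows when an authenticated subject is entitled to the resource, the device posture meets the resource’s requirement, and the risk score is under the resource’s ceiling, asking for step-up authentication rather than denying outright when risk is elevated. The subjects, roles, resources, thresholds and scores are assumptions for illustration.

```python
"""Added example (not from the original post): a toy policy decision point
that treats the network as untrusted by default and decides from identity,
device posture and risk instead of network location. All subjects, roles,
resources, thresholds and scores are assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Request:
    subject: Optional[str]  # authenticated identity; None if unauthenticated
    mfa: bool               # session completed strong authentication
    device_managed: bool    # device posture attested by an endpoint agent
    src_ip: str             # logged only: being "inside" grants nothing
    resource: str
    action: str
    risk_score: int         # 0 (low) .. 100 (high), from a risk engine


# Hypothetical per-resource policy: entitled roles, posture requirement,
# and the risk ceiling above which the session must prove more.
POLICY = {
    "payroll-db": {"roles": {"finance"}, "require_managed": True, "max_risk": 30},
    "wiki": {"roles": {"finance", "engineering"}, "require_managed": False, "max_risk": 70},
}

# Hypothetical identity-to-role mapping, as an IdP or directory would supply.
ROLES = {"alice": {"finance"}, "bob": {"engineering"}}


def decide(req: Request) -> Tuple[str, str]:
    """Return ('allow' | 'deny' | 'step-up', reason). Anything unmatched is denied."""
    if req.subject is None:
        return "deny", "unauthenticated"
    rule = POLICY.get(req.resource)
    if rule is None:
        return "deny", "no policy for resource"  # default deny, not default allow
    if not ROLES.get(req.subject, set()) & rule["roles"]:
        return "deny", "subject not entitled"
    if rule["require_managed"] and not req.device_managed:
        return "deny", "unmanaged device"
    if req.risk_score > rule["max_risk"]:
        # Adaptive response: elevated risk demands stronger evidence before
        # the session continues; if MFA was already done, there is nothing
        # more to ask for and the request is denied.
        if not req.mfa:
            return "step-up", "risk above ceiling"
        return "deny", "risk above ceiling even with MFA"
    return "allow", "policy satisfied"


def network_location_is_irrelevant(req: Request) -> bool:
    """Same request from an 'internal' and an 'external' address gets the same answer."""
    inside = Request(**{**req.__dict__, "src_ip": "10.0.0.5"})
    outside = Request(**{**req.__dict__, "src_ip": "203.0.113.9"})
    return decide(inside) == decide(outside)


if __name__ == "__main__":
    r = Request("alice", True, True, "10.0.0.5", "payroll-db", "read", 10)
    print(decide(r))  # ('allow', 'policy satisfied')
    print(decide(Request("alice", False, True, "10.0.0.5", "payroll-db", "read", 50)))
```

Note what this does not do: it never consults `src_ip` when deciding. That is the “default setting on the network” in practice, and it is why the framework is architectural rather than a product: the identity, posture and risk signals have to come from somewhere, and the enforcement point has to be in front of every resource, not just the ones behind a firewall.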

Call to Action

I hope that RSA, and those of us at the conference, will continue adding more texture to the ideas expressed here. For example, if technology is going to be risk-aware and adaptive, it will need to be part of a framework such as Gartner’s CARTA. If we are going to build more trustworthy social, relational, and business networks, we need to do a better job of adapting them to the way humans think. Never mind “bio-digital”, how about “psycho-digital?” Here’s praise for the RSA conference organizers, Lorrie Cranor, and a number of others for putting on the excellent pre-conference “Security, Privacy and Human Behavior” seminar.

Related Content

I also hope you’ve found this article interesting enough to do some further reading at the links provided.


2 Responses to RSA 2019: Has Zero Trust Become an Impediment?

  • As a Communist Republican, I see personal trust as a lived experience, to be reconstructed in communist households, and institutional trust as a federal construct, to be reconstructed in local republics built from communist households. My urban federalism [See my “Popular Capitalism”] then extends the institutional trust through higher levels of federal union.

    In the application to computer systems, I have long contended that all communications should be constructed on an urban federalist basis and that computer networks should follow that same pattern. My only partly facetious campaign pledge of “an internet server in every home” points out this household-based computer network paradigm. This is analogous to a closed-circuit television network, with a portal for inter-network communication at the next higher federal level.

    From a security standpoint, the virtue, the “being one’s own man”-ness, of the institutional delegates is essential. Yes, the messages can be tracked — see Romulus Computer Security Modelling System for that approach — but a delegate who is beholden to outside interests can still move secure messages offline to agents of those outside interests. The unconditional provision of the necessities to all, established systematically, is the engine of virtue as well as the key element of my solution to the problem of poverty in “Popular Capitalism”. In other words, computer security can be logically proven, as we did in Romulus, but trust grows organically out of a multi-level federal system.
