In the wake of another high profile insider breach out of Tesla, it’s tempting to proclaim that it could have been avoided with Zero Trust. On the surface, it has all the characteristics of the very thing a BeyondCorp-style system is designed to prevent, but I’m going to refrain from rushing to that conclusion for two reasons:
First, from what I can gather from the official reports, it’s unclear whether this person technically had the right to do what they did from a privileges perspective at the time. Regardless, the fact that his actions were so quickly discovered and remediated means that from the perspective of a disgruntled employee, the system did what it was supposed to do – a red flag was raised, the incident was isolated, the malicious code was removed, and evidence of data sharing was collected. Honestly, that’s a win in the security column despite the headline. Good access controls are as much about remediation as they are about blocking, especially in a case like this. The question then becomes more about procedure (code review, production deployments), which needs to complement the adaptive controls (authN, authZ) that are in place to effectively enforce policy (least privilege).
Second, one of the most hopeful aspects of this entire BeyondCorp movement is that we were finally getting away from the fear-driven tactics that have dominated the industry for decades. For once, we were speaking with authenticity about positive security and productivity outcomes. The second we start blindly talking about Zero Trust as a silver bullet to solve all that ails us, the second we fall right back into the shady tactics of yesterday (and today). While I’m glad that the movement has gained so much momentum across the industry, we can’t just slap a Zero Trust sticker on every problem area and call it a solution. This is supposed to be about next-gen access, not next-gen snake oil. It’s time to break the cycle and move beyond the FUD (no pun intended).
Of course there are significant benefits to covering incidents like this as we collectively move forward toward better security systems and practices, and there are characteristics of Zero Trust that apply to this case, but I don’t believe we win by just pointing fingers – we win by encouraging each other to evolve and adapt to the ever-changing landscapes that surround us all. Tesla can certainly learn something from this incident, and so can we.
Here are a few other things that caught my eye this past week.
Continuing their series on network security, the good folks at Securosis take on the topic of scale. They advocate for applying controls based on intelligent policies. To meet the challenges of scale, look at the problem from an outcome perspective, not a capacity perspective. I look forward to the next piece about the architecture to support such requirements.
We talk a lot about ephemeral credentials as a characteristic of a true Zero Trust system, which is a strong benefit in mitigating the risk of credential theft. Many web-based systems use JWTs as a credential mechanism, but one should be aware of the considerations and tradeoffs. Here is an in-depth article covering some of the risk areas.
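To make the "ephemeral credential" point concrete, here is a small added example (not code from the original post or from ScaleFT) that issues and verifies an HS256 JWT using only the Python standard library. It pins the accepted algorithm, requires an `exp` claim, and rejects tokens that are expired, tampered with, or unsigned. The secret, subject, timestamps and the five-minute lifetime are constructed sample values.

```python
"""Minimal HS256 JWT issuer and verifier showing short-lived credentials.

Added example, not from the original post. Standard library only; the
secret and claims below are constructed sample values for the demo.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. A real deployment uses a random key from a
# secrets manager, never a literal in source.
SAMPLE_SECRET = b"constructed-demo-secret-not-for-production"
ALLOWED_ALGS = {"HS256"}  # pin the algorithm; never trust the token's own header
DEFAULT_TTL = 300         # five-minute lifetime: the "ephemeral" part


class TokenError(Exception):
    """Raised for any token that must not be accepted."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_token(secret: bytes, subject: str, now: Optional[int] = None,
               ttl: int = DEFAULT_TTL) -> str:
    """Issue an HS256 JWT carrying iat/exp so it cannot outlive its window."""
    now = int(time.time()) if now is None else now
    signing_input = ".".join([
        _segment({"alg": "HS256", "typ": "JWT"}),
        _segment({"sub": subject, "iat": now, "exp": now + ttl}),
    ])
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes, now: Optional[int] = None,
                 leeway: int = 0) -> dict:
    """Return the claims if the token is well-formed, signed by us, and in date."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise TokenError("undecodable header or signature")
    # Reject alg=none and anything other than the pinned algorithm.
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenError(f"algorithm not allowed: {header.get('alg')!r}")
    signing_input = f"{header_b64}.{claims_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        raise TokenError("signature mismatch")
    claims = json.loads(_b64url_decode(claims_b64))
    exp = claims.get("exp")
    if not isinstance(exp, int):
        raise TokenError("missing exp: token would never expire")
    if now > exp + leeway:
        raise TokenError("token expired")
    nbf = claims.get("nbf")
    if isinstance(nbf, int) and now + leeway < nbf:
        raise TokenError("token not yet valid")
    return claims


def verification_failure(token: str, secret: bytes, now: int) -> Optional[str]:
    """Helper for the demo: the rejection reason, or None if the token is accepted."""
    try:
        verify_token(token, secret, now=now)
        return None
    except TokenError as err:
        return str(err)


def unsigned_variant(token: str) -> str:
    """Negative test input: same claims with an alg=none header and no signature."""
    _, claims_b64, _ = token.split(".")
    return ".".join([_segment({"alg": "none", "typ": "JWT"}), claims_b64, ""])


if __name__ == "__main__":
    issued_at = 1_000_000  # constructed fixed clock so the demo is deterministic
    tok = mint_token(SAMPLE_SECRET, "alice", now=issued_at)
    print("fresh:   ", verification_failure(tok, SAMPLE_SECRET, issued_at + 100))
    print("expired: ", verification_failure(tok, SAMPLE_SECRET, issued_at + 301))
    print("unsigned:", verification_failure(unsigned_variant(tok), SAMPLE_SECRET, issued_at + 100))
    print("wrongkey:", verification_failure(tok, b"other-key", issued_at + 100))
```

The design choice worth noting is that the verifier decides the algorithm and the lifetime, not the token. A verifier that honours whatever `alg` the header claims, or that accepts tokens without `exp`, turns a stolen token into a long-lived credential, which is exactly the risk short lifetimes are meant to cap.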
Here’s a deep technical post tackling a different, but related problem in home networks. We should treat these networks as untrusted the same way we do our corporate networks. In many ways, the attack surface is wider given the wide range of insecure, connected devices.
That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,
Ivan at ScaleFT