“Zero Trust But Validate.” It’s not enough to deploy a zero trust architecture. You need to continuously validate that it works.

To echo a famous Russian proverb, "trust but verify," it's not enough to implement a zero trust architecture. Continuous testing is the only way to achieve real cybersecurity readiness. Read More

In the late 1980s, U.S. president Ronald Reagan liked to repeat the Russian proverb “trust but verify” to his counterpart Mikhail Gorbachev when negotiating nuclear arms control agreements with the Soviet Union. He used the phrase at the signing of the Intermediate-Range Nuclear Forces (INF) treaty in December 1987 to describe the extensive verification procedures that would help both countries to monitor their compliance with the treaty. ”Though my pronunciation may give you difficulty,” Reagan told Gorbachev at a summit meeting at the White House that December, “the maxim is, ‘Doveryai no proveryai,’ ‘trust but verify.’” 

It’s a good phrase to adopt for the cyberage, when organizations are deploying increasingly powerful security capabilities to defend their data centers and cloud environments — often against Russian government intruders. (See, for example, the SolarWinds intrusion on U.S. government and private networks of almost a year ago.) The Biden administration launched a cybersecurity executive order in May that focuses heavily on zero trust, a practice of mistrusting every connection in a network by default and authorizing interactions only through predetermined policies. Zero trust is a key step to stopping intruders’ lateral movements between data centers and cloud environments. Over and over, intruders have used lateral movement tactics to march around data centers to gain access to high-value information, from the Target hack of 2013 to the Office of Personnel Management intrusion of 2015 to the SinghHealth breach of 2018 to the SolarWinds intrusion of 2020. 

Organizations can deploy a range of capabilities to build a zero trust architecture. One of them is micro-segmentation, or “security segmentation”, which maps application dependencies within a data center and then builds policy walls between the applications, workloads, servers, and devices in a data center to prevent unauthorized communications between them. Such policy and code-built walls prevent intruders from executing unauthorized movements. In this situation, an intruder may be able to get access to three servers, but not 3,000, preventing the spread of breaches like OPM, Target, and SolarWinds. 

But how do you guarantee that such an architecture will work? Let’s echo “doveryai no proveryai.” You may build the most powerful walls but you need to make sure that your teams are updating the concrete, that your sentries are manning their posts to keep the enemy out, that all the spears are sharpened to repel intruders if required. If you don’t test your cyberdefense armaments using adversary emulations enabled by up to date cyberthreat intelligence in the MITRE ATT&CK framework, you won’t know if your defenses will stand-up to the adversary when required. “Zero trust but validate” means exercising your defense capabilities constantly to validate cybersecurity readiness. Real-time performance data is at the center. 

We’ve been banging this validated zero trust drum all summer and now the pitch is picking up. We began the cadence with a joint AttackIQ-Illumio article in Lawfare that I wrote with my great colleague Matt Glenn, Senior Vice President for Product Management at Illumio, and we’ve updated that argument with granular technical details about how to deploy a zero trust architecture and validate your zero trust security controls to ensure effectiveness. Our new jointly produced Validated Zero Trust 101 Guide gives you step-by-step instructions for how to achieve zero trust effectiveness. 

It includes excellent analysis from my colleague Mark Bagley, VP for Product at AttackIQ, a historian and a technologist with deep expertise building security control validation platforms over the last decade. It also includes wisdom from Richard Struse, Director of MITRE Engenuity’s Center for Threat-Informed Defense. “With the advent of zero trust architectures,” he says, “it is even more critical that everyone in an organization is working from the same playbook of actual threats. The shared understanding of how adversaries operate provided by ATT&CK is essential – from the design of secure systems through the continuous evaluation of the effectiveness of security controls and capabilities.” 

This new strategy brings together some of the best minds in the cybersecurity industry to help the U.S. government and the private sector to deploy a zero trust architecture, achieve maximum visibility into its security performance, and make the continuous adjustments necessary to ensure everything works as it should. It’s simple. It’s straightforward. And it builds on our years of experience building world-class cybersecurity technologies and strategies. We believe in this strategy and know that it can help organizations tighten their security posture. 

Separately, for those that don’t know, Mikhail Gorbachev is still writing (!). He is now 90 years old and his 2019 book What Is At Stake Now: My Appeal for Peace and Freedom has just been released in paperback. Unreal. Talk about a man who begs all of us to ask ourselves the famous Mary Oliver question: “Tell me, what is it you plan to do with your one wild and precious life?” His life should inspire us to do whatever we can to build a more peaceful, secure, and stable world. In our age, that certainly includes effective cybersecurity.