If I cast my mind back to circa 2005, I can clearly remember reading the Checkpoint release note which introduced the concept of Active Directory integration such that a firewall could identify users, groups and logons. No longer would we be constrained by trying to identify IP addresses, we would know that Bob was logged on and working in the accounts department, and that his connection to the accounts group file share could therefore be trusted.
If I cast my mind further back to circa 2000, I can also clearly remember the promise (and an ill-fated proof of concept) of "unified messaging", where our communications would follow us around, whether by desk phone, mobile or soft phone, again by dint of knowing who we are, where we are and what we're doing.
It was also around this time that SIEMs were first becoming de rigueur. Because if you have all the data, and you know everything, then you can make educated decisions: about people's behaviours, about technology controls and, if you've made it to the very top of the maturity curve, about business risks.
And don't get me started on Network Access Control and how that was going to entirely remove the risk of nefarious devices on your network.
Unfortunately, some 15 years later, and despite manufacturers' claims to the contrary, firewalls remain largely reliant on the same basic port and protocol data to make decisions about traffic flow. Equally, 20 years after unified messaging was going to unite us all, I still can't remember whether I messaged someone by SMS, WhatsApp or Messenger, or was it in an email? And was it on my work device, or my personal one?
The application of SIEMs, whilst more prevalent than it was then, now covers a much narrower band of requirements than was first envisaged. No longer do we cry "consume all the logs and you shall find everything" so much as "consume only those logs that we need in order to identify our pre-determined use cases, and dump everything else in the data lake just in case".
And does anyone want to claim that they have fully implemented and operationalised NAC?
So we don't "know" with the certainty we'd like, and we can't "trust" in the way we thought we were going to be able to, and countless privilege escalation vulnerabilities have taught us that even when we do trust, can we be sure?
Is this why the concept of "zero trust" is so appealing? Because it absolves us of any kind of responsibility for these countless failed technology advances? Or were we led up the garden path that these things were ever a realistic and feasible idea in the first place?
Are micro-segmentation and strong authentication the next technical panacea, or an admission of failure that our perimeter controls are too dumb and our internal controls too vulnerable to be trusted, so that we draw perimeters in ever decreasing circles and apply multi-factor authentication wherever and whenever possible?
Much further back in time I used to have a password which I thought was pretty clever, and I suspect a number of others had the same one, and felt the same way about it. Unfortunately, a quarter of a century later we still seem to be struggling with the concept: TrustN01!