Remember that castle I wrote about last week? Where they didn't trust anyone, because they assumed the enemy was already within the walls of the castle? I went for a walk around the area, and guess what? There is another castle just down the road. And they do things in a completely different way there.
Not so long ago I heard this statement at a conference: we must move from 'low trust, high tolerance' to 'high trust, low tolerance'. That's one of those statements to which the audience mumbles in agreement, without yet understanding exactly what it means. I make a note of those kinds of statements to think about them later. Writing a blog is an excellent way to hatch an egg like that one. Buckle up, dear reader, because at this point I don't know yet where the story is going.
The statement contains the assumption that many organizations work from a kind of non-trust (which is different from distrust), much like in last week's castle. There are many rules that you have to adhere to, because you probably won't do the right thing on your own. Not because you don't want to, but because you can't know them all. And because there are so many rules, it is very difficult to adhere to them all: if only because you do not know all the rules, but also because some rules are not feasible, or are sometimes inconvenient. You know, that word 'actually'. Whenever someone says that something shouldn't actually be done in that way, you already know that a rule will be worked around. The lord of the castle knows this too, and therefore turns a blind eye to many things: he is very tolerant, as long as the rules are not broken deliberately and with malicious intent.
The statement from the second paragraph implies that that attitude is not good, because well, we 'must' move towards that other model: high trust, low tolerance. This lord of the castle assumes that everyone who works for him understands very well what is and is not possible, because many things are obvious. When you enter somewhere, you close the door behind you. Not only because otherwise it would be draughty, but also because someone might slip in who shouldn't be there. If you're in charge of the lady's jewelry, you probably understand that you are not supposed to lend it to your girlfriend for an evening. So there are far fewer formal rules, but woe betide you if you betray trust and they find out. Then you'll be in the dungeon on bread and water in no time. There is little tolerance.
Do you know Franz Kafka's novel Der Prozess (The Trial)? That story revolves around Josef K., who is arrested and ultimately convicted without ever knowing why. Apparently he sinned against rules that he did not know – even could not have known. We could easily end up in such a Kafkaesque situation if we work on the basis of 'high trust, low tolerance'. Not a nice place to live, that castle.
What about a middle ground? I call it 'some trust, some tolerance'. It is probably true that we have too many rules, which no one knows anyway. Every citizen is supposed to know the law, they say. But how realistic is that, if taken literally? Even without knowledge of the law, you know that you are not allowed to puncture car tires, right? Likewise, there are numerous security rules that people adhere to anyway. Or where a little more tolerance wouldn't hurt. It annoys me every time the app in which I can see my daughter's class schedule kicks me out because I haven't opened it for a few weeks. Then I have to log in again, and then I always have to figure out how that works, because it works differently than elsewhere. How exciting is what's in that app? Let it piggyback on the security of my phone. Even my bank's app is easier (after an initial strict admission procedure).
So we can probably get by with fewer rules, but we also have to learn to be less tolerant. Still too often someone does something in a way that they know perfectly well is not the way it should be, but – of course with the best intentions, no doubt – they still manage to do it in that way. It works, but there are too many risks involved that may have been overlooked. Tolerance should not be taken, it should be given. By the person who is responsible.
So we need a new castle, at an appropriate distance from Kafka's. With residents who reasonably adhere to rules that mainly regulate what is not obvious to everyone. That model will only work for people, by the way. Let's stick to zero trust for systems.
Next week there will be no Security (b)log.
And in the big bad world...
This section contains a selection of news articles I came across in the
past week. Because the original version of this blog post is aimed at readers
in the Netherlands, it contains some links to articles in Dutch. Where no
language is indicated, the article is in English.
- A ransomware gang has reported its victim to the authorities.
- A mapping has been made between NIS2, ISO 27002 and the Dutch Baseline for Information Security (BIO). [DUTCH]
- The godfather of all hackers lives in India.
- The German cybersecurity organization BSI has updated its report on the development of quantum computers. [GERMAN]
- The second podcast from the High Tech Crime Team is out. [DUTCH]
- This malware steals your cryptocurrency via photos on your Android phone.
- It is good to use an ad blocker.
- The Dutch Data Protection Authority advises negatively on the 'data surveillance law'. [DUTCH]
- Civil servants in the Netherlands will soon no longer be allowed to use ChatGPT. [DUTCH]
- An emergency center for the elderly in need has been shut down by a cyber attack.