Zero trust models are catching on as organizations pursue more stringent security frameworks, but what does that mean for sharing systems like knowledge management?
We understand that knowledge management (KM) is the preservation and sharing of what we know, and that what we know is gained through individual experience as well as tacit and implicit knowledge. Therefore, organizations and leadership might infer that the zero trust Model and zero trust architecture — a security framework that assumes no traditional network edge and requires all users, even those in-network, to be authenticated and continuously authorized before being granted access — are an impediment to a mature KM culture.
Yet, what is considered an impediment and barrier to KM is often the result of confusing KM with information management (IM).
Instead, KM and IM should be considered more alike in their value systems rather than a competing priority in which an organization must choose between securing information and data versus sharing information and data. In accepting that there are both enablers and barriers to any organizational priority, a strong KM culture includes many of the same enablers that zero trust is tasked with supporting. KM, when it is aligned with zero trust, creates an even stronger KM value in the organization. And zero trust, like KM, succeeds best when working from the position of the four KM enablers: people, process, technology, and governance — as well as a strong organizational policy, which is critical for zero trust.
The successful implantation of KM and zero trust should be:
-
-
- business focused;
- supported by senior management;
- embedded with the strategic vision and principles of the organization;
- focused on higher value knowledge and higher value data;
- able to demonstrate measurable benefits, such as competitive advantage and process improvement in tandem with risk mitigation and security; and
- employed as a full organizational change.
-
Despite the decades-held belief that most security threats are external, it is inside threats that have risen to become a serious cause for concern, most recently this is due to the extension of network access across mobile devices, cloud users, and employees working in hybrid or fully remote environments.
Behind the emergence of zero trust is a broad concept that applies to technologies, networks, IT architectures, and security policies. This concept holds that users within a network should be treated as if they could pose a threat. Therefore, enterprise resources and data are to be protected individually and access to these resources should be evaluated and analyzed continuously.
The zero trust future
Zero trust is not a particularly unique approach. IT professionals would consider the principles of this model to be a good housekeeping practice for any healthy secure enterprise. Most IT professionals have long taken great pains to design systems that consider inside risk as dangerous as any other risk. Therefore, zero trust systems have been developed to behave as an integrated platform that contextualizes information based on identity and security that has shifted risk measures from traditional perimeter models (e.g. firewalls) to one that is identity-centric. Through this process, key questions emerge, such as who has access to what information? When do they have access? How much access is given, and what business purpose does their access support?
This identity-centric approach is consistent with KM mapping. KM mapping outlines the business challenge of what we know with strategic goals that can then be supported with KM interventions, such as a knowledge base, intranet, sales wikis, and CRM platforms. Additionally, to be successful, both KM and zero trust require agreed-to measurable outcomes.
This simplified explanation of zero trust in a KM world is consistent with KM values that improve business agility which brings with it the priority of protecting internal data and internal assets.
Strategies to overcome perceived KM barriers brought on by a commitment to zero trust overlay with the implementation of zero trust models. These strategies include:
-
-
- mapping “need to know” information (KM) alongside “need to secure” (zero trust);
- finding common alignment with strategic goals;
- outlining business objectives and agility with business security; and
- agreeing upon measurable benchmarks and outcomes, remembering that i) not all measures are monetary values; ii) not all measures should be targets; and that iii) common solutions can be identified to overcome “imposed” targets.
-
Much like KM, zero trust is a new mindset that requires sweeping changes to be implemented effectively. On the surface this seems daunting, but after evaluating KM and zero trust, both can be implemented to improve organizational value and effectiveness.