Workload and Application Security Blog

Santa and the Zero-Trust Model: A Christmas Story

Written by Virsec | Dec 25, 2019 3:20:29 AM

Dark Reading, December 23, 2019, with comments by Willy Leichter

How would the world's most generous elf operate in a world of zero-trust security? A group of cybersecurity experts talk about it.

Santa prepares his product lines all year long for worldwide distribution on one night, Christmas Eve. His distribution model hasn’t changed much – personal delivery around the world on December 24th, via a planned stealthy entry into every house when no one is watching. No locks, no identification requested upon arrival. No security gate on the roofs or at the chimney tops. Supporting staff made up of reindeer, elves, sleigh loaders and more are never questioned or scrutinized for possible errant behavior.

Who’s to say droves of households won’t be primed to be taken in by the quiet beauty of falling snow, sugar plum fairies dancing to Tchaikovsky’s sweet melodies, and the strong temptation to see what’s hiding under shiny wrapped gifts? It could all be a planned plot of deceit!

Zero-Trust Security Means Even Santa Can’t Be Trusted Right Out of the Sleigh

The concept of Zero Trust security is predicated on not trusting anyone or anything inside or out of the network perimeter. Nothing and no one is presumed safe.

By definition, Santa invades and trespasses against all the rules – he might not break but he enters on his own, without ID and leaves lots of packets behind.

Interviewed by Dark Reading, Tyler Reguly with Tripwire says, "First and foremost, Santa needs a background check before we go any further. I want to know everything about where this magical elf that makes it around the globe in 24 hours has been. I want to know everything about him."

He also points out that “Santa seems to have an extensive supply chain, and that the supply chain and support staff should come under scrutiny, as well. That means Mrs. Claus, the sly Elf on the Shelf, and the elves at the North Pole manufacturing and shipping facility must be accounted for."

Willy Leichter, vice president at Virsec tells Dark Reading, "For far too many years, we’ve given carte blanche to Santa Claus to ignore basic security best practices — not to mention safety issues bringing potential carcinogens with him down the chimney. Simply saying we 'trust' the big guy is dangerous and naïve."

More experts weigh in on several aspects of the challenges Santa would face in a world of zero-trust security. Can Santa’s arrangement be made to adhere to Zero Trust principles?

“Did you remember to send Santa our Privacy Policy and Liability Release Form?”

Read full Santa and the Zero-Trust Model: A Christmas Story article.

Further resources:

In the Face of a Ransomware Attack, Can Your Defenses Prevail?

Ransomware Demo: Multi-Level Protection Against Ransomware