We’re often quick to applaud initiatives aimed at bolstering our digital defences. One such initiative that’s garnered considerable attention recently is the establishment of Dell’s Zero Trust Centre of Excellence. Dell, as the single integrator or prime contractor, is partnering with approximately 30 notable companies to allow customers to test their environments against the U.S. Department of Defense (DoD) Zero Trust Reference Architecture. And while I wholeheartedly support the essence of Zero Trust security, I can’t help but raise an eyebrow at a couple of discrepancies
Let me be clear: the Zero Trust Centre of Excellence is a good idea. Embracing the principles of Zero Trust and facilitating the wider ecosystem to align more easily to the U.S. government’s Zero Trust mandate is absolutely the right direction.
This is especially true for organisations with decentralised, private or edge cloud environments where integrating Zero Trust protocols across hundreds of appliances from dozens of vendors is complex and generally out of reach for most companies.
But here’s the rub: some of these 30 partner companies aren’t on the Common Vulnerabilities and Exposures (CVE) list. It raises a fundamental question: Can you genuinely practise Zero Trust if you’re not signed up to publicly identify vulnerabilities?
The CVE program, short for Common Vulnerabilities and Exposures, isn’t just another bureaucratic checkbox (although it is sponsored by the U.S. Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA)); it’s a core mechanism for transparency and accountability. It is a list of publicly disclosed IT security flaws that provide a standardised way to catalogue, track, and address known computer system vulnerabilities.
By not requiring companies to report vulnerabilities publicly, we hinder our abilities to reconfigure, prioritise or otherwise mitigate risks. It also limits transparency, which goes against the US DoD’s vision of wide scale adoption of Zero Trust to support “a more secure, coordinated, seamless, transparent, and cost-effective IT architecture… that ensures dependable mission execution in the face of a persistent cyber threat.”
You cannot achieve Zero Trust while skirting the obligation of full transparency. If you can’t see behind the curtain, how can you really know what’s going on? Trust is all of a sudden back in the equation and that’s not what Zero Trust is about.
In today’s rapidly evolving threat landscape, staying ahead of the curve is imperative. That means every organisation, big or small, should adhere to the same standards and culture of transparency and accountability when it comes to vulnerability disclosure. That’s why SoftIron is proudly a member of the CVE program and is committed to the tenets and principles of Zero Trust.
In conclusion, the Zero Trust Centre of Excellence is a laudable initiative. Companies should absolutely embrace its principles. But, and it’s a big but, in our journey toward Zero Trust, we can’t afford to leave behind the obligation to publicly identify vulnerabilities. A uniform and transparent approach to vulnerability disclosure is essential to ensure the trustworthiness of our Zero Trust security measures. It’s time we bridge that accountability gap.