The concept of "Zero Trust" has been around for years. Unfortunately, this concept becomes a cybersecurity catchphrase with cyberattacks like spear-phishing, ransomware, and business email compromise (BEC) at all-time highs. Even the notoriously slow government cybersecurity planning is going all-in on this matter.
However, a crucial obstacle to widely adopting this security model is mass uncertainty about what exactly "Zero Trust" means. There is a lot of confusion about the definition out there. For example, a customer told me that he thought he knew what Zero Trust was, but now that everyone is talking about it and describing everything as Zero Trust, he understands less.
As is the case with IT, in general, Zero Trust "is not just technology"; it's about process and mindset as well (again, it is about People, Process, Technology — PPT). CIOs, CISOs, and other corporate executives are frequently implementing Zero Trust because:
- the technologies that support its move into the mainstream
- the pressure to guard enterprise operations and data rise significantly, and
- attacks become more advanced and sophisticated.
This time, I am writing to lay the fundamental concepts and introduce anyone who wants to bring Zero Trust into practice.
Background
The concepts supporting zero trust are not new. John Kindervag, an industry analyst at Forrester Research Inc, popularized the term "Zero Trust Network" in 2010 but was coined in April 1994 by Stephen Paul Marsh for his doctoral thesis on computational security at the University of Stirling.
The difficulties of determining the perimeter to an organization's IT infrastructure were highlighted by the Jericho Forum in 2003, discussing the trend of what was later coined "De-Perimiterisation." In 2009, Google implemented a Zero Trust architecture referred to as BeyondCorp.
The Zero Trust is also known as a Zero Trust Network or Zero Trust Architecture. Related frameworks include Google's BeyondCorp, Gartner's CARTA, NIST SP800–207, and ZTX by Forrester.
The "Old" Trust Model
Image by Hadrianus1959 from wikimedia.org | Creative Commons Attribution-Share Alike 4.0 International
.jpg){kind=link}
Under the legacy of the existing trust model, all the devices, including computers, servers, and network devices physically located in an office building — were on the same network and inherently trusted. For example:
- Your work desktop computer could connect to the printer on the same floor as your desk.
- You can find team documents on a shared file server.
Security tools such as firewalls and antimalware were deployed to treat anything outside the perimeter (of the organization) as bad; everything inside the network is our friend (trusted). We also called this model "perimeter defense."
As you may know, though, the rise of mobile devices, cloud applications, and the remote workforce have thoroughly disputed those assumptions. Organizations can't physically control every device their employees use anymore. And even if they could, the device is not just a device, but a tunnel from internal to anywhere, including the public cloud apps.
Once an attacker gets through those perimeter defenses, remotely or physically infiltrating an organization, the old security model would instantly grant them a lot of trust and freedom. Security should never be as stupid as "outside bad, inside good."
Zero Trust Concepts Explained
If you talk to "zero-trust" experts, the whole thing sounds like a religious experience. As all security professionals know, cybersecurity is about mindset, not the technology itself.
Zero Trust is a security mindset centered on the idea that organizations should not automatically trust anything inside or outside their perimeters and, alternatively, must verify anything and everything trying to connect before granting access.
Instead of trusting particular objects or connections from specific places, Zero Trust requires that people (i.e., device's user or data owner) prove they should be granted that access. Typically that means logging into a corporate account with biometrics or a hardware security key. In addition to simple usernames and passwords make it more difficult for attackers to impersonate users.
And even once someone gets through, it's on a need-to-know or need-to-access basis (conditional access). So, if you don't work with source codes as part of your job, your corporate account shouldn't bind into the R&D domain.
Analog: Zero Trust in Real Life — Airport
Image by the author
The best analog of "trust zero" in our daily lives is airport security (although we didn't travel due to COVID-19.) When we need to travel to another country, we need to:
- Buy air ticket — User Access Request
- Check-in — Identification, Contextual Information Collection
- Immigration border — Authentication
- Before onboard — Authorization, Conditional Access
- On the plane
When you arrive at the airport, and as far as the "system" is concerned, you are unauthenticated, unauthorized, and thus untrusted for more than access to the public areas. Then you perform an initial Identification when you check-in; this validates your identity and purpose. Next, you check your baggage in, which has its security checks (this could be analogous to having your laptop/desktop validated).
This elevation of trust permits access to the boarding lounge, which could be considered a trusted zone, and while you are in this zone, you can access certain "services" without further authentication. However, for certain transactions, you are required to show your boarding pass again.
Afterward, when you board the plane, you are rechecked as you enter a zone requiring specific authorization. At any point when you are within the trusted zones, you can be directed to re-authenticate. Some zones are not accessible to an average traveler (e.g., VIP lounges, staff areas, air-side areas, etc.). Much like a corporate environment, these would equate to management zones, database zones, etc.
Final Words — Concepts Provides Flexibility And Potentially Longevity
People working in IT often try to map everything to clear definitions — as in the digital world (zero and one). The problem is people's first impression of Zero Trust treating it as a single piece of software you can install or a checkbox you can cross.
For me, it is a mindset, a set of concepts, or, more extreme, a philosophy. The abstract nature of Zero Trust has its benefits. Designing from concepts and principles rather than particular products gives flexibility and potentially longevity; those specific software tools/ products don't.
Other than agreeing on what the phrase means, the biggest obstacle to zero trust's proliferation is that most infrastructure currently in use was designed under the old "moat-and-castle" security model. There's no simple way to retrofit those types of operations for Zero Trust since the two approaches are so fundamentally different.
You still have to implement things like device and software inventory, network segmentation, access controls. As an industry, we need to have more integrity in communicating, especially with all the attacks and real threats that organizations are facing.
I am not saying the Zero Trust is a security panacea (There is none, obviously). And most importantly, even the most secure environment nowadays is not 100% Zero Trust, not to mention that for most organizations. It's still easy enough to target the pieces of a victim's infrastructure that haven't yet been promoted with zero-trust concepts in mind.
Cybersecurity hasn't kept pace with this digital transformation/modernized environment. But we, at least, have to transform how you manage security. First, you want to think about ubiquitous security. Second, you want to be predictive, so you need to be thinking about it differently.
Successful implementation of ZTA should involve the CISO, the CIO, and others in the executive tier to prioritize what moves to this model and which pieces of their environment can wait.
Thank you for reading. May InfoSec be with you🖖.