Jason Garbis, January 11, 2022
Zero Trust Security: Buzzword or Breakthrough?
Zero Trust is much more than a buzzword. It weaves together proven IT and security components in novel ways to provide a fresh approach to defending valued assets.
There are several internet memes circulating about Zero Trust, many along the lines of the one depicted below. I find this amusing, and not just because I’m old enough to have watched these cartoons when they were first aired in the 1970s.
Zero Trust has become a marketing buzzword – my standing joke is that at the last in-person RSA Conference, there were so many vendors positioning themselves as Zero Trust security providers that you could walk over to the commissary at the Moscone Center and buy a Zero Trust ham sandwich.
All joking aside, the overuse of the term is a serious and legitimate issue. I recently spoke on a panel with the CISO of a large U.S. federal government department. He lamented that we have so many in-progress security requirements and felt, to some degree, that Zero Trust is just a repackaging of well-known security best practices ... essentially "the latest shiny object" that we're chasing. He said that in another 18 - 24 months, we'll change course yet again to something else shiny and new, leaving our Zero Trust journey unfinished.[1]
I understand this skepticism and I empathize with enterprise practitioners who must navigate this noisy vendor landscape to create a sensible plan for their users and environments. So, let’s break this down.
The principles of Zero Trust security, as well as Zero Trust architectures and implementations, absolutely build upon the many well-proven security principles in use today, including multi-factor authentication (MFA), role- and attribute-based access control (RBAC/ABAC), network segmentation and the principle of least privilege. Zero Trust also includes the bedrock elements of information security, such as cryptography[2], public key infrastructure (PKI) and identity management. However, this doesn't mean that Zero Trust security is only a repackaging or recycling of security components, and I believe this is true for two reasons.
A Fresh Approach
First, a proper Zero Trust approach adds elements to, and removes elements from, traditional security architectures. Second, it changes the expectations we should have for our security systems by breaking down traditional silos and enabling new types of integrations. Zero Trust systems must, by definition, integrate with multiple components of security and IT infrastructure. That is, Zero Trust security is centered on tying together proven principles in novel, dynamic and identity-centric ways. It bridges traditional gaps by enabling an identity-centric, contextual policy that is enforced at multiple levels.
For example, let’s examine a hypothetical enterprise that has shifted to a Zero Trust approach for its networks and applications. The organization has eliminated its user VPNs and is only using network access control (NAC) for very basic VLAN assignment. Instead, it is using an always-running Zero Trust system on user devices, regardless of where a user is. This improves user experience, while providing a single policy model for controlling user access across all locations. This approach also improves network security and efficiency.
The organization’s security is improved because the Zero Trust system hides the network entry points from external attackers and eliminates the need for an open wide area network (WAN) within the enterprise, because access is now controlled by a set of distributed Zero Trust policy enforcement points. Operational efficiency is also improved because firewall and NAC ACLs are simplified, with all enforcement now happening via the Zero Trust policies.
Of course, the Zero Trust system utilizes infrastructure elements that the enterprise has already deployed, including its identity management system for user identity and authentication and MFA for conditional or contextual step-up authentication.
Here's another example from our hypothetical enterprise, which is using its Zero Trust system to enforce the principle of least privilege for system administrators. Its admin team services an infrastructure comprising 500 production servers, and on any given day an average of 25 of those servers need some administrative work performed: applying software updates, changing configurations, troubleshooting, etc. This is standard enterprise configuration and change management. Administrators need to be productive, so they require seamless network access to those 25 servers. But the principle of least privilege demands that these admins not have access to the other 475 servers.
The challenge is that on any given day, no one knows ahead of time which 25 servers will need work. Traditional network security approaches grant admins full network access to all 500 servers and rely on authentication-only access controls, such as a credential vault or a privileged access management (PAM) solution. Wide-open network access is, of course, a poor security practice: a single compromised admin credential or workstation can reach every server, which is exactly the lateral movement that turns a foothold into a damaging breach.
To solve this problem, our hypothetical enterprise is using a dynamic Zero Trust policy. It integrates its Zero Trust access system with its Service Desk (ITSM). The Zero Trust system obtains ticket information via API and allows an administrator to reach a server only if there is an open service desk ticket for that server and the admin is on a corporate-issued device. Admins can SSH or RDP to the systems that need work, with MFA enforcement for remote admins, and all other servers are unreachable on the network. As soon as the admin's work is done and the ticket is closed, the Zero Trust system automatically revokes network access to the server in question. This maintains a high level of security while keeping admins fully productive. It also ensures that the business process is followed, and it self-documents for compliance and audit purposes.
This is a good example of how a Zero Trust system weaves together identity, device context, MFA and business processes to create something far more effective and valuable than what would be realistically possible with traditional IT and security tools.
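To make the ticket-gated policy above concrete, here is a small model of the policy decision point (PDP) such a system would implement. This is an added example written for this page, not code from the article or from any vendor's product; the ticket format, the device-posture flag and the hostnames are all assumptions, and the sample tickets and 500-server fleet are constructed data. It shows the four conditions combining into a default-deny decision, the "step-up" outcome for a remote admin who has not yet completed MFA, the handful of servers that remain reachable out of the whole fleet, and access disappearing as soon as the ticket is closed.

```python
"""Hypothetical policy decision point (PDP) for ticket-gated admin access.
A request to SSH/RDP to a server is allowed only when every condition holds
(anything else is denied, i.e. default deny):
  1. the target port is an administrative protocol (22 or 3389),
  2. the device is corporate-issued (posture attested by an agent; assumed input),
  3. an OPEN ITSM ticket names that server and is assigned to the requester,
  4. remote requesters have completed MFA (otherwise the answer is step-up).
Closing the ticket removes condition 3, so the next evaluation denies.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    server: str      # FQDN the ticket is about (assumed ticket field)
    assignee: str    # admin the work is assigned to
    status: str      # "open" or "closed"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_corporate: bool   # from device posture / attestation (assumed input)
    on_corp_network: bool    # False means a remote admin
    mfa_completed: bool      # has this session already passed MFA?
    server: str
    port: int


@dataclass(frozen=True)
class Decision:
    effect: str              # "allow" | "deny" | "step_up"
    reason: str
    ticket_id: Optional[str] = None


def open_ticket_for(tickets: Iterable[Ticket], user: str, server: str) -> Optional[Ticket]:
    """The lookup the PDP would perform against the service desk API."""
    for t in tickets:
        if t.status == "open" and t.server == server and t.assignee == user:
            return t
    return None


def decide(req: AccessRequest, tickets: Iterable[Ticket]) -> Decision:
    """Evaluate one access request; the first failing condition wins."""
    if req.port not in ADMIN_PORTS:
        return Decision("deny", f"port {req.port} is not an admin protocol")
    if not req.device_corporate:
        return Decision("deny", "device is not corporate-issued")
    ticket = open_ticket_for(tickets, req.user, req.server)
    if ticket is None:
        return Decision("deny", f"no open ticket assigns {req.user} to {req.server}")
    if not req.on_corp_network and not req.mfa_completed:
        # Valid ticket, but a remote admin must pass MFA before the path opens.
        return Decision("step_up", "remote admin must complete MFA", ticket.ticket_id)
    return Decision("allow", f"open ticket {ticket.ticket_id}", ticket.ticket_id)


def reachable_servers(user: str, device_corporate: bool, on_corp_network: bool,
                      mfa_completed: bool, tickets: Iterable[Ticket],
                      fleet: Iterable[str]) -> List[str]:
    """Servers the enforcement point would expose to this admin right now."""
    return [
        s for s in fleet
        if decide(AccessRequest(user, device_corporate, on_corp_network,
                                mfa_completed, s, 22), tickets).effect == "allow"
    ]


def close_ticket(tickets: Iterable[Ticket], ticket_id: str) -> List[Ticket]:
    """Simulate the ITSM closing a ticket; the PDP re-evaluates on the next request."""
    return [Ticket(t.ticket_id, t.server, t.assignee, "closed")
            if t.ticket_id == ticket_id else t for t in tickets]


# Constructed sample data for the example (not from the article).
FLEET = [f"srv{n:03d}.corp.example" for n in range(1, 501)]
TICKETS = [
    Ticket("INC-1001", "srv017.corp.example", "alice", "open"),
    Ticket("INC-1002", "srv042.corp.example", "alice", "open"),
    Ticket("INC-0998", "srv099.corp.example", "alice", "closed"),
    Ticket("INC-1003", "srv042.corp.example", "bob", "open"),
]

if __name__ == "__main__":
    alice_remote = dict(user="alice", device_corporate=True,
                        on_corp_network=False, mfa_completed=True)
    print(decide(AccessRequest(**alice_remote, server="srv017.corp.example", port=22), TICKETS))
    reach = reachable_servers(**alice_remote, tickets=TICKETS, fleet=FLEET)
    print(f"{len(reach)} of {len(FLEET)} servers reachable: {reach}")
    after = close_ticket(TICKETS, "INC-1001")
    print(decide(AccessRequest(**alice_remote, server="srv017.corp.example", port=22), after))
```

Two design points are worth noting. The decision is computed per request from live ticket state rather than from a standing ACL, which is what makes revocation automatic when the ticket closes; and the ticket has to be assigned to the requesting admin, not merely open against the server, so one colleague's ticket does not widen another's access.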
Standing on the Shoulders of Giants
In conclusion, Zero Trust security is an approach and an architecture that weaves together proven IT and security components into something that’s significantly more effective and beneficial than what was possible previously. Of course, Zero Trust builds upon and leverages foundational and proven elements of IT and security. In this respect, Zero Trust is clearly standing on the shoulders of giants like MFA, identity and network segmentation. And Zero Trust has woven those threads together in novel, interesting and valuable ways, creating a new security tapestry much-needed by today’s enterprises.
Now, I still see some skeptics sitting out there in the audience with their arms crossed, not fully receptive to my arguments. And I understand their position ... our industry does move rapidly and it’s inevitable that in the next 12, 24 or 36 months, there will be new trends, buzzwords and another wave of opportunistic marketing hype (perhaps designed more to drive purchases than to deliver security value).
But I posit two things. First, Zero Trust is a security philosophy and set of principles fundamentally different from other technical or functional industry trends. It’s about breaking down silos and bringing together IT and security tools, while enabling IT, security and business/application owners to work together using a common vocabulary and policy model. Tools will come and go, but this philosophical shift will remain—it delivers demonstrably more effective, more resilient and more responsive security.
Second, the label we apply to this philosophy is somewhat irrelevant. If we as an industry stop referring to it as Zero Trust and instead call it something else, that’s fine. What matters is that we embrace and adopt its principles, standing on its shoulders to better secure our industries, freedoms and societies.
1. His actual prediction was that Zero Trust will be supplanted by a "sharks with lasers" approach to cyber defense.
2. AKA math. In many ways, it's reassuring to me that everything is based on math. I trust math.