One Human Emotion Causes Nearly All Data Breaches

Rob Wiest
5 min read · Aug 15, 2023

Security practitioners have often repeated that security systems, traditionally protected by perimeter controls, are hard on the outside but soft in the center. Whether the analogy involves crustaceans or M&M candies, the message is the same: once an adversary penetrates the outer layer of protection, movement inside the system becomes relatively easy. Historically, a significant amount of focus and resources has been (and is) expended on controlling perimeter access, ostensibly to prevent an adversary from meandering inside a network. To John Kindervag, all of these machinations merely treat symptoms; the underlying problem is a fundamentally flawed reliance on a single human emotion. From John’s perspective, trust is the root cause of nearly every data breach.

While John may not have been the first to recognize the trust problem, he has become perhaps the most prominent evangelist [1]. He began speaking about the concept of trust around 2008 and then published the seminal No More Chewy Centers: Introducing the Zero Trust Model of Information Security in 2010. He posited that we should stop trusting and just assume that networks are or will be compromised. The solution he prescribes is a strategy he labeled “Zero Trust”.

WHAT IS TRUST?

Trust is a belief that someone or something is safe, reliable, and will not harm you. Over the past several years there has been a growing literature on the topic of trust in organizations. There are various perspectives on trust as a psychological state, but one commonly accepted definition emphasizes “confidence in another party and a willingness to be vulnerable to the party.” In the context of networks, this trust also tends to be unidirectional. That is, the focus is on trusting another without regard for reciprocation of that trust.

John Kindervag

THE PROBLEM WITH TRUST IN NETWORKS

The genesis of the zero trust concept was facing the reality that network security focused on a perimeter defense is illusory. From almost the beginning, it became obvious that defending the perimeter was problematic and that detecting (much less stopping) a bad actor once inside the network could be challenging [3].

Early on, the adoption of the perimeter-control model was intuitive, as most resources and users were inside the perimeter and only minor accommodations were required for access from outside it. When someone wanted access to the network, the system verified the identity and, once authenticated, assumed that the identity was trusted. This is an asserted identity, not an actual person. In reality, credentials can be spoofed or stolen, and it may be impossible to know with certainty whether the identity moving within a system is who it asserts to be. History has also proven that “trusted” insiders do not always have trustworthy intentions [2]. These problems have accelerated as workforces have become more global, work has become remote, mobile devices have become ubiquitous, cloud adoption has become mainstream, and attackers have become more sophisticated and prolific. So while trust is easily understood and makes sense at a human level, it does not translate well to the digital world.

THE ZERO TRUST STRATEGY

“Some people mistakenly think zero trust is about making a system trusted, but it really involves eliminating the concept of trust from cybersecurity strategy.” John Kindervag

Zero Trust is a strategy and not a specific product or technical solution. The core idea is the assumption that “all users, devices, and applications are untrusted and access is denied by default and granted based on continuous verification of identity, context, and risk”. The features of a Zero Trust strategy include:

· Assumption of Compromise — The assumption that all devices, users, and applications are threats and are untrusted until verified. This is true whether they are trying to come inside the network or are already inside the network.

· De-perimeterization — Perimeter controls, while a necessary component of defense in depth, will be compromised. A Zero Trust strategy also relies heavily on controls inside the perimeter.

· Micro-segmentation — Network segmentation becomes more granular and focuses on the resources (assets, services, workflows, network accounts, etc.). This allows more precise security controls, inhibits unauthorized lateral movement, and provides an element of containment.

· Authentication — Both the subject and device are authenticated for each session using multi-factor authentication.

· Least privilege — Access is denied by default. Access is granted only to those (micro-segmented) resources needed to perform the work at hand, based on identity, context, and risk.

· Continuous visibility — All traffic is subject to continuous verification mechanisms and logging. In addition, it is also necessary to continuously inspect the traffic to ensure the user is doing the right thing and to detect possible security events in real time.
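The features listed above can be read as a policy decision: deny by default, verify subject and device every time, grant only the micro-segmented resource the subject is entitled to, gate on risk, and log every decision. The evaluator below is an added illustration written for this article, not code from John Kindervag or Forrester; the policy table, subjects, resources and risk scores are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class AccessRequest:
    subject: str            # asserted identity, never assumed to be the real person
    device_id: str
    resource: str
    mfa_verified: bool      # subject re-verified with MFA for this session
    device_compliant: bool  # device posture check passed for this session
    source_zone: str        # "internal" or "external"; logged, never trusted
    risk_score: int         # 0..100, constructed contextual risk signal

# Constructed policy table: each resource lives in one micro-segment with an
# explicit allow-list of subjects and a maximum tolerated risk score.
POLICY = {
    "payroll-db": {"segment": "finance", "subjects": {"alice"}, "max_risk": 30},
    "wiki":       {"segment": "corp",    "subjects": {"alice", "bob"}, "max_risk": 70},
}

AUDIT_LOG = []  # continuous visibility: every decision, allowed or denied, is recorded

def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Deny-by-default evaluation of one request. Called per session/request,
    not once at login, so a change in posture or risk is re-checked."""
    allowed, reason = False, "no policy for resource (default deny)"
    policy = POLICY.get(req.resource)
    # Note: req.source_zone is deliberately not consulted; being "inside the
    # network" earns no trust under the assumption of compromise.
    if policy is None:
        pass
    elif not req.mfa_verified:
        reason = "subject not MFA-verified for this session"
    elif not req.device_compliant:
        reason = "device failed posture check"
    elif req.subject not in policy["subjects"]:
        reason = "subject not entitled to resource (least privilege)"
    elif req.risk_score > policy["max_risk"]:
        reason = f"risk score {req.risk_score} exceeds segment limit {policy['max_risk']}"
    else:
        allowed, reason = True, f"granted within micro-segment {policy['segment']}"
    AUDIT_LOG.append({"subject": req.subject, "device": req.device_id,
                      "resource": req.resource, "zone": req.source_zone,
                      "allowed": allowed, "reason": reason})
    return allowed, reason

if __name__ == "__main__":
    print(evaluate(AccessRequest("alice", "lap-1", "payroll-db", True, True, "external", 10)))
    print(evaluate(AccessRequest("alice", "lap-1", "payroll-db", True, True, "internal", 55)))
    print(evaluate(AccessRequest("bob", "lap-2", "payroll-db", True, True, "internal", 5)))
```

The second call shows the same verified subject on the same device being denied mid-session because its risk score rose, which is the "continuous verification" the list describes rather than a one-time login check.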

“Zero Trust is an information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices. Zero Trust advocates these three core principles: All entities are untrusted by default; least privilege access is enforced; and comprehensive security monitoring is implemented.” — Forrester

ALWAYS VERIFY, DON’T TRUST (NOT TRUST, BUT VERIFY!)

John likes to point out that “trust, but verify” is a misnomer and that trust is a human emotion that has been misapplied in digital systems. Zero Trust involves verifying everything and eliminating trust. As the concept has gained traction, multiple zero trust definitions have emerged and it is on the verge of becoming the de facto cybersecurity approach. Marketers have also taken to applying the label generously, and perhaps inauthentically, to many commercial products. So Zero Trust standards and frameworks should be embraced while, at the same time, a healthy dose of skepticism is in order whenever a product is tagged and promoted as “Zero Trust”. But the crux of the zero trust movement is a material paradigm shift in how we think about securing networks, and it will likely be a key component of most security architectures, as well as of regulation, for many years to come. In large part, you can thank John Kindervag.

[1] Discussions around the problem of trust go back at least as far as 1984 with Ken Thompson.

[2] Insider threat, or insider risk, has become a topic of interest in recent years that is focused on threats that were “trusted”. Some of the spectacular examples include Edward Snowden, Chelsea Manning, Ahmad Abouammo, Paige Thompson, and Jon Frank.

[3] An excellent read on the early challenges of network security is Cliff Stoll’s The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage. Cliff is also a highly entertaining personality and keynote speaker.
