With Zero Trust, What’s Old Is New—and Critical
Zero trust is more than window dressing.
More than just a technology focus, zero trust (ZT) is an invitation for all of us to think differently about cybersecurity. We are losing on the cybersecurity battlefield, and continued investment in more advanced versions of the same architecture patterns will not change that.
Zero trust is a recurring theme in the Biden administration’s May 2021 cybersecurity executive order, which has generated online discussions, white papers and guidance across public and private sectors, including the critical infrastructure community. More recently, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget released a series of key documents for public comment. These documents include the Federal Zero Trust Strategy, the Zero Trust Maturity Model and the Cloud Security Technical Reference Architecture.
ZT dialogue tends to circle around the phrase “Never trust, always verify,” which essentially means we need to throw out implicit trust in network-connected devices and focus instead on authenticating and authorizing access to resources with every transaction. In short: no implicit trust of users or endpoints.
If this all sounds familiar to you, it is. ZT’s pedigree dates back before then—Forrester Research’s John Kindervag popularized the term in 2009. One early source is the Jericho Forum in 2004, which explored the need to manage access to data in an ever more decentralized world: a concept called de-perimeterization. Even back then, it was clear that reliance on establishing trust at a rapidly disappearing network perimeter did not provide sufficient security. If you haven’t read the Jericho Forum Commandments, they are a quick and informative introduction to the foundation of ZT.
What about risk management framework, defense in depth and DevSecOps? Nothing is tossed aside with zero trust.
Where to begin? If you haven’t started yet, we recommend reading The MITRE Corporation’s "Zero Trust Architectures: Are We There Yet?" The executive summary and introduction are easy to digest and provide a nice foundation that summarizes the literature to date. Then tackle the National Security Agency’s "Embracing a Zero Trust Security Model."
It provides a sobering reasoning for ZT and summarizes the guiding principles and design concepts around it. Finally, we recommend reading and tracking all three of the previously mentioned documents from the Office of Management and Budget and the Cybersecurity and Infrastructure Security Agency. The authors of these guidance documents are collaborating closely to maintain cognitive alignment. After synthesizing public feedback on these documents, we can expect updates and extensions to other core publications such as the National Institute of Standards and Technology’s SP 800-207.
If we have had these concepts for so many years, what has changed? Why should we care now?
Bluntly, enterprises, private and public sector, have done a poor job addressing de-perimeterization and the decentralized management of resources. Enterprises maintain a continued reliance on security architectures based on implicit trust. Bad actors take advantage of this fact to gain footholds behind our security lines and move laterally across our networks, exploiting data and privacy at an alarming rate. The castle-and-moat security design that puts the defenses on the perimeter and trusts everything inside the wall is very much alive, and this new ZT dialogue forces us to question why.
It’s tempting to call this yet another security trend, but ZT is far more than a window dressing on established security principles: it puts authentication, authorization and end-to-end security front and center.
Bottom line: we need to stop trusting based on whether a system or user is authenticated to a virtual private network or lives inside the network.
This article is the first in a series that will explore ZT and cyber resiliency, the journey to ZT and similar topics. Also, look for SIGNAL Magazine’s December issue, which will offer Zero Trust as a central theme.
John Dvorak is a member of the AFCEA Technology Committee and AFCEA Zero Trust Strategies Subcommittee and an emerging technology specialist for Red Hat. He is a former member of the senior executive service and private sector chief information officer and chief technology officer.