Globally there is more and more attention for Zero Trust. Tech companies like Google and numerous US government agencies, including the FBI, have used the Zero Trust principles to set up their security infrastructure. This increasing popularity also means that more and more is written about it. Unfortunately, the many online publications show that there are quite a few misgivings – and that not everyone understands what exactly is the purpose of Zero Trust.
Arguments why Zero Trust shouldn’t work
A position we’ve encountered several times is that Zero Trust is an ‘unrealistic’ security model. The following two factors would prevent a successful implementation of Zero Trust:
- Existing applications are not completely capable of implementing strict limitations per user, as the Zero Trust model prescribes;
- Organizations are not capable of changing their mindset and conforming to the Zero Trust model.
But is this even what Zero Trust is all about?
The question is, of course, whether or not this actually turns Zero Trust into an unrealistic security model. What is the thought behind the Zero Trust model and – to answer the question that is explicitly asked – how unrealistic is the Zero Trust model?
The Zero Trust security model defines a transformation strategy based on 5 basic steps, which are described by founder of the Zero Trust model, John Kindervag, on DARKReading.
A means and not an end in itself
Is Zero Trust limited to the definitions of these 5 steps, or does Zero Trust go beyond? Personally, I believe that it’s not even about that. The five steps that John Kindervag outlines are a means to reach an end, and not an end in itself. At the end of the day, Zero Trust is about mitigating risks. Reducing risks of data leaks and data loss, regardless of the cause.
This means that you have to use a combination of sensors and measures to gain insight in what happens to your date, to ensure you gain control over who or what has access to specific data at what time and in what way.
Or, by implementing security around your data based on the 5W1H-method: who has access to what from where, when is this access allowed and how should this access be arranged?
Zero Trust goes beyond
To return to the statement that many applications (landscapes) can’t even give details of the first W (who), this statement might have a point. However, Zero Trust doesn’t stop when your application landscape can’t follow.
When your application landscape is incapable of executing user-based access control, you may already be using other control points, like firewalls or load balancers, who can answer the who-question.
The first steps towards the Zero Trust-model
If you can’t answer any of the w’s or h’s, this doesn’t mean you’re not able to take the first steps towards the Zero Trust model. By first implementing sensors, you can at least gain insight in your current situation.
Regardless of how bad it is from a security standpoint, consider it your baseline, and start from there on out with improving, based on John Kindervag’s 5 steps. Sometimes the first step can be as simple as placing a sensor between your users and their applications/data.
It is not about a 100% Zero Trust-score
This also means – coming back to the second argument – that there is no requirement for your organization to be completely ‘Zero Trust ready’. Zero Trust isn’t about achieving a 100% Zero Trust score in your environment.
The Zero Trust model is about constantly improving your security position by gaining insight in the use of and the access to data, implementing security controls, evaluating where you currently stand, determining follow-up steps and then repeating this process to continue improving your security standpoint – and keep reducing the risk you run.
Or, by following the Plan-Do-Check-Act cycle, a well secured process that can be found in almost every organization. A mentality change is therefore not so much a requirement; this mentality has usually already been there for a long time. The way in which you can then complete this cycle is, by example, by using the five steps that John Kindervag describes on DARKReading.
How realistic is the Zero Trust-security model?
So, how realistic is the Zero Trust security model? It is actually not the right question to be asking. If you phrase it like that, you’re saying Zero Trust is an end goal, whereas Zero Trust was never meant to function as an end goal. It has never been Zero Trust’s goal to get to a point where everyone can say they are 100% Zero Trust.
Zero Trust is about mitigating risk, not about being feasible. It is a way to handle your data from a security standpoint. Zero Trust is the north star we use to guide us through the IT security landscape.
The sources below provide more information about Zero Trust:
Product Owner Cloud Security, Security Architect