Some of the comments centred around pushback from internal stakeholders and other staff. One CIO said the feedback they received when they started talking about zero trust initiatives was that it was perceived to imply that the IT department did not trust the staff. Another was that staff felt that the term suggested there were hackers inside the organisation. Both assumptions were false, but the name required further explanation. For many of the forum’s participants, it is essential to get staff on board for security initiatives to work, and as such a growing number were not using the term zero trust outside of their respective IT department.
According to an authoritative book on the subject: “Zero Trust Networks”, O’Reilly Media Inc, 2017 (Evan Gilman, Doug Barth) – “The Zero Trust Model treats all hosts as if they’re internet-facing, and considers the entire network to be compromised and hostile. By taking this approach, [zero trust] focuses on building strong authentication, authorisation, and encryption throughout, while providing compartmentalised access and better operational agility.
However, as an operating model and not a codified standard like say HTTPS – how to get to this position is up to each organisation. And what elements are at the core of zero trust may differ depending on individual needs and technology vendor positioning.
Even when deployed, some organisations don’t even consider that they have adopted this position. A recent case study call with a financial services organisation is a case in point. Although it had deployed many of the elements of a zero trust model including deep Identity and Access Management (IAM) controls including Multi-Factor-Authentication (MFA), device host checking and an always-on VPN, when directly asked about zero trust replied; “No… we have not deployed zero trust – that’s not for us… ” even when, by most measures, they were pretty close to the ideal zero trust position.
Zero trust adjacent
This feedback from the forum and internal discussions has prompted us and several other vendors to position our technology in different ways. Identity-centred security has many of the zero trust elements at an architectural level. However, the rewording of the concept to focus on establishing a trusted identity better aligns it with the broader societal requirements of assuring and securing personal identity as a core cybersecurity best practice. In our view, identity is the fundamental foundation for any transition – as until you can secure the who? Then every other part of the zero trust model is weakened and ultimately flawed.
There are other zero trust style descriptors such as Gartner’s Continuous Adaptive Risk and Trust Assessment (CARTA). The analyst firm defines how organisations can reach this position with its
“Seven Imperatives to Adopt a CARTA Strategic Approach” by Neil MacDonald that set out a roadmap. The 2018 report was widely republished and offers seven commandments namely:
● Imperative No. 1: Replace One-Time Security Gates With Context-Aware, Adaptive and Programmable Security Platforms
● Imperative No. 2: Continuously Discover, Monitor, Assess and Prioritize Risk — Proactively and Reactively
● Imperative No. 3: Perform Risk and Trust Assessments Early in Digital Business Initiatives
● Imperative No. 4: Instrument Infrastructure for Comprehensive, Full Stack Risk Visibility, Including Sensitive Data Handling
● Imperative No. 5: Use Analytics, AI, Automation and Orchestration to Speed the Time to Detect and Respond, and to Scale Limited Resources
● Imperative No. 6: Architect Security as an Integrated, Adaptive Programmable System, Not in Silos
● Imperative No. 7: Put Continuous Data-Driven Risk Decision Making and Risk Ownership Into Business Units and Product Owners
These imperatives are helpful in setting out a roadmap and several of the forum members mentioned that they were following CARTA as a blueprint for transitioning their respective security positions.
The wider concept of zero trust is gaining a boost from the National Institute of Standards and Technology (NIST), part of the US Department of Commerce. NIST is responsible for developing information security standards and guidelines, including minimum requirements for [US] federal information systems. NIST is a powerful body and behind a number of mandated standards such as Federal Information Processing Standard (FIPS) 140-3, that dictates the level of encryption used by federal agencies.
NIST is currently working on codifying zero trust into potentially a federal standard. Part of that standards creation process was a survey of leading security vendors that in its most recent report on the subject recognised that there is still a “…lack of a common framework and vocabulary for ZTA [Zero Trust Architecture]” and few “…documented end user experience in an enterprise with a ZTA”. However, the current “NIST Special Publication 800-207 - Zero Trust Architecture” makes excellent reading for any CISO or CIO that is tasked with implementing a better security position. And crucially, it is not coloured by any vendor bias.
It is interesting to note that all our forum participants agreed that zero trust, or a similar rose by any other name, would ultimately become their position for cyber security within their organisation. A situation that has been accelerated by the ongoing health crisis that has prompted more home working. The limiting factors were commonly time, budget, or lack of human resource due to other pressing projects. Although many were at different stages, each one of them had included identity as the central tenant and each agreed that the current “perimeter centric” approach is obsolete.