Zero trust – a rose by any other name…

At a recent forum of senior CTOs, CISOs and analysts, several participants expressed a dislike for the term ‘zero trust’. The vagueness of the message, the inconsistent way different vendors use it and the confusion it caused amongst users had led some forum members to steer away from the branding for both internal and external communication. The group all agreed that the concepts behind zero trust are sound, but many wanted a better way to describe them to their broader organisations. By Phil Allen, VP, Ping Identity.

Some of the comments centred on pushback from internal stakeholders and other staff. One CIO said that when they started talking about zero trust initiatives, the feedback they received was that the term was perceived to imply that the IT department did not trust the staff. Another reported that staff felt the term suggested there were hackers inside the organisation. Both assumptions were false, but the name required further explanation. For many of the forum’s participants, getting staff on board is essential for security initiatives to work, and as a result a growing number were not using the term zero trust outside of their respective IT departments.

Defining trust

According to an authoritative book on the subject, “Zero Trust Networks” (Evan Gilman and Doug Barth, O’Reilly Media Inc, 2017): “The Zero Trust Model treats all hosts as if they’re internet-facing, and considers the entire network to be compromised and hostile. By taking this approach, [zero trust] focuses on building strong authentication, authorisation, and encryption throughout, while providing compartmentalised access and better operational agility.”

However, zero trust is an operating model and not a codified standard like, say, HTTPS, so how to get to this position is up to each organisation. Which elements are at the core of zero trust may also differ depending on individual needs and technology vendor positioning.

Even when they have deployed it, some organisations do not consider that they have adopted this position. A recent case study call with a financial services organisation is a case in point. It had deployed many of the elements of a zero trust model, including deep Identity and Access Management (IAM) controls with Multi-Factor Authentication (MFA), device host checking and an always-on VPN. Yet when asked directly about zero trust it replied: “No… we have not deployed zero trust – that’s not for us…”, even though, by most measures, it was pretty close to the ideal zero trust position.

Zero trust adjacent

This feedback from the forum and internal discussions has prompted us and several other vendors to position our technology in different ways. Identity-centred security has many of the zero trust elements at an architectural level. However, rewording the concept to focus on establishing a trusted identity better aligns it with the broader societal requirement of assuring and securing personal identity as a core cybersecurity best practice. In our view, identity is the foundation for any transition: until you can secure the ‘who’, every other part of the zero trust model is weakened and ultimately flawed.

There are other zero trust style descriptors, such as Gartner’s Continuous Adaptive Risk and Trust Assessment (CARTA). The analyst firm defines how organisations can reach this position in its report “Seven Imperatives to Adopt a CARTA Strategic Approach” by Neil MacDonald, which sets out a roadmap. The 2018 report was widely republished and offers seven commandments, namely:

● Imperative No. 1: Replace One-Time Security Gates With Context-Aware, Adaptive and Programmable Security Platforms

● Imperative No. 2: Continuously Discover, Monitor, Assess and Prioritize Risk — Proactively and Reactively

● Imperative No. 3: Perform Risk and Trust Assessments Early in Digital Business Initiatives

● Imperative No. 4: Instrument Infrastructure for Comprehensive, Full Stack Risk Visibility, Including Sensitive Data Handling

● Imperative No. 5: Use Analytics, AI, Automation and Orchestration to Speed the Time to Detect and Respond, and to Scale Limited Resources

● Imperative No. 6: Architect Security as an Integrated, Adaptive Programmable System, Not in Silos

● Imperative No. 7: Put Continuous Data-Driven Risk Decision Making and Risk Ownership Into Business Units and Product Owners

These imperatives are helpful in setting out a roadmap, and several of the forum members mentioned that they were following CARTA as a blueprint for transitioning their respective security positions.

Emerging standard

The wider concept of zero trust is gaining a boost from the National Institute of Standards and Technology (NIST), part of the US Department of Commerce. NIST is responsible for developing information security standards and guidelines, including minimum requirements for [US] federal information systems. NIST is a powerful body and is behind a number of mandated standards, such as Federal Information Processing Standard (FIPS) 140-3, which governs the cryptographic modules used by federal agencies.

NIST is currently working to codify zero trust, potentially as a federal standard. Part of that standards creation process was a survey of leading security vendors, and NIST’s most recent report on the subject recognised that there is still a “…lack of a common framework and vocabulary for ZTA [Zero Trust Architecture]” and little “…documented end user experience in an enterprise with a ZTA”. Nevertheless, the current “NIST Special Publication 800-207 - Zero Trust Architecture” makes excellent reading for any CISO or CIO who is tasked with implementing a better security position. Crucially, it is not coloured by any vendor bias.

It is interesting to note that all our forum participants agreed that zero trust, or a similar rose by any other name, would ultimately become their position for cyber security within their organisation, a shift that has been accelerated by the ongoing health crisis and the increase in home working it has prompted. The limiting factors were commonly time, budget, or a lack of human resource due to other pressing projects. Although many were at different stages, each one of them had included identity as the central tenet, and each agreed that the current “perimeter centric” approach is obsolete.
