Zero Trust is an increasingly popular concept within cyber security and it’s one that business owners should be paying careful attention to. In this article, we explore what Zero Trust is and the factors that should be considered before implementing it.
A defining characteristic of cyber security in the last quarter of a century has been its domination by discrete technologies such as anti-virus software, firewalling, intrusion detection, pen testing, sandboxing, threat intelligence, biometrics, and AI automation.
The problem is that clever technology alone hasn’t been enough to stop cyber attacks from getting steadily worse. Organisations implemented each generation in a best-fit manner, often quite chaotically, before a new one arrived to replace or supplement it. What was missing was a simple big idea to bind these components into a larger whole with greater rigour and conceptual depth.
After searching for this game-changing idea for a long time it seems that the industry has finally found a good-looking candidate called zero trust (ZT). If you doubt the prominence of zero trust, run a Google search on the term and it’ll return an extraordinary 645 million results, most from the last three years.
It’s become so important that none other than US President Joe Biden mentioned it in his now famous May 2021 White House executive order to improve national cyber security within 60 days:
“The Federal Government must adopt security best practices; advance toward Zero Trust Architecture…”
It went on to mention other improvements needed such as centralising analytics and using cloud security services, but it was hard to miss that zero trust has been placed at the top of the list.
First Principles of Zero Trust
But what is Zero Trust and why has it grabbed so much attention so quickly?
Who coined the term is unclear, but it was popularised by then-Forrester analyst John Kindervag during a presentation in 2009. Building on the earlier work of the British Jericho Forum on de-perimeterisation, he observed that an important root of many security problems was the way organisations designed cyber security around increasingly obsolete notions of trust.
If you were inside the network perimeter your identity was trusted, which meant that you could log on using nothing more robust than a username and password. Bad people like hackers, by contrast, were always outside the perimeter looking in and would be detected as they passed through security checkpoints such as firewalls.
Except, of course, the perimeter was now everywhere, inside and outside the network, on many different devices in many places, including ones that were machines talking to one another and not even people. Simply trusting a digital identity was madness – identities could be stolen or hijacked by malware too easily.
Kindervag’s idea of Zero Trust was based on two simple observations. First, expecting the perimeter security model to keep people out was doomed because, like a building with draughty doors, modern networks had too many access points and weaknesses for that to work.
Second, the logical solution to this was that no device, user, or connection should automatically be trusted without careful verification. Every entity connecting to a network, or within a network, was a potential threat no matter which identity was used, where it was connecting from, and what it was connecting to. Modern malware meant that even legitimate users posed a risk.
What Zero Trust Means for SMEs
If there’s a hitch with Zero Trust it’s that while it tells organisations what to do, it doesn’t tell them how to do it. Making it work on the ground can be daunting because it leaves open the whole question of implementation.
For example, should organisations ditch unreliable security protections such as passwords and impose tougher authentication? That sounds straightforward until the organisation discovers it still depends on a hard-to-replace legacy application that can’t verify using anything else.
Another issue is that once you abolish trust, that means nothing should trust anything. Networks no longer trust remote users while users should no longer trust networks in return. The need to authenticate things increases dramatically. In a sense, everything – users, devices, applications, and data – becomes its own perimeter, monitoring everything else with suspicion.
But it gets worse. Should devices even trust themselves? After all, sophisticated malware can lurk hidden inside a single application or a piece of low-level firmware that anti-virus can’t monitor. This suggests that PCs should have their own internal gateways that constantly check and verify each other.
Networks this paranoid can’t function easily, even if organisations knew how to build them. It’s a world where far from disappearing, perimeters and firewalling are everywhere – inside networks, inside devices, and inside applications. It’s an interesting vision but it’s a potentially very complicated one.
In fact, we’re starting to see the first implementations of these principles in developments such as HP’s Wolf Security, a suite of verifications built into PCs from the firmware level up. It builds on the Trusted Platform Modules (TPMs) already used in PCs to guard cryptographic keys, and soon every business PC could have this sort of technology built in.
Future Challenges Presented by Zero Trust Approaches
One phenomenon that has sharpened interest in zero trust ideas is the shift towards more people working from home, which reduces what security teams can see and so raises the chances of a compromise.
An unintended short-term consequence could be that organisations take a shortcut to Zero Trust by locking down their remote users with strict policies, limited privileges, and contract penalties for anyone who tries to bypass this. This could easily start to exact a toll as users struggle with regular verification checks, killing productivity.
Despite these uncertainties, there’s little doubt Zero Trust is already a big influence and is here to stay. Most likely, the next generation of malware will respond to Zero Trust with new strategies to tunnel between trust zones. Zero Trust will make life harder for attackers, but it absolutely won’t stop them from trying.
NCSC Zero Trust
The National Cyber Security Centre offers eight principles around which organisations should implement Zero Trust network architecture:
- Know your architecture, including users, devices, services and data
- Know your User, Service and Device identities
- Assess your user behaviour, devices and services health
- Use policies to authorise requests
- Authenticate & Authorise everywhere
- Focus your monitoring on users, devices and services
- Don’t trust any network, including your own
- Choose services designed for Zero Trust
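The principles above applied to a single access decision, as an added illustration that is not from the article or the NCSC (assumed: a constructed role map, a device attestation flag standing in for a TPM-backed health check, and a 30-day patch-age threshold). The legacy perimeter check described earlier in the article sits beside a zero-trust evaluation that ignores network location entirely.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    password_ok: bool       # legacy check: username + password matched
    mfa_verified: bool      # strong identity verification completed
    device_id: str
    device_attested: bool   # boot/firmware measurements verified (e.g. via a TPM); assumed flag
    patch_age_days: int     # days since the device was last patched
    source_network: str     # "corporate-lan", "home-broadband", "cafe-wifi" ...
    service: str
    action: str

# Constructed policy data (assumption: a simple role-based model for the example).
USER_ROLES = {"alice": "finance", "bob": "engineer"}
ROLE_PERMISSIONS = {
    "finance": {("payroll", "read"), ("payroll", "write")},
    "engineer": {("git", "read"), ("git", "write")},
}
MAX_PATCH_AGE_DAYS = 30  # assumed threshold for "device health"

def perimeter_allow(req: Request) -> bool:
    """The old model the article describes: inside the perimeter, a password is enough."""
    return req.source_network == "corporate-lan" and req.password_ok

def zero_trust_allow(req: Request) -> tuple[bool, list[str]]:
    """Evaluate every request the same way, wherever it comes from.

    Returns (allowed, reasons); an empty reasons list means the request is allowed.
    """
    reasons = []
    # Know your identities; authenticate everywhere: a password alone never suffices.
    if not req.mfa_verified:
        reasons.append("identity not strongly verified (no MFA)")
    # Assess device health: an unattested or stale device is denied even for a valid user.
    if not req.device_attested:
        reasons.append(f"device {req.device_id} failed attestation")
    if req.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"device {req.device_id} last patched {req.patch_age_days} days ago")
    # Use policies to authorise requests: least privilege per service and action.
    role = USER_ROLES.get(req.user)
    if (req.service, req.action) not in ROLE_PERMISSIONS.get(role, set()):
        reasons.append(f"no policy grants {req.user} '{req.action}' on {req.service}")
    # Deliberately absent: any branch that grants access because source_network is
    # "corporate-lan". Don't trust any network, including your own.
    return (not reasons, reasons)
```

The reasons list is what a monitoring pipeline would record for each denied request, which is where the "focus your monitoring on users, devices and services" principle lands in practice.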
For further information about Zero Trust policies, including how best to implement them, you can find out more on the NCSC website.