This post is also available in: 日本語 (Japanese)
Trust was historically the barrier to widespread implementation of remote work. That is, employers wondered if they could trust employees to do the right thing when they weren’t in the office, delivering the same level of performance or productivity when faced with the distractions of home. Until recently, working remotely in the comfort of home was perceived as a rare permission or privilege. As part of dealing with the challenges of the past 18 months, people adapted to completely different ways of living, learning and working. That missing trust in employees seems to suddenly be adopted and effectively so. But, trusting remote workers is very different from implicitly trusting the technology they use.
What is “trust” if not an emotional brain state that is reached when there is belief that someone will behave in certain ways? Employers can and should trust employees. But, there’s a second element of trust involved in remote work. We use technology to mediate between where workers are and where the information they need to access is stored. Trouble starts to appear when access from these users’ devices is loosely granted to data, applications and IT systems.
In cybersecurity, for example, you’ll often see mentions of trusted networks, channels, interfaces, devices, certificates, credentials and many other elements of the IT infrastructure that have been personified, in order to achieve simplification. This perception of trust comes from the implicit belief that these components have somehow earned the right to be used without restriction, most likely because of their present location or the fact they have proven their identity at least once, successfully.
This is what we call “Implicit Trust.”
Here are some of the most basic questions any attacker will go through while planning the compromise of an IT system:
- Where does the trusted network end?
- How many systems can be reached from this trusted device?
- What can I access by using this combination of trusted username and password?
What do these questions have in common? They all rely on the assumption that an implicitly trusted component can give an attacker a clear offensive advantage.
Attackers do indeed gain an advantage when they are able to take control of a machine that is implicitly trusted and therefore access other systems without any further security checks.
On the other hand, if adopted correctly, Zero Trust thwarts this advantage, by removing the concept of trust from the decision making related to accessing information and interacting with digital assets.
Even though Zero Trust recently celebrated its 10th anniversary, why don’t people and organizations fully understand what Zero Trust means and how it should be implemented?
This mostly has to do with the fact that the term Zero Trust tends to be misused or misinterpreted to fulfill the agenda of vendors looking to make their solutions more attractive and compelling. Products offering Zero Trust Network Access (ZTNA), software defined perimeters (SDP) or even identity defined perimeters (IdP) are attempting to claim their right to be listed as silver bullets of a Zero Trust architecture without really considering that in order to achieve Zero Trust for the whole enterprise, we need to strategically remove implicit trust from IT systems and constantly validate every digital interaction in the process.
This really means that specific capabilities are required to be successful in deploying Zero Trust strategically, but while adopting them, we need to carefully consider how we are going to deal with the myriad of individual products and vendors that claim to solve an individual problem related to implicit trust.
What is a firewall, if not a tool to remove implicit trust among networks and IP addresses? But, for any traffic allowed by the firewall, should we trust the identity of the user or device behind it? We need an identity solution to solve that implicit trust problem. But then, what about the devices users are connecting from? Can we trust that they have not been compromised? This is when, historically, endpoint security solutions were introduced to remove another layer of implicit trust.
The problem with this approach is that it never ends and every implicit trust problem generates the need for an additional product or solution that will try to mitigate it.
Can we trust the actual traffic from authenticated users? We need IDS/IPS for that. What about files sent between devices? Network Anti-Virus and Sandboxing are required and so on…
Based on the above, it is not a mystery that businesses adopting cyber-security solutions are forced to do so in a very piecemeal approach and proceeding in a tactical, disjointed fashion.
When every single solution in the market solves a small piece of the big trust problem, how many do we have to adopt and how do we manage to make them all work together?
This perspective needs to be reversed and in order to solve the issues with Zero Trust that have been pervading cybersecurity for over a decade, we require to focus on the strategy first, and the technology later. Understanding that identity, device integrity, access control and continuous inspection are required at all times to achieve Zero Trust, is very different from adopting and deploying products that only tackle an individual cybersecurity issue, without aligning to the bigger picture of a strategic approach. Cybersecurity itself should always align to business outcomes, and practitioners should realize that their goal is not to catch the bad guys, or prevent the next 0-day, but to keep the business running at all times even when swamped in a myriad of cyber attacks on a daily basis.
This is why at Palo Alto Networks we have developed specific design services around Zero Trust that take care of understanding business priorities and critical assets, even before discussing the correct architecture and capabilities required to achieve Zero Trust, shifting the conversation from “what product should I buy to get to Zero Trust?” to “how mature are my Zero Trust capabilities, and where am I applying them?”
In conclusion, if we approach Zero Trust with a strategic mindset, instead of technology adoption, all the issues and misunderstandings around its nature are bound to disappear and the ultimate goal of cybersecurity – maintaining business continuity in spite of cyberattacks – becomes a realistic and achievable outcome.
I Have Zero Trust Issues Blog Series
For all the reasons outlined, I started the “I Have Zero Trust Issues” blog series that covers misconceptions around Zero Trust and how the term is inaccurately used throughout the cybersecurity industry to sell individual point products that have created a fragmented market, too difficult to consume and always a step behind in removing implicit trust.
My intent is to ensure that we help both the cybersecurity industry and its practitioners get it right with Zero Trust, once and for all. We will demonstrate that a Zero Trust strategy is not only achievable, when approached from the correct angle, but also cost-effective and frictionless to both established and future environments.
Through the series, be prepared to explore use cases, scenarios, technologies, platforms and discuss how they complement or contradict the design and capabilities Zero Trust requires. In doing so, I am confident we will be able to bring back the focus and true value of the most effective cybersecurity strategy available today.
Have a look at the first follow-up blog: “I Have Zero Trust Issues with ZTNA,” which covers the contradictions of a set of products that were accidentally named after Zero Trust to begin with.