“Zero Trust” is a Misnomer
“Zero Trust” is the cybersecurity industry’s latest buzzword. In his recent piece, “Zero Trust Is an Initial Step on the Roadmap to CARTA,” Gartner analyst Neil MacDonald explains the zero trust approach with amazing clarity about trust itself.
MacDonald explains that neither trust, nor lack of trust, can be absolute or static. In fact, zero trust is just a starting point, as trust is required in order for work to actually take place. But this means that trust should never be implied; it should be established. Once this is done, trust must be assessed continually, with mandatory visibility into interactions to validate expected behavior.
As MacDonald notes, “Zero-Trust Networking” is probably the more accurate way to state what most customers are trying to achieve. A user or a server being on a specific network cannot be a factor in establishing trust. An IP address is not a "label" that can represent trust. Any access elements that use IP address to grant or deny access should be considered antiquated.
I see Neil’s thoughts aligned with many industry leaders who are driving their businesses to operate in a digital world. A digital business must run identically regardless of where its users are or how they are connected. As long as they have access to the internet, business must run. Tying trust to a network invariably stops an organization from adopting digitalization. In the worst case, entire VPCs get added to internal "trusted" flat networks and expose the business to far too much lateral-movement risk. As organizations move to software-defined architectures and cloud-based data centers, it is critical that they don’t use legacy controls to connect networks to networks.
MacDonald calls out several key points for organizations creating a more secure environment:
- Firewall-based security can be “initially effective,” but “creates excessive trust” that can be abused from both inside and outside the network. As MacDonald notes, a “trusted/untrusted network security model is a relatively coarse and crude control.”
- Legacy perimeter controls are not designed for trust-based security in a world of mobile users and unmanaged devices. MacDonald explains: “Trying to restrict access to applications and services for mobile users based on IP addresses is futile, and forces users to perform network gymnastics to route their traffic through on-premises systems for access—even for SaaS applications.”
- Identity is the new perimeter, and east-west/north-south distinctions don’t apply anymore. In MacDonald’s words, “Perimeters should become more granular and shift closer to the logical entities they are protecting—notably the identities of users, devices, applications and workloads (including networked containers in microservices architectures).”
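As an added illustration of the distinction MacDonald draws (not code from this post or from Zscaler), the two functions below compare a network-location allow decision with one that establishes trust from identity and device posture and then keeps assessing behaviour; the request fields, the internal address range and the anomaly threshold are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


# Hypothetical request attributes; every value used below is constructed for this example.
@dataclass
class Request:
    src_ip: str
    identity: Optional[str]   # verified user identity (None = no authenticated user)
    device_managed: bool      # device posture attested by an endpoint agent
    anomaly_score: float      # 0.0 = expected behaviour ... 1.0 = highly anomalous


# The legacy "internal" flat network (assumed range for the example).
TRUSTED_NET = ip_network("10.0.0.0/8")


def legacy_allow(req: Request) -> bool:
    """Network-location trust: anything on the internal range is implicitly trusted,
    so a host that reached that range by lateral movement is trusted too."""
    return ip_address(req.src_ip) in TRUSTED_NET


def zero_trust_allow(req: Request, max_anomaly: float = 0.5) -> bool:
    """Trust is established (identity and device posture) and then continually
    assessed (behaviour). The source network is deliberately not a factor."""
    if req.identity is None:
        return False  # no established identity, so no implied trust
    if not req.device_managed:
        return False  # unmanaged device: posture cannot be validated
    return req.anomaly_score <= max_anomaly  # re-checked on every interaction


# Constructed scenarios: an unauthenticated host inside the flat network,
# a managed user on a coffee-shop connection, and an insider whose behaviour changed.
LATERAL_MOVER = Request("10.1.2.3", None, False, 0.9)
REMOTE_USER = Request("203.0.113.7", "alice", True, 0.1)
DRIFTING_INSIDER = Request("10.4.5.6", "bob", True, 0.8)
```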
To improve an organization's security posture, MacDonald recommends implementing two zero trust networking initiatives in 2019: microsegmentation and software-defined perimeter (SDP). In the coming weeks, look for more perspectives from me on this and related topics, including continuous trust assessment, the role of identity managers, SOC, inline enforcement engines, and more.
Get your copy of Neil MacDonald’s Gartner report: “Zero Trust Is an Initial Step on the Roadmap to CARTA."
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dr. Manoj Apte is Chief Strategy Officer at Zscaler.