Zero Trust

The history, context, and co-opting of Zero Trust

Mar 04, 2022
Defining Zero Trust #1

This is the first commentary in the series “Defining Zero Trust Security.”

Recently, I learned of a company that claimed to be "the best Zero Trust network security provider." (Emphasis added.)

Hmm. Zero trust and network access? More like chalk and cheese. Oil and water. They’re antithetical. Mutually exclusive. And their pairing in this company’s marketing brag is preposterous.

That company’s cynical effort to hop on the ZT bandwagon highlights a challenge in defining zero trust security for the modern enterprise: Everyone knows they need it, but not everyone understands what it is. Capitalizing on the term's marketing value and vague definition, hardware companies cynically co-opt it, distorting Zero Trust's definition to fit their own (outdated, flawed, and unsafe) security model.

Reducing trust-based access to…zero
The zero trust concept is now more than a decade old. It began with an acknowledgment of a risk that was widely known, widely accepted, yet not widely questioned by enterprise IT leaders: that issuing trust to grant access to a corporate system introduces preventable (and excessive) business risk. Forrester Research analysts recognized the vulnerability of trust-based access, and proposed a new zero trust framework based on least-privileged access and the presumption that all data should be viewed as potentially hostile at all times and in all phases of its travel.

Zero trust, as defined back in 2010, seemed a visionary ideal: "If we minimize trust, then we reduce unauthorized access to corporate systems." There was just one problem. Perimeter-based network security systems couldn't achieve that. And they still can't.

Then and now, any security gateway that grants access to a corporate network is, by its very design, vulnerable to attack. In this legacy model, connectivity is indirect: Users who need application access are placed on a network first, and are then able to travel to the application. Unfortunately, in this kind of environment, trust must be issued to some extent because the user is gaining access to every single system connected to the network: "You work in HR? Well, we trust you to use only HR-related systems, and not these other accessible resources (R&D, engineering, finance) on the same network."

Worse, the network security environment is only as strong as its weakest link. If an intruder breaches one network endpoint, that threat actor can move around the network with impunity. That freedom of movement violates a key Zero Trust tenet: that all data be seen as vulnerable at all times, and be challenged at any point of transit.

The achievable, practical, scalable Zero Trust Architecture
Today, the zero trust ideal is achievable, but only with an architecture designed to support it. A Zero Trust Architecture (ZTA) decouples security from the network by decoupling application access from network access. A ZTA bases its dynamic security on context and identity (and not IP address). A ZTA connects point A to point B directly and ephemerally through a cloud-edge-delivered Zero Trust proxy. The “cloudiness” of such a solution offers scalability that hardware cannot match. You can only achieve that scalable, direct, ephemeral connectivity with a SASE-compliant ZTA like the Zscaler Zero Trust Exchange.
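
The contrast between the two models can be made concrete. The following is an added example, not code from this article or from any vendor's product: it compares what a single HR foothold can reach on a flat corporate network with what an identity-and-context broker would connect that same user to. The topology, policy table, and function names are constructed assumptions that reuse the departments named above.

```python
from collections import deque

# Constructed topology: which hosts can open connections to which, once on
# the corporate network (legacy model). Names are illustrative only.
NETWORK_LINKS = {
    "hr-laptop": ["hr-portal", "rd-wiki"],
    "hr-portal": ["finance-erp"],
    "rd-wiki": ["eng-git"],
    "eng-git": [],
    "finance-erp": [],
}

# Hypothetical per-application policy for the brokered model:
# app -> (group allowed, whether a compliant device is required).
APP_POLICY = {
    "hr-portal": ("hr", True),
    "rd-wiki": ("rd", True),
    "eng-git": ("engineering", True),
    "finance-erp": ("finance", True),
}

def network_reachable(start):
    """Systems reachable hop by hop from one foothold on the flat network."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in NETWORK_LINKS.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def broker_allows(identity, app):
    """Per-request decision on identity and context; source IP is never consulted."""
    policy = APP_POLICY.get(app)
    if policy is None:  # default deny: unknown apps are not exposed
        return False
    group, needs_compliant = policy
    if needs_compliant and not identity.get("device_compliant", False):
        return False
    return identity.get("group") == group

def brokered_reachable(identity):
    """Applications this identity can be connected to, one app at a time."""
    return {app for app in APP_POLICY if broker_allows(identity, app)}

if __name__ == "__main__":
    hr_user = {"user": "alice", "group": "hr", "device_compliant": True}
    print("flat network:", sorted(network_reachable("hr-laptop")))
    print("brokered    :", sorted(brokered_reachable(hr_user)))
```

In the flat-network case the blast radius is a property of the topology; in the brokered case it is a property of the policy, and it shrinks to nothing when the device context fails.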

Digital transformation is a journey, one that many F2000 organizations have already embarked upon. It’s not an overnight step, nor is it a “lift-and-shift” operation. Often the biggest obstacle to transformation is inertia. For IT teams that have done things a certain way for decades, change can be disorienting. Vendors peddling legacy network-based security models know this, and have co-opted "zero trust" in an effort to maintain the (unsecure) status quo. As zero trust has become popular, every company has become a Zero Trust company overnight. But it's much easier to create PowerPoint slides than it is to build truly secure Zero Trust solutions.

Thirty years ago, we relied on access to a “trusted network.” But today’s world is different. Application transformation is happening, whether IT leaders and legacy system vendors are ready for it or not. Workers are embracing SaaS, public cloud, and mobility. Network and security must be viewed through a different lens. A zero trust architecture like the Zscaler Zero Trust Exchange prevents compromise, blocks the lateral movement of threats, prevents data loss, and leverages advanced AI/ML analytical tools for identity and context.

We can reclaim "Zero Trust" from cynical network security marketers. We can drive cultural change in organizations blocked by inertia. And we can begin the digital transformation journey with zero trust security.