Exploring the myths of Zero Trust

By Guy Matthews, Editor of NetReporter

Zero Trust is not a technology. It’s a state of mind, or perhaps a philosophical stance. So believes Rik Turner, Principal Analyst, Emerging Technologies with consulting firm Omdia: “It’s a mindset, and as such it involves as much of a cultural change in a company as it does any actual technology that you’re going to use to enable it,” he says.

Step one of this culture change, he believes, is to move away from previous security paradigms, such as ‘trust but verify’. “You used to log on at the gate, and they would check who you were, verify you, and once you were in, that’s it,” recalls Turner. “That no longer holds. It’s faulty and extremely vulnerable. The Zero Trust mentality is summed up as ‘never trust, always verify’.”

Zero Trust, he says, means no trust for any employee, partner, partner’s employee or contractor, at any time: “It’s across the board, from your internal employees all the way through to the third parties that you let interact with your system. No more trust for any of them.”

The future of getting on to a network lies in authenticating all parties, their identity and the security posture of their device every time they request access to any individual asset within your infrastructure: “It’s about asking for access to a particular application, to a specific asset, to a particular database, and even then only if they meet all the criteria,” notes Turner. “There may be criteria such as time of day. We don’t want just anybody dialling in at two o’clock in the morning, because that’s a bit strange. Equally we don’t want people who normally log in from the UK to suddenly dial in from China. There will be geographic limits here and there that you yourself can choose and set in order to frame the authentication and authorization of that individual.”

It is also important, says Turner, to continuously monitor what a person does once admitted to a network in case another individual hijacks their account: “Suddenly there’s somebody else who appears to have been authenticated at the entry point. So you have to keep an eye on them effectively throughout a session looking for anomalous behavior. Then you can either block them altogether, kill the session, or if you have some level of confidence that it is still them, you’d like to reaffirm that confidence.”
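An added example, not taken from the article or from any vendor it names, of the per-request access decision and in-session re-evaluation described above. The policy table, the field names and the grading (one unusual signal triggers re-verification, two trigger a block) are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from datetime import time

# Constructed per-resource policy (names and values are illustrative).
POLICY = {
    "hr-database": {"groups": {"hr"}, "countries": {"GB"},
                    "hours": (time(7, 0), time(20, 0))},
}

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    authenticated: bool      # identity re-verified for this request
    device_compliant: bool   # device posture signal (assumed to exist)
    country: str             # ISO country code of the source
    clock: time              # time of day in the policy's time zone
    resource: str

def decide(req):
    """Return 'allow', 'step_up' or 'deny' for one request to one asset."""
    rule = POLICY.get(req.resource)
    if rule is None or not (req.authenticated and req.device_compliant):
        return "deny"                      # default deny, no implicit trust
    if not (req.groups & rule["groups"]):
        return "deny"                      # not entitled to this asset
    start, end = rule["hours"]
    unusual = ((req.country not in rule["countries"])
               + (not start <= req.clock <= end))
    # Assumed grading: one odd signal -> re-verify, two -> block.
    return ("allow", "step_up", "deny")[unusual]

def run_session(requests):
    """Evaluate every request in order; a deny ends the session."""
    verdicts = []
    for req in requests:
        verdicts.append(decide(req))
        if verdicts[-1] == "deny":
            break                          # later requests are never served
    return verdicts

# Constructed session: normal start, then the source country changes,
# then the device falls out of compliance.
_first = Request("alice", frozenset({"hr"}), True, True, "GB",
                 time(10, 0), "hr-database")
SESSION = [_first,
           replace(_first, country="CN", clock=time(10, 5)),
           replace(_first, country="CN", device_compliant=False),
           replace(_first, clock=time(10, 30))]

if __name__ == "__main__":
    print(run_session(SESSION))
```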

Turner talks of Zero Trust as sometimes seeming akin to ‘institutionalized paranoia’: “It would certainly be seen as paranoia in your social life,” he notes. “But we are talking about your corporate existence, and the need to defend your corporate assets, your data, your infrastructure, even your people, and sometimes Zero Trust is going to meet resistance. There will be people within your organization who say ‘this is a bit extreme isn’t it?’”

To broaden the conversation, Turner talks to a select panel of security experts from around the tech sector to find out what they are doing to help customers embrace Zero Trust.

“We tell them it’s about trying to give every device, user, anything that enters your network, the absolute lowest level of privilege that you can possibly give to them,” says Jordan LaRose, Director of Consulting and Incident Response, Americas with F-Secure. “But it’s not like you have to throw the baby out with the bathwater. You don’t have to completely strip out everything in terms of privilege. You really need to carefully consider how every single piece of your environment is put together.”

“The first thing we do to help our customers is enable them to do what’s now being called ‘shift left’, in other words build Zero Trust technology into the development and delivery lifecycle, rather than bolting it on later,” explains Galeal Zino, Founder and CEO with NetFoundry. “We’re enabling developers and DevOps and NetOps to do that, which makes life much easier for end users down the line. And then the second thing is what I call ‘journey plus destination’ where we want to give customers the ability to get their organization where they need to go, not just from a security perspective but a business perspective. We need to enable them to take an iterative approach to produce tangible business benefits.”

Chris Kent, Senior Director, Product Marketing with HashiCorp, sees companies moving on from an on-prem world where trust was implied to more of a distributed world where there are multiple clouds and hybrid models: “We really believe that Zero Trust is predicated on the idea of authenticating and authorizing everything based on identity, the identity of the person, the identity of the machine, and that every action that is taken, everything has to be verified,” he says.

Gone are those days of the hardened perimeter, points out Vivek Bhandari, Senior Director of Product Marketing, Networking & Security with VMware. “Back then everything inside was good and anybody could access anything. Now there’s the mindset of the unwelcome guest within our environment. At VMware we’ve been talking to a lot of customers and realised that the environment has become very complex, and so what we are focusing on are some key areas where we have an intrinsic advantage with our platforms to help customers simplify and accelerate their journey to Zero Trust.”

Ian Farquhar is Field CTO (Global), Director, Security Architecture Team with Gigamon, which he says has been involved in a lot of Zero Trust pilots: “It’s important to talk about practical, achievable outcomes because lots of people are asking how to make it work in the real world,” he says. “It’s a difficult transition and you need to troubleshoot and to diagnose and to verify the function of all the controls.”

Bhandari of VMware invites the analogy of somebody breaking into your house and then staying for weeks or months, going from room to room and listening in to conversations: “It’s untenable,” he says. “We can’t imagine somebody doing that in our homes, but yet that is what is happening within our networks today, and that’s why there is all this need for Zero Trust. That’s why we have built in capabilities, leveraging our Carbon Black endpoint solution that is now integrated into the hypervisor for customers. Then you have an agentless experience where you can ubiquitously deploy best of breed EDR technology for server workloads.”

Kent of HashiCorp believes micro segmentation to be interesting and important: “Because one of the ways that we’re seeing the world change is this idea of stepping outside of the realm of the VPNs, the SD-WANs and going more on to the service level,” he says. “That’s why we have a product called Consul, both in an open source and enterprise version, which allows for service networking while securing the access between two services. Database A can talk to application B, and any other request that comes in is just blocked. You’re also encrypting traffic between them.”

Farquhar says that Gigamon has also done a lot of work with micro segmentation, not only in the cloud environment but in the physical environment: “When we are doing Zero Trust, we need to look at the whole network,” he notes. “A lot of people view Zero Trust only through the lens of managed devices. Real networks don’t look like that. I’m sure many people heard the story of the casino in Las Vegas that got hacked through an IoT temperature thermometer in an aquarium in the foyer. The attacker got through and into the casino’s network. So how do we manage this? By looking at the network behavior of every device.”

So how to achieve more widespread Zero Trust adoption in the face of all this complexity and danger? LaRose of F-Secure sees security as a problem that you can only mitigate, not solve: “It’s a problem that you can strategize around, but it’s not something you’re going to find a silver bullet solution for. It’s something that plays into a wider security strategy that supports a Zero Trust methodology and gives you a chance against these attackers that are coming in through your microwave or through maybe even a microchip in the back of your mainframe.”

Zino of NetFoundry adds that the objective of any company is not Zero Trust, or even security: “It’s delivering an awesome experience to their customers,” he says. “It’s innovating. Those are the actual business goals. Modern companies with modern architectures are multi-cloud. The compute is all over the place; it will increasingly be at the edge as well. We are moving to a distributed compute world where it’s all about the application, not the network. Obviously, no network should be trusted. That’s not the job of the network. The job of the network is to deliver packets. When we make it about the application and we identify, authenticate and authorize based on a number of factors that have nothing to do with the network, then we can properly enable application access not just from a security perspective, but also from a business velocity, agility, extensibility perspective.”

  • Editor’s viewpoint: Many people feel somewhat confused about exactly what is meant by ‘Zero Trust’, writes Guy Matthews, Editor of NetReporter. At NetReporter we call it a security framework that demands that all users of a network, and all devices that wish to attach to that network, be authenticated, authorized, and validated on an ongoing basis before being given access to applications and data. Initially coined in 2010 by an analyst from Forrester Research, it is a model that moves beyond the idea of a traditional network edge, acknowledging that networks can be local, based in the cloud, or a hybrid of the two, with resources and users that might be located anywhere. It is increasingly being seen as the basis for securing infrastructure and data in an era of digital transformation, addressing modern cloud-related challenges such as securing remote workers, managing complex cloud environments, and seeing off ransomware threats.