Cybersecurity is notorious for its cryptic terms and overhyped trends, and “zero trust” might currently be the most cryptic and hyped of them all.
It’s also a real concept, and probably the best hope we have today of putting a stop to the onslaught of cyberattacks, experts say. Still, confusion about which security tools can genuinely help to deliver the promise of zero trust, and which ones are just pretending to live up to its potential, is a growing problem.
Without a doubt, zero trust is “the most abused and the most misunderstood term in security today,” said Heath Mullins, a senior analyst at Forrester.
Depending on who you ask, zero trust is an architecture, a strategy, a goal — or probably, all of the above. The concept of zero trust first gained momentum at Google in the wake of the 2009 “Aurora” attacks, attributed to Chinese government hackers, which included the theft of source code from the company. As a security term, “zero trust” was popularized starting in 2010 by John Kindervag, then a Forrester analyst.
However you prefer to define zero trust, its potential is huge for organizations to improve their security by adopting the principles associated with it, such as bringing stronger control over access to corporate resources and ensuring that users aren’t authorized to do more than is necessary for their role, according to experts.
But with all of the hype and misappropriation of the idea, information security practitioners are pretty burned out on the term at this point, said Matthew Prince, co-founder and CEO at Cloudflare, which counts zero trust security technologies as one of its core focus areas.
“Literally every vendor is saying, ‘We do zero trust,’” Prince told Protocol. “The risk is that if everything is zero trust, then maybe nothing is.”
For Mullins, one of the most common questions he gets comes from clients that have just deployed a new cybersecurity tool and wonder, “Am I zero trust now?”
The answer, overwhelmingly, is no.
That’s because zero trust is not something you can buy in one package. There are plenty of tools that can help an organization start to embrace the concept — including across identity security, access management, and network segmentation — but no single product that can deliver the whole thing.
“There’s nobody out there that does everything,” Mullins said. “The first company to get there is going to clean house.”
A recent survey from the Cloud Security Alliance found that the majority of organizations, 80%, now see zero trust security as a priority. Nearly as many, 77%, planned to boost their spending related to zero trust over the next year, according to the survey.
Trust no one
The question of what zero trust actually means remains a common one. But maybe an equally instructive question, at this stage of the game, is: What does it not mean?
Alex Weinert, vice president and director of identity security at Microsoft, has a favorite quote on zero trust, he said during a recent online panel hosted by Protocol. Weinert once asked a chief information security officer to define zero trust, and the answer he received was, “It means whatever the person on the other side of the table is trying to sell.”
Less flippantly, zero trust can be seen as an organizing principle for how to stop modern cyberattacks. Today attackers tend to follow a certain trajectory: After gaining initial access to an environment, they move around on the network, take over additional accounts, and elevate their account privileges to let them take additional, more damaging actions.
While the result might be the deployment of ransomware or the theft of valuable data, the attacker must navigate through IT environments before they can actually reach that point. It’s during those phases of an attack that an organization has an opportunity to shut things down and lessen the damage from a breach. The promise of zero trust is that an attacker who steals a password or manages to thwart multifactor authentication won’t necessarily succeed at achieving their end goals.
There are different ways to accomplish this, such as by examining data about a user’s device or behavior before deciding to grant access to a sensitive resource or by breaking up an IT environment into different subsegments that can each have their own policies.
But the unifying idea is that “trust” needs to be eliminated from the equation, specifically, “implicit” trust, according to Weinert. In other words, users shouldn’t be automatically trusted to access applications and data just because they were able to authenticate and gain access to the network.
Instead, in order to allow access to a sensitive resource, “we explicitly verify the aspects of that request,” Weinert said.
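To make the difference between implicit and explicit trust concrete, here is an added illustration (not code from Protocol or any vendor quoted above): a toy policy decision point that evaluates each request against the policy of the segment owning the resource, using the signals the article mentions (MFA, device posture, location). The resource names, segment policies and the request scenario are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    mfa: bool              # did this session pass multifactor authentication?
    device_managed: bool   # is the device enrolled and compliant?
    device_patched: bool   # are the latest OS/agent patches applied?
    country: str           # geolocation of the source IP (assumed upstream lookup)
    on_corp_network: bool  # legacy signal: is the client inside the LAN or on VPN?

# Constructed segment policies. Each segment lists what it requires of a request;
# a request must satisfy every requirement, and unknown resources are denied.
SEGMENT_OF = {"wiki": "general", "payroll-db": "finance", "source-repo": "engineering"}
POLICY = {
    "general":     {"mfa": False, "managed": False, "patched": False, "countries": None},
    "finance":     {"mfa": True,  "managed": True,  "patched": True,  "countries": {"US"}},
    "engineering": {"mfa": True,  "managed": True,  "patched": False, "countries": None},
}

def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: anyone inside the trusted network (e.g. via VPN) gets through."""
    return req.on_corp_network

def zero_trust_decision(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Explicit verification: return the decision plus the reasons for a denial."""
    segment = SEGMENT_OF.get(req.resource)
    if segment is None:
        return False, ["unknown resource: default deny"]
    pol = POLICY[segment]
    reasons = []
    if pol["mfa"] and not req.mfa:
        reasons.append("MFA required")
    if pol["managed"] and not req.device_managed:
        reasons.append("managed device required")
    if pol["patched"] and not req.device_patched:
        reasons.append("device out of compliance")
    if pol["countries"] is not None and req.country not in pol["countries"]:
        reasons.append(f"location {req.country} not allowed")
    return (not reasons), reasons

# Constructed scenario: a valid password and VPN session, but the request comes
# from an unmanaged, unpatched machine in a location the finance segment disallows.
STOLEN_CREDS = AccessRequest("alice", "payroll-db", mfa=False, device_managed=False,
                             device_patched=False, country="XX", on_corp_network=True)

if __name__ == "__main__":
    print("perimeter model:", perimeter_decision(STOLEN_CREDS))    # True
    print("zero trust model:", zero_trust_decision(STOLEN_CREDS))  # (False, [...])
```

The same session that the perimeter model waves through is denied four separate ways by the per-segment policy, which is the point Weinert makes: authentication alone is not trust.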
While Google’s “BeyondCorp” initiative in the wake of the Aurora attacks gets the credit for blazing the trail on zero trust, there’ve been many attempts since then to simplify the concept for businesses that don’t have the same resources or complexity found at Google, but still have valid cybersecurity concerns and a budget.
Implementing a zero trust architecture has become a bigger priority amid intensifying cyberattacks as well as the shift to work-from-home, which moved countless workers outside the safety of the corporate firewall. That’s driven the need for a more secure approach than the virtual private network, or VPN, which is supposed to be a “secure tunnel” from a client device to a protected corporate network but has actually turned out to be highly vulnerable. For instance, the 2021 ransomware attack against Colonial Pipeline, which led to gas shortages across the Southeastern U.S., stemmed from a compromised VPN password.
‘More confusion than clarity’
Some security product categories are overtly associated with zero trust, such as zero trust network access, which is a VPN replacement that’s built around zero trust principles. For instance, zero trust network access tools can use additional data sources to verify a user beyond just their credentials, such as their location or the security posture of their device.
But deploying that particular technology doesn’t single-handedly achieve zero trust. And given that zero trust incorporates a variety of different technologies, a number of cybersecurity vendors have taken some liberties with the term.
At the RSA security conference in June, for instance, “every vendor on the show floor had zero trust in their marketing, to some degree,” Forrester’s Mullins said. “It’s created more confusion than clarity.”
That brings up the second question: What isn’t zero trust?
For starters, “It isn’t every single security control in your environment,” said Andrew Rubin, co-founder and CEO of zero trust segmentation vendor Illumio, during Protocol’s recent panel.
In particular, traditional firewalls meant to support the corporate “perimeter” are clearly not capable of helping with zero trust.
That hasn’t stopped vendors that offer traditional network firewalls and VPNs, which “all try to claim they are zero trust,” said Jay Chaudhry, founder and CEO of Zscaler, a major zero trust network access vendor, in an interview with Protocol in June.
“Zero trust was created to overcome the network architecture,” Chaudhry said. “Firewalls and VPNs, versus zero trust, are fundamentally opposite.”
Zero trust is a “complete paradigm change,” according to Cloudflare’s Prince, and “there is a natural inclination to try to get everything old to fit into the new paradigm.”
“Anytime that you’re talking about a perimeter, then you’re probably not in a zero trust model for how this new paradigm works,” he said.
Rather than placing limits on what users are trusted to do, fundamentally, the traditional network security approach was about defining the trusted local area network, Prince noted.
“And so when I hear traditional firewall vendors saying, ‘We’re doing zero trust,’ that’s where I’m like, ‘That just doesn’t make any sense,’” he said.
Who can you trust?
Kapil Raina, vice president of zero trust marketing at CrowdStrike, has a rule of thumb for determining if a product has anything to do with zero trust or not: Check it against the National Institute of Standards and Technology.
According to NIST’s 2020 publication on zero trust architecture, the crux of zero trust is around secure access — and making sure that the right people have it and that the wrong people do not. “The goal [is] to prevent unauthorized access to data and services coupled with making the access control enforcement as granular as possible,” the publication’s authors said.
If a security product lines up with something in that document, then it has a valid claim to helping to achieve zero trust, Raina said. Despite working for a major security vendor, his best advice is to trust NIST, not the industry.
“Don’t listen to a vendor when they talk about [the definition of] zero trust,” he said. “It is going to be biased.”
Anybody who claims they can deliver zero trust quickly or easily should also be treated as suspect, according to Mullins. Most organizations are still in the early stages of working toward a zero trust security posture because it takes time, he said.
“You’re not going to do it in a year,” Mullins said. “If you can do zero trust in a year, please call me and tell me how you did it.”