Why security teams are losing trust in the term ‘zero trust’

A key framework for how to secure against modern cyberattacks, zero trust has seen surging interest from business leaders — and been prone to misuse by many vendors.

“The risk is that if everything is zero trust, then maybe nothing is,” said Matthew Prince, co-founder and CEO at Cloudflare.

Illustration: Christopher T. Fong/Protocol

Cybersecurity is notorious for its cryptic terms and overhyped trends, and “zero trust” might currently be the most cryptic and hyped of them all.

It’s also a real concept, and probably the best hope we have today of putting a stop to the onslaught of cyberattacks, experts say. Still, confusion about which security tools can genuinely help to deliver the promise of zero trust, and which ones are just pretending to live up to its potential, is a growing problem.

Without a doubt, zero trust is “the most abused and the most misunderstood term in security today,” said Heath Mullins, a senior analyst at Forrester.

Depending on who you ask, zero trust is an architecture, a strategy, a goal — or probably, all of the above. The concept of zero trust first gained momentum at Google in the wake of the 2009 “Aurora” attacks, attributed to Chinese government hackers, which included the theft of source code from the company. As a security term, “zero trust” was popularized starting in 2010 by John Kindervag, then a Forrester analyst.

However you prefer to define zero trust, it holds huge potential for organizations to improve their security by adopting the principles associated with it, such as bringing stronger control over access to corporate resources and ensuring that users aren’t authorized to do more than is necessary for their role, according to experts.

But with all of the hype and misappropriation of the idea, information security practitioners are pretty burned out on the term at this point, said Matthew Prince, co-founder and CEO at Cloudflare, which counts zero trust security technologies as one of its core focus areas.

“Literally every vendor is saying, ‘We do zero trust,’” Prince told Protocol. “The risk is that if everything is zero trust, then maybe nothing is.”

One of the most common questions Mullins gets comes from a client that has just deployed a new cybersecurity tool and wonders, “Am I zero trust now?”

The answer, overwhelmingly, is no.

That’s because zero trust is not something you can buy in one package. There are plenty of tools that can help an organization start to embrace the concept — including across identity security, access management, and network segmentation — but no single product that can deliver the whole thing.

“There’s nobody out there that does everything,” Mullins said. “The first company to get there is going to clean house.”

A recent survey from the Cloud Security Alliance found that the majority of organizations, 80%, now see zero trust security as a priority. Nearly as many, 77%, planned to boost their spending related to zero trust over the next year, according to the survey.

Trust no one

The question of what zero trust actually means remains a common one. But maybe an equally instructive question, at this stage of the game, is: What does it not mean?

Alex Weinert, vice president and director of identity security at Microsoft, has a favorite quote on zero trust, he said during a recent online panel hosted by Protocol. Weinert once asked a chief information security officer to define zero trust, and the answer he received was, “It means whatever the person on the other side of the table is trying to sell.”

Less flippantly, zero trust can be seen as an organizing principle for how to stop modern cyberattacks. Today attackers tend to follow a certain trajectory: After gaining initial access to an environment, they move around on the network, take over additional accounts, and elevate their account privileges to let them take additional, more damaging actions.

While the result might be the deployment of ransomware or the theft of valuable data, the attacker must navigate through IT environments before they can actually reach that point. It’s during those phases of an attack that an organization has an opportunity to shut things down and lessen the damage from a breach. The promise of zero trust is that an attacker who steals a password or manages to thwart multifactor authentication won’t necessarily succeed at achieving their end goals.

There are different ways to accomplish this, such as by examining data about a user’s device or behavior before deciding to grant access to a sensitive resource or by breaking up an IT environment into different subsegments that can each have their own policies.

But the unifying idea is that “trust” needs to be eliminated from the equation, specifically, “implicit” trust, according to Weinert. In other words, users shouldn’t be automatically trusted to access applications and data just because they were able to authenticate and gain access to the network.

Instead, in order to allow access to a sensitive resource, “we explicitly verify the aspects of that request,” Weinert said.

While Google’s “BeyondCorp” initiative in the wake of the Aurora attacks gets the credit for blazing the trail on zero trust, there’ve been many attempts since then to simplify the concept for businesses that don’t have the same resources or complexity found at Google, but still have valid cybersecurity concerns and a budget.

Implementing a zero trust architecture has become a bigger priority amid intensifying cyberattacks as well as the shift to work-from-home, which moved countless workers outside the safety of the corporate firewall. That’s driven the need for a more secure approach than the virtual private network, or VPN, which is supposed to be a “secure tunnel” from a client device to a protected corporate network but has actually turned out to be highly vulnerable. For instance, the 2021 ransomware attack against Colonial Pipeline, which led to gas shortages across the Southeastern U.S., stemmed from a compromised VPN password.

‘More confusion than clarity’

Some security product categories are overtly associated with zero trust, such as zero trust network access, which is a VPN replacement that’s built around zero trust principles. For instance, zero trust network access tools can use additional data sources to verify a user beyond just their credentials, such as their location or the security posture of their device.
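The explicit-verification idea described above, together with the device-posture and location signals that zero trust network access tools add on top of credentials, as an added illustration (not code from the article or from any vendor it quotes): a toy policy decision in Python that checks identity, MFA, entitlement, device posture and location on every request, beside the perimeter model's single network-location check. The users, resources, countries and denial reasons are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_passed: bool
    on_corporate_network: bool  # the only signal the perimeter model really uses
    device_managed: bool        # device posture: enrolled in management
    device_patched: bool        # device posture: OS patches current
    country: str                # coarse location signal, as ZTNA tools use
    resource: str

# Constructed sample data: per-user entitlements (least privilege) and policy inputs.
ENTITLEMENTS = {"alice": {"hr-payroll", "wiki"}, "bob": {"wiki"}}
SENSITIVE = {"hr-payroll"}
ALLOWED_COUNTRIES = {"US", "CA"}


def perimeter_decision(req: AccessRequest) -> bool:
    """Traditional model: reaching the trusted LAN is the whole check (implicit trust)."""
    return req.on_corporate_network


def zero_trust_decision(req: AccessRequest) -> tuple[bool, list[str]]:
    """Explicitly verify each request; network location carries no weight at all."""
    denials = []
    if not req.mfa_passed:
        denials.append("mfa-not-satisfied")
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        denials.append("not-entitled")  # blocks lateral movement into other roles' data
    if not req.device_managed:
        denials.append("unmanaged-device")
    if req.resource in SENSITIVE:  # stricter posture requirements for sensitive data
        if not req.device_patched:
            denials.append("device-unpatched")
        if req.country not in ALLOWED_COUNTRIES:
            denials.append("unexpected-location")
    return (not denials, denials)


# Constructed scenario from the article: an attacker holding alice's password who has
# also defeated MFA, but is working from an unmanaged machine plugged into the LAN.
STOLEN_CREDS = AccessRequest("alice", True, True, False, False, "US", "hr-payroll")
# Constructed scenario: bob, fully compliant, trying to reach data outside his role.
LATERAL_MOVE = AccessRequest("bob", True, True, True, True, "US", "hr-payroll")

if __name__ == "__main__":
    for name, req in (("stolen-creds", STOLEN_CREDS), ("lateral-move", LATERAL_MOVE)):
        print(name, "perimeter:", perimeter_decision(req), "zero-trust:", zero_trust_decision(req))
```

The perimeter check admits both constructed scenarios because the requests come from inside the network; the per-request check denies each for a different reason, and would admit a compliant remote worker the perimeter model turns away.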

But deploying that particular technology doesn’t single-handedly achieve zero trust. And because zero trust does incorporate a variety of different technologies, a number of cybersecurity vendors have taken some liberties with the term.

At the RSA security conference in June, for instance, “every vendor on the show floor had zero trust in their marketing, to some degree,” Forrester’s Mullins said. “It’s created more confusion than clarity.”

That brings up the second question: What isn’t zero trust?

For starters, “It isn’t every single security control in your environment,” said Andrew Rubin, co-founder and CEO of zero trust segmentation vendor Illumio, during Protocol’s recent panel.

In particular, traditional firewalls meant to support the corporate “perimeter” are clearly not capable of helping with zero trust.

That hasn’t stopped vendors that offer traditional network firewalls and VPNs, which “all try to claim they are zero trust,” said Jay Chaudhry, founder and CEO of Zscaler, a major zero trust network access vendor, in an interview with Protocol in June.

“Zero trust was created to overcome the network architecture,” Chaudhry said. “Firewalls and VPNs, versus zero trust, are fundamentally opposite.”

Zero trust is a “complete paradigm change,” according to Cloudflare’s Prince, and “there is a natural inclination to try to get everything old to fit into the new paradigm.”

“Anytime that you’re talking about a perimeter, then you’re probably not in a zero trust model for how this new paradigm works,” he said.

Fundamentally, the traditional network security approach was about defining the trusted local area network rather than placing limits on what users are trusted to do, Prince noted.

“And so when I hear traditional firewall vendors saying, ‘We’re doing zero trust,’ that’s where I’m like, ‘That just doesn’t make any sense,’” he said.

Who can you trust?

Kapil Raina, vice president of zero trust marketing at CrowdStrike, has a rule of thumb for determining if a product has anything to do with zero trust or not: Check it against the National Institute of Standards and Technology.

According to NIST’s 2020 publication on zero trust architecture, the crux of zero trust is around secure access — and making sure that the right people have it and that the wrong people do not. “The goal [is] to prevent unauthorized access to data and services coupled with making the access control enforcement as granular as possible,” the publication’s authors said.

If a security product lines up with something in that document, then it has a valid claim to helping to achieve zero trust, Raina said. Despite working for a major security vendor, his best advice is to trust NIST, not the industry.

“Don’t listen to a vendor when they talk about [the definition of] zero trust,” he said. “It is going to be biased.”

Anybody who claims they can deliver zero trust quickly or easily should also be treated as suspect, according to Mullins. Most organizations are still in the early stages of working toward a zero trust security posture because it takes time, he said.

“You’re not going to do it in a year,” Mullins said. “If you can do zero trust in a year, please call me and tell me how you did it.”