David Papp Blog

What is Zero Trust?

For years now, a concept called “zero trust” has been used a cybersecurity catchphrase. It’s caught on so much that a notoriously dilatory federal IT apparatus is using the term. But one of the biggest barriers to adopting this next-generation security model is the amount of confusion these term brings.

What does it actually mean?

With cyberattacks like business email compromise, phishing, and ransomware attacks on the rise, something needs to be done and soon.

The Old Ways

To understand what zero trust is, it’s important to know the core concept. At the core of it, zero trust relates to a shift in how organizations conceive their networks and their IT infrastructure. Under the old model that businesses use, computers, servers, and all the other devices are physically inside of a physical office building. All of them are on the same network and are trusted amongst each other.

The computer you have a work can easily be connected to the print on the floor you’re on or could get a team document from a shared server.

For security measures, firewalls and antivirus were set up for them to see anything outside of the organization as a bad thing and block it. These measures would never look inside of a network and scrutinize any piece of internal information.

From this model alone, you can see how those can be problems. Especially with the explosion of mobile devices, cloud services, and even remote work on the rise. Organizations now can’t physically control every single device employees use.

And even if they could, the old model wasn’t the best model to have.

You have scenarios where if an attacker ever slipped by the defenses – either remotely or physically – the network would immediately grant them trust and freedom to do whatever. When it comes to security it’s not simple as “outside is bad, and inside is good.”

The New Way

What this new model brings is that instead of trusting particular devices or connections, zero trust demands that people prove that they should be given access. What it means in practice is that you’ll be logging into a corporate account with biometrics or a hardware security key on top of your typical username and passwords.

All these measures are in place to make it harder for attackers to impersonate users.

And even once that’s all done, you only get access on a need-to-know or need-to-access basis. If you’re not invoicing contractors as part of your job, the account you log into shouldn’t give you access to the billing platform at all.

Delving deeper, advocates of this program start to sound a bit like a religious experience when explaining it. They consistently emphasize how zero trust systems aren’t just a single piece of software that you just install or is a box you tick on a menu screen.

Instead, they see it as a philosophy, concepts, a mantra, or a mindset. They talk about it in this fashion in an attempt to reclaim it from marketing doublespeak or promotional T-shirts that have used zero trust as some magic bullet.

Implementation is Difficult Though

Because there is so much confusion around the real meaning and purpose of this, it’s harder for people to implement these ideas into practice. That being said, people are in agreement with the overall goals and purpose behind the use of the phrase. However executives or IT administrators can easily be led astray with the concept and implement protections that only reinforce old methods rather than bring in anything new.

Cloud providers do have an easier time though since they’ve baked zero-trust concepts into their platforms. However, with everyone using zero trust to describe any security feature, it can be difficult to understand what it all means.

Yet the biggest blockade to implementation is that a lot of our existing infrastructure is designed under the older models. It’s very difficult to implement new systems since both methods are fundamentally different.

There are very high risks of nothing getting done from projects where zero trust ideas are working to implement into legacy systems let alone rearchitect those systems.

We can also see this in the USA federal government implementation. They use a hodgepodge of vendors and legacy systems that will require time investment and money to overhaul those systems.

Zero Trust Will Take a Lot of Time

Despite all of the hurdles that zero trust is facing, it doesn’t mean it will never be implemented. Security professionals who are paid to hack organizations and discover digital weaknesses – known as red teams – have started studying what it takes to break into these zero-trust networks.

It’s going to take time for many organizations to fully grasp the benefits of this approach over the systems we’ve relied on for decades. However, the abstract nature of this concept does have its benefits. This abstract nature would be able to become more flexible and could even last for a long time while specific software tools will eventually die out. All in all, it does look promising and is part of the future.