Does Anyone Trust Zero Trust?

Has there been a more over-used term within IT security over the past few years than “zero trust”?

Answers in the virtual black box at the back of the virtual room (in the virtual universe). I mean, it is kind of fundamental – that’s why we lock the doors to our houses. However, as debate topics go, it’s as big as ever – as validated in a recent online NetEvents debate discussing the very topic in terms of what is myth and what is reality. The entire debate can be found here:

https://www.netevents.org/events/exploring-the-myths-of-zero-trust/

For the purposes of this blog, however, I will simply set the scene by highlighting the question I asked the panel, along with their responses:

Q: ‘Ultimate Zero Trust would literally mean that every single access, message, thread – you name it, even down to packet and byte level, into and within a network – to cover off potential spoofs and internal hacks – would have to be validated, which is clearly unworkable. The ultimate “walled garden” in IT terms was the mainframe – a single entry/exit point. But, as soon as you put a back door into a walled garden – e.g., modem access for support into a mainframe – that zero-trust model becomes potentially invalidated. Apply this concept to a modern, hybrid network of preposterous complexity and how many back doors are there going to be out there?’

And here is a summary of the responses:

Galeal Zino, Founder & CEO, NetFoundry

“This is correct. There’s always a way in, especially in modern architectures as I pointed out (referring to SD-WAN and MPLS, for example). The problem is, the land is the attack surface, right? It’s the very roads that, for example, the ransomware uses to go find some interesting data to encrypt. It’s the very roads that various viruses or malware take to get to interesting places. So, when we actually eliminate the SD-WAN, eliminate the MPLS WAN, then those roads don’t exist.”

Vivek Bhandari, Senior Director of Product Marketing, Networking & Security, VMware

“I think that question in itself brings out the complexity that customers are dealing with. Yes, absolutely. There are just too many ways in; you have to assume the attacker is in the network, and you enable the capabilities, a lot of the stuff we talked about, to really identify, right, those things. So again, behaviour-based techniques, anomalies, having the right checkpoints along your networks is important. You can’t simply assume you will catch everything only at the endpoint or with identity because, look, attackers are using very creative mechanisms, you’re exploiting vulnerabilities, and you absolutely need that ability to inspect the traffic that’s inside, right, because you’re not going to trust it. And so, the right checkpoints, the right techniques at scale, right, in a modern way where you don’t have to sort of go to just centralized solutions, can help customers solve that problem.”

Chris Kent, Senior Director, Product Marketing, HashiCorp

“I think to layer onto that. One of the interesting things that Galeal brought up, and I fully agree here, is if you’re bringing the security up to, like, the application or service layer, essentially what you’re saying is, like, an instance application can talk to Database A, and that is physically the only communication that can occur. Anything else, like people, other services, everything else is just blocked out by default. You’re kind of creating a secure vacuum between those two. And I think that’s part of where there’s this shift happening in mindset between this kind of, like, legacy world of, you know, we own the network and we own the different kind of components, where you’re just saying, no, I’m just gonna make sure, like with mutual TLS, let’s say, that these two things identify with their own kind of thing. So like, let’s say it’s a public cert, you know, a CA type of thing that can verify this is Application A, this can verify this Database A, and these two are the only two things that can talk and everything else is restricted. So I think at that level, you can scale that out indefinitely without ever having to kind of map out these kind of different endpoints or kind of backdoors, if you will.”
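As an added illustration of the mutual-TLS, deny-by-default model described in the response above (example code added here, not from the panel or any vendor), the following Python sketch shows the database side requiring a CA-signed client certificate and then admitting only an allow-listed identity. The service names, the URI identities, the `ALLOWED` table and the sample certificates are assumptions constructed for the example.

```python
import ssl

# Hypothetical policy: which client identities may reach which service.
# Anything not listed is denied, including services with no entry at all.
ALLOWED = {"database-a": {"spiffe://example.internal/application-a"}}

def server_context(ca_file, cert_file, key_file):
    """TLS context for the database side: no CA-signed client cert, no session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED        # the "mutual" half of mutual TLS
    ctx.load_verify_locations(cafile=ca_file)  # the CA that vouches for workloads
    ctx.load_cert_chain(cert_file, key_file)   # this service's own identity
    return ctx

def peer_identities(peercert):
    """URI and DNS subjectAltName entries from SSLSocket.getpeercert()."""
    if not peercert:  # None or {}: no certificate, or one that was not validated
        return set()
    return {value for kind, value in peercert.get("subjectAltName", ())
            if kind in ("URI", "DNS")}

def authorize(service, peercert):
    """Default deny: allow only if a verified identity is listed for this service."""
    return bool(peer_identities(peercert) & ALLOWED.get(service, set()))

# Constructed samples in the shape getpeercert() returns after a verified handshake.
APP_A_CERT = {"subjectAltName": (("URI", "spiffe://example.internal/application-a"),)}
OTHER_CERT = {"subjectAltName": (("URI", "spiffe://example.internal/reporting-job"),
                                 ("DNS", "reporting.example.internal"))}

if __name__ == "__main__":
    for name, cert in (("application-a", APP_A_CERT),
                       ("reporting-job", OTHER_CERT),
                       ("no certificate", {})):
        verdict = "allow" if authorize("database-a", cert) else "deny"
        print(f"{name} -> database-a: {verdict}")
```

A certificate signed by the right CA is not enough on its own here: the second sample would pass the TLS handshake but is still refused because its identity is not on the list for `database-a`.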

As ever with a debate between vendors, each has their own standpoint, but what is clear is that – as a concept – zero trust is anything but… In my next blog I shall explore one vendor’s efforts in redefining the “concept” to bring some true context to it.